[PATCH 3/4] modsign: Allow password to be specified for signing key

From: David Woodhouse
Date: Fri May 15 2015 - 12:53:51 EST


Signed-off-by: David Woodhouse <David.Woodhouse@xxxxxxxxx>
---
Documentation/module-signing.txt | 2 ++
Makefile | 1 +
init/Kconfig | 6 ++++++
scripts/sign-file.c | 39 ++++++++++++++++++++++++++++++++++++++-
4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index c72702e..b0ed080 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -194,6 +194,8 @@ The hash algorithm used does not have to match the one configured, but if it
doesn't, you should make sure that hash algorithm is either built into the
kernel or can be loaded without requiring itself.

+If the private key requires a passphrase or PIN, it can be provided in the
+$CONFIG_MODULE_SIG_KEY_PASSWORD environment variable.

============================
SIGNED MODULES AND STRIPPING
diff --git a/Makefile b/Makefile
index 9590e67..70c066c 100644
--- a/Makefile
+++ b/Makefile
@@ -875,6 +875,7 @@ ifdef CONFIG_MODULE_SIG_ALL
MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
+export CONFIG_MODULE_SIG_KEY_PASSWORD
mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
else
mod_sign_cmd = true
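Review bot: The added `export CONFIG_MODULE_SIG_KEY_PASSWORD` puts the signing-key passphrase into the environment of every command make runs after this point, not only scripts/sign-file, and nothing in the hunk records why. A comment above the line would state the intent, for example `# Consumed by scripts/sign-file via getenv(); presumably exported so the value stays off the command line`. If narrower exposure is wanted, the variable could be set only on the mod_sign_cmd invocation, at the cost of the value showing up in verbose build output. The surrounding ifdef block starts and ends outside the hunk.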
diff --git a/init/Kconfig b/init/Kconfig
index 1ca075a..7bbc857 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1967,6 +1967,12 @@ config MODULE_SIG_KEY
Provide the file name of a private key in PEM format, or a PKCS#11
URI according to RFC7512 to specify the key.

+config MODULE_SIG_KEY_PASSWORD
+ string "Passphrase or PIN for module signing key if needed" if MODULE_SIG_EXTERNAL_KEY
+ help
+ If a passphrase or PIN is required for the private key, provide
+ it here.
+
config MODULE_COMPRESS
bool "Compress modules on installation"
depends on MODULES
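Review bot: The help text of the new MODULE_SIG_KEY_PASSWORD option does not mention that a value entered here is saved unencrypted in .config like any other string option, so the passphrase travels with every copy or archive of the configuration. One more sentence in the help would cover it, e.g. `Note that the value is stored in clear text in the kernel configuration file.` If the build also embeds its configuration in the kernel image, the passphrase would presumably be carried there too, which is worth confirming before relying on this option for a production signing key.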
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 39aaabe..9a54acc 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -80,9 +80,32 @@ static void drain_openssl_errors(void)
} \
} while(0)

+static char *key_pass;
+
+static int pem_pw_cb(char *buf, int len, int w, void *v)
+{
+ int pwlen;
+
+ if (!key_pass)
+ return -1;
+
+ pwlen = strlen(key_pass);
+ if (pwlen >= len)
+ return -1;
+
+ strcpy(buf, key_pass);
+
+ /* If it's wrong, don't keep trying it. */
+ free(key_pass);
+ key_pass = NULL;
+
+ return pwlen;
+}
+
int main(int argc, char **argv)
{
struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+ const char *pass_env;
char *hash_algo = NULL;
char *private_key_name, *x509_name, *module_name, *dest_name;
bool save_pkcs7 = false, replace_orig;
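Review bot: pem_pw_cb() releases the passphrase with `free(key_pass)` without clearing it, so the secret stays in freed heap memory for the rest of the run. Clearing it first is cheap: `OPENSSL_cleanse(key_pass, pwlen);` on the line before the free. Since the length is already known and checked against `len`, the copy could be `memcpy(buf, key_pass, pwlen + 1);` instead of `strcpy()`. The unused `w` and `v` parameters are presumably required by the PEM password callback type, and a short comment above the function saying so would help. main() continues outside the hunk.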
@@ -96,6 +119,7 @@ int main(int argc, char **argv)
BIO *b, *bd = NULL, *bm;
int opt, n;

+ OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
ERR_clear_error();

@@ -127,12 +151,25 @@ int main(int argc, char **argv)
replace_orig = true;
}

+ pass_env = getenv("CONFIG_MODULE_SIG_KEY_PASSWORD");
+ if (pass_env) {
+ int pwlen = strlen(pass_env);
+
+ if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') {
+ pass_env++;
+ pwlen -= 2;
+ }
+ if (pwlen)
+ key_pass = strndup(pass_env, pwlen);
+ }
+
/* Read the private key and the X.509 cert the PKCS#7 message
* will point to.
*/
b = BIO_new_file(private_key_name, "rb");
ERR(!b, "%s", private_key_name);
- private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
+ private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
+ ERR(!private_key, "%s", private_key_name);
BIO_free(b);

b = BIO_new_file(x509_name, "rb");
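Review bot: The quote-stripping test in the added block accepts a value that is a single `"` character: pwlen is 1, both comparisons hit the same byte, and `pwlen -= 2` leaves -1, which `strndup()` then receives as a huge size_t and turns into an empty passphrase. The condition should require two characters, `if (pwlen >= 2 && pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') {`. The return of `strndup()` is not checked either, so an allocation failure is indistinguishable from no passphrase being set and only surfaces as a key-read error. main() begins and ends outside the hunk.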
--
2.4.0

--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation
