ELFSIGN(1) | User Commands | ELFSIGN(1) |
elfsign - sign binaries
/usr/bin/elfsign sign [-a] [-v] -k private_key -c certificate_file
-e elf_object [-F format] [file]...
/usr/bin/elfsign sign [-a] [-v] -c certificate_file
-e elf_object -T token_label [-P pin_file] [-F format] [file]...
/usr/bin/elfsign verify [-c certificate_file]
[-v] -e elf_object [file]...
/usr/bin/elfsign request -r certificate_request_file
{-k private_key | -T token_label}
/usr/bin/elfsign list -f field -c certificate_file
/usr/bin/elfsign list -f field -e elf_object
list
request
Users of elfsign must first generate a certificate request and obtain a certificate before signing binaries for use with the Solaris Cryptographic Framework.
sign
verify
The following options are supported:
-a
-c certificate_file
-e elf_object
The -e option can be specified multiple times for signing or verifying multiple objects.
-F format
rsa_md5_sha1
rsa_sha1
Formats other than rsa_md5_sha1 include an informational timestamp with the signature indicating when the signature was applied. This timestamp is not cryptographically secure, nor is it used as part of verification.
-f field
The valid field specifiers for a certificate file are:
subject
issuer
The valid field specifiers for an elf object are:
format
signer
time
-k private_key
It is an error to specify both the -k and -T options.
-P pin_file
It is an error to specify the -P option without the -T option.
-r certificate_request_file
-T token_label
It is an error to specify both the -T and -k options.
-v
The following operand is supported:
file
Example 1 Signing an ELF Object Using a Key/Certificate in a File
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1
Example 2 Verifying an elf Object's Signature
example$ elfsign verify -c mycert -e lib/libmylib.so.1
elfsign: verification of lib/libmylib.so.1 passed
Example 3 Generating a Certificate Request
example$ elfsign request -k mykey -r req.pkcs10
Enter Company Name / Stock Symbol or some other globally unique identifier.
This will be the prefix of the Certificate DN: SUNW

The government of the United States of America restricts the export of
"open cryptographic interfaces", also known as "crypto-with-a-hole".
Due to this restriction, all providers for the Solaris cryptographic
framework must be signed, regardless of the country of origin.

(The terms "retail" and "non-retail" refer to export classifications
for products manufactured in the USA. These terms define the portion
of the world where the product may be shipped.) Roughly speaking,
"retail" is worldwide (minus certain excluded nations) and "non-retail"
is domestic only (plus some highly favored nations).

If your provider is subject to USA export control, then you must
obtain an export approval (classification) from the government of
the USA before exporting your provider. It is critical that you
specify the obtained (or expected, when used during development)
classification to the following questions so that your provider
will be appropriately signed.

Do you have retail export approval for use without restrictions based
on the caller (for example, IPsec)? [Yes/No] No

If you have non-retail export approval for unrestricted use of your
provider by callers, are you also planning to receive retail approval
by restricting which export sensitive callers (for example, IPsec)
may use your provider? [Yes/No] No
[...]
Example 4 Determining Information About an Object
example$ elfsign list -f format -e lib/libmylib.so.1
rsa_md5_sha1
example$ elfsign list -f signer -e lib/libmylib.so.1
CN=VENDOR, OU=Software Development, O=Vendor Inc.
The following exit values are returned:
VALUE | MEANING | SUBCOMMAND |
0 | Operation successful | sign/verify/request |
1 | Invalid arguments | |
2 | Failed to verify ELF object | verify |
3 | Unable to open ELF object | sign/verify |
4 | Unable to load or invalid certificate | sign/verify |
5 | Unable to load private key, private key is invalid, or token label is invalid | sign |
6 | Failed to add signature | sign |
7 | Attempt to verify unsigned object or object not an ELF file | verify |
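The exit-value table above is what makes Example 2 scriptable: a sweep over a directory of ELF objects can tell an unsigned object (exit value 7) apart from one whose signature fails to verify (exit value 2) or a certificate that could not be loaded (exit value 4). The script below is an added example, not part of the elfsign man page or of the OmniOS tools; the directory and certificate paths in the usage comment are placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the elfsign man page): run "elfsign verify" over
# every file in a directory and classify each result by the exit values the
# man page documents for the verify subcommand.

# Run "elfsign verify" on one object and print its exit value on stdout.
# $1 = ELF object, $2 = optional certificate file (passed with -c).
# Uses an "if" so the function itself always succeeds, even under "set -e".
elfsign_verify_code() {
    if [ -n "$2" ]; then
        if elfsign verify -c "$2" -e "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
    else
        if elfsign verify -e "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
    fi
}

# Translate an exit value into the meaning given in the man page's table
# (only the rows that apply to "verify").
elfsign_verify_meaning() {
    case "$1" in
        0) echo "signature verified" ;;
        1) echo "invalid arguments" ;;
        2) echo "failed to verify ELF object" ;;
        3) echo "unable to open ELF object" ;;
        4) echo "unable to load or invalid certificate" ;;
        7) echo "unsigned object or not an ELF file" ;;
        *) echo "unexpected exit value $1" ;;
    esac
}

# Verify every regular file in a directory. Prints one line per object and
# a final "failed: N" summary line counting objects that did not pass.
# $1 = directory, $2 = optional certificate file.
elfsign_verify_dir() {
    dir=$1
    cert=$2
    failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        code=$(elfsign_verify_code "$f" "$cert")
        printf '%s: %s (exit %s)\n' "$f" "$(elfsign_verify_meaning "$code")" "$code"
        [ "$code" -eq 0 ] || failed=$((failed + 1))
    done
    printf 'failed: %d\n' "$failed"
}

# Usage (placeholder paths): sh verify_dir.sh /path/to/providers mycert
if [ "$#" -ge 1 ]; then
    elfsign_verify_dir "$1" "$2"
fi
```

Because every exit value other than 0 is counted as a failure, the summary line is a conservative gate for a build or deployment check; the per-object lines tell you whether a failure is a missing signature, a bad one, or a problem with the certificate or file itself, which are very different things to act on.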
/etc/crypto/certs
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
Interface Stability | See below. |
The elfsign command and subcommands are Committed. While applications should not depend on the output format of elfsign, the output format of the list subcommand is Committed.
date(1), pktool(1), libpkcs11(3LIB), attributes(7), cryptoadm(8)
April 9, 2016 | OmniOS |