PESIGN(1)                   General Commands Manual                  PESIGN(1)

NAME

       pesign - command line tool for signing UEFI applications

SYNOPSIS

       pesign [--in=infile | -i infile]
              [--out=outfile | -o outfile]
              [--certdir=certdir | -n certdir]
              [--nss-token=token | -t token]
              [--certificate=nickname | -c nickname]
              [--force | -f] [--sign | -s] [--hash | -h]
              [--digest_type=digest | -d digest]
              [--show-signature | -S ] [--remove-signature | -r ]
              [--export-pubkey=outkey | -K outkey]
              [--export-cert=outcert | -C outcert]
              [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N]
              [--padding | -P | --nopadding | -p ]
              [--signature-number=signum | -u signum]

DESCRIPTION

       pesign is a command line tool for manipulating signatures and
       cryptographic digests of UEFI applications.

OPTIONS

       --in=infile
              Specify input binary.

       --out=outfile
              Specify output binary.

       --certdir=certdir
              Specify NSS certificate database directory.

       --nss-token=token
              Use the specified NSS token's certificate database.

       --certificate=nickname
              Use the certificate database entry with the specified nickname
              for signing.

       --force
              Overwrite output files. Without this parameter, pesign will
              refuse to overwrite any output files which already exist.

       --sign Sign the input binary with the key specified by --certificate.

       --hash Display the cryptographic digest of the input binary on standard
              output.

       --digest_type=digest
              Use the specified digest in hashing and signing operations. By
              default, this value is "sha256". Use "--digest_type=help" to
              list the available digests.

       --show-signature
              Show information about the signature of the input binary.

       --remove-signature
              Remove the signature section from the binary.

       --signature-number=signum
              Specify which signature to operate on. This field is zero-
              indexed.

       --export-pubkey=outkey
              Export the public key specified by --certificate to outkey.

       --export-cert=outcert
              Export the certificate specified by --certificate to outcert.

       --ascii-armor
              Use ASCII armoring on exported certificates.

       --daemonize
              Spawn a daemon for use with pesign-client(1).

       --nofork
              Do not fork when using --daemonize.

       --padding | --nopadding
              Do or do not pad the binary out to the PE 9.3 alignment before
              signing. Padding is recommended (and in many circumstances
              required) even for binaries which predate the current PE spec,
              and is enabled by default as of pesign 113.


EXAMPLES

       1. If you have a certificate file and private key file, the following
       steps may be used to sign a PE image:

           # Create a pkcs12 file from private key and
           # certificate file.
           host:~$ openssl pkcs12 -export -out foo_key.p12 \
                           -inkey signing_key.pem \
                           -in xyz_cert.x509.pem

           # Import pkcs12 file into pesign db
           host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign

           # Do the signing
           host:~$ pesign -i <input-file> -o <output-file> \
                          -c <cert nickname> -s

       Please note that this is just an example, and that recommended best
       practice is to always store private keys in a FIPS 140-2 hardware
       security module, level 2 or higher.

       2. If you have a key pair in your HSM and your HSM supports PKCS #11 and
       the OpenSSL Engine, the following steps may be used to sign a PE image
       using OpenSSL:

           # Install your vendor's engine into OpenSSL. (Contact your vendor
           # for OpenSSL engine support)
           host:~$ cp <vendor_engine>.so /usr/lib64/openssl/engines/
           host:~$ openssl engine -v <engine_id>
                           [Verify vendor engine. engine_id is set by your
                           vendor while producing the .so file]

           # Add PKCS #11 module
           host:~$ sudo su - pesign -s /bin/bash
           host:~$ modutil -dbdir /etc/pki/pesign -add <module_name> \
                           -libfile /usr/lib64/<vendor_engine>.so

           # List the added module
           host:~$ modutil -dbdir /etc/pki/pesign -list
           Example listing of PKCS #11 modules:
           -------------------------------------
           <module_name>
           library name: /usr/lib64/<vendor-engine>.so
           slots: N slots attached
           status: loaded
           slot: PCI Card
           token: Test-CA

           # List certs in tokens
           host:~$ certutil -d /etc/pki/pesign -L -h "Test-CA"
                           [token name from listing above]

           # Sign with private key in HSM
           host:~$ pesign --sign --in=<input_file> --out=<output_file> \
                          --nss-token="Test-CA" --certificate="PUB_CRT"

           Where "Test-CA" is the name of the HSM token as listed by "modutil
           -list" and "PUB_CRT" is the certificate name/label in the HSM whose
           private key will be used to sign the PE binary.

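       The following is an added example and is not part of the pesign man
       page or the pesign project's own code. The --hash and --sign operations
       above work on a digest of the PE image that deliberately excludes the
       CheckSum field, the Certificate Table directory entry and the appended
       signature data, so a signed copy and the unsigned original hash to the
       same value; that pesign's digest is this Authenticode-style PE digest is
       an assumption made here, not something the man page states. The script
       builds a constructed minimal PE32+ image and computes that digest.

```python
import hashlib
import struct

def build_test_pe(checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE32+ image with one .text section.
    If `cert` is given it is appended as the certificate table."""
    text = bytes(range(256)) * 2                                  # 0x200 bytes of section data
    opt = bytearray(240)                                          # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                         # Magic = PE32+
    struct.pack_into("<I", opt, 60, 0x200)                        # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 144, 0x400, len(cert))       # Certificate Table (offset, size)
    hdr = struct.pack("<2s58xI", b"MZ", 64) + b"PE\0\0"           # DOS header, e_lfanew = 64
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header, 1 section
    hdr += bytes(opt)
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)      # section header
    return hdr.ljust(0x200, b"\0") + text + cert

def pe_authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the Authenticode way: skip CheckSum, the Certificate Table
    directory entry and the certificate table; sections in PointerToRawData order."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                           # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    checksum_off = opt + 64                                       # same offset in PE32 and PE32+
    certdir_off = opt + (144 if pe32plus else 128)                # Certificate Table entry
    cert_size = struct.unpack_from("<II", data, certdir_off)[1]
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:size_of_headers])
    sections = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed_end = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed_end = max(hashed_end, raw_ptr + raw_size)
    # Trailing data is hashed too, minus the certificate table (assumed to sit at the end)
    h.update(data[hashed_end:len(data) - cert_size])
    return h.hexdigest()
```

       Comparing this digest for a binary before and after signing is a
       simple check that signing changed nothing but the certificate table.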

SEE ALSO

       pesign-client(1)

       FIPS 140-2 http://csrc.nist.gov/publications/PubsFIPS.html


AUTHORS

       Peter Jones, Vikas Charak



                                Thu Jun 21 2012                      PESIGN(1)