PESIGN(1)                   General Commands Manual                  PESIGN(1)

NAME
       pesign - command line tool for signing UEFI applications

SYNOPSIS
       pesign [--in=infile | -i infile]
              [--out=outfile | -o outfile]
              [--certdir=certdir | -n certdir]
              [--nss-token=token | -t token]
              [--certificate=nickname | -c nickname]
              [--force | -f] [--sign | -s] [--hash | -h]
              [--digest_type=digest | -d digest]
              [--show-signature | -S ] [--remove-signature | -r ]
              [--export-pubkey=outkey | -K outkey]
              [--export-cert=outcert | -C outcert]
              [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N]
              [--padding | -P | --nopadding | -p ]
              [--signature-number=signum | -u signum]

DESCRIPTION
       pesign is a command line tool for manipulating signatures and
       cryptographic digests of UEFI applications.

OPTIONS
       --in=infile
              Specify input binary.

       --out=outfile
              Specify output binary.

       --certdir=certdir
              Specify NSS certificate database directory.

       --nss-token=token
              Use the specified NSS token's certificate database.

       --certificate=nickname
              Use the certificate database entry with the specified nickname
              for signing.

       --force
              Overwrite output files. Without this parameter, pesign will
              refuse to overwrite any output files which already exist.

       --sign Sign the input binary with the key specified by --certificate.

       --hash Display the cryptographic digest of the input binary on standard
              output.

       --digest_type=digest
              Use the specified digest in hashing and signing operations. By
              default, this value is "sha256". Use "--digest_type=help" to
              list the available digests.

       --show-signature
              Show information about the signature of the input binary.

       --remove-signature
              Remove the signature section from the binary.

       --signature-number=signum
              Specify which signature to operate on. This field is zero-
              indexed.

       --export-pubkey=outkey
              Export the public key specified by --certificate to outkey.

       --export-cert=outcert
              Export the certificate specified by --certificate to outcert.

       --ascii-armor
              Use ASCII armoring on exported certificates.

       --daemonize
              Spawn a daemon for use with pesign-client(1).

       --nofork
              Do not fork when using --daemonize.

       --padding | --nopadding
              Do or do not pad the binary out to the PE 9.3 alignment before
              signing. Padding is recommended (and in many circumstances
              required) even for binaries which predate the current PE spec,
              and is enabled by default as of pesign 113.

EXAMPLES
       1. If you have a certificate file and private key file, the following
       steps may be used to sign a PE image:

              # Create a pkcs12 file from private key and
              # certificate file.
              host:~$ openssl pkcs12 -export -out foo_key.p12 \
                      -inkey signing_key.pem \
                      -in xyz_cert.x509.pem

              # Import pkcs12 file into pesign db
              host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign

              # Do the signing
              host:~$ pesign -i <input-file> -o <output-file> \
                      -c <cert nickname> -s

       Please note that this is just an example, and that recommended best
       practice is to always store private keys in a FIPS 140-2 hardware
       security module, level 2 or higher.

       2. If you have a key pair in your HSM and your HSM supports PKCS #11 and
       the OpenSSL Engine, the following steps may be used to sign a PE image
       using OpenSSL:

              # Install your vendor's engine into OpenSSL. (Contact your vendor
              # for OpenSSL engine support.)
              host:~$ cp <vendor_engine>.so /usr/lib64/openssl/engines/
              host:~$ openssl engine -v <engine_id>
              [Verify vendor engine. engine_id is set by your
              vendor while producing the .so file]

              # Add PKCS #11 module
              host:~$ sudo su - pesign -s /bin/bash
              host:~$ modutil -dbdir /etc/pki/pesign -add <module_name> \
                      -libfile /usr/lib64/<vendor_engine>.so

              # List the added module
              host:~$ modutil -dbdir /etc/pki/pesign -list
              Example listing of PKCS #11 modules
              -------------------------------------
              <module_name>
                      library name: /usr/lib64/<vendor_engine>.so
                      slots: N slots attached
                      status: loaded
                      slot: PCI Card
                      token: Test-CA

              # List certs in tokens
              host:~$ certutil -d /etc/pki/pesign -L -h "Test-CA" [token name
              from listing above]

              # Sign with private key in HSM
              host:~$ pesign --sign --in=<input_file> --out=<output_file> \
                      --nss-token="Test-CA" --certificate="PUB_CRT"

       Where "Test-CA" is the name of the HSM token as listed by "modutil
       -list" and "PUB_CRT" is the certificate name/label in the HSM whose
       private key will be used to sign the PE binary.
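
       As an added example, not pesign's own code or part of this manual page,
       the following Python reads the PE Attribute Certificate Table and lists
       its WIN_CERTIFICATE entries, which is the zero-indexed list that
       --signature-number, --show-signature and --remove-signature operate on;
       it honours the quadword alignment the PE spec requires for each entry
       and rejects entries that run outside the table. The sample PE32+ image
       and its two signature blobs are constructed in the block (the blobs are
       placeholders, not real PKCS #7 data).

```python
import struct

PKCS_SIGNED_DATA = 0x0002   # wCertificateType for an Authenticode PKCS #7 blob
CERT_TABLE_INDEX = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories

def cert_table(pe: bytes):
    """Return (file offset, size) of the Attribute Certificate Table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20                                  # skip COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
    return struct.unpack_from("<II", pe, dirs_off + 8 * CERT_TABLE_INDEX)

def list_signatures(pe: bytes):
    """List WIN_CERTIFICATE entries as (index, dwLength, wRevision, wType); --signature-number indexes this list."""
    off, size = cert_table(pe)
    end, sigs = off + size, []
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    while off < end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError(f"corrupt certificate entry at {off:#x}")
        sigs.append((len(sigs), length, rev, ctype))
        off += (length + 7) & ~7                               # entries are quadword aligned
    return sigs

def build_sample_pe(sig_blobs):
    """Constructed minimal PE32+ image (no sections); blobs are stand-ins, not real PKCS #7 SignedData."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    table = b""
    for blob in sig_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)              # pad to quadword
    struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX,
                     len(dos) + len(coff) + len(opt), len(table))
    return dos + coff + bytes(opt) + table

if __name__ == "__main__":
    sample = build_sample_pe([b"\x30\x82" + b"A" * 13, b"\x30\x82" + b"B" * 4])
    for idx, length, rev, ctype in list_signatures(sample):
        print(f"signature {idx}: {length} bytes, revision {rev:#x}, type {ctype:#x}")
```

       Run it against the output of "pesign --sign" to confirm that a signature
       entry is present before the image is deployed.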

SEE ALSO
       pesign-client(1)

       FIPS 140-2 http://csrc.nist.gov/publications/PubsFIPS.html

AUTHORS
       Peter Jones, Vikas Charak

                                Thu Jun 21 2012                      PESIGN(1)