elfsign(1)                       User Commands                      elfsign(1)

NAME
     elfsign - sign binaries

SYNOPSIS
     /usr/bin/elfsign sign [-a] [-v] -k private_key -c certificate_file
          -e elf_object [-F format] [file]...

     /usr/bin/elfsign sign [-a] [-v] -c certificate_file
          -e elf_object -T token_label [-P pin_file] [-F format] [file]...

     /usr/bin/elfsign verify [-c certificate_file]
          [-v] -e elf_object [file]...

     /usr/bin/elfsign request -r certificate_request_file
          {-k private_key | -T token_label}

     /usr/bin/elfsign list -f field -c certificate_file

     /usr/bin/elfsign list -f field -e elf_object

DESCRIPTION
     The elfsign command provides the following subcommands:

     list      Lists on standard output information from a single
               certificate file or signed elf object. The selected field
               appears on a single line. If the field specified does not
               apply to the named file, the command terminates with no
               standard output. The output of this subcommand is intended
               for use in scripts and by other commands.

     request   Generates a private key and a PKCS#10 certificate request
               for use with the Solaris Cryptographic Framework. If the
               private key is to be created in a token device, elfsign
               prompts for the PIN required to update the token device.
               The PKCS#10 certificate request should be sent to the email
               address solaris-crypto-req@sun.com to obtain a certificate.

               Users of elfsign must first generate a certificate request
               and obtain a certificate before signing binaries for use
               with the Solaris Cryptographic Framework.

     sign      Signs the elf object, using the given private key and
               certificate file.

     verify    Verifies an existing signed object. Uses the certificate
               given or, if -c is not given, searches for an appropriate
               certificate in /etc/crypto/certs.

OPTIONS
     The following options are supported:

     -a

          Generates a signed ELF Sign Activation (.esa) file. This option
          is used when a cryptographic provider has non-retail export
          approval for unrestricted use and desires retail approval by
          restricting which export-sensitive callers (for example, IPsec)
          can use the provider. This option assumes that the provider
          binary has previously been signed with a restricted certificate.

     -c certificate_file

          Specifies the path to an X.509 certificate in PEM/PKCS#7 or
          ASN.1 BER format.

     -e elf_object

          Specifies the path to the object to be signed or verified.

          The -e option can be specified multiple times for signing or
          verifying multiple objects.

     -F format

          For the sign subcommand, specifies the format of the signature.
          The valid format options are:

          rsa_md5_sha1    Default format for Solaris 10 and updates. The
                          rsa_md5_sha1 format is obsolete.

          rsa_sha1        Default format for this release.

          Formats other than rsa_md5_sha1 include an informational
          timestamp with the signature indicating when the signature was
          applied. This timestamp is not cryptographically secure, nor is
          it used as part of verification.

     -f field

          For the list subcommand, specifies what field should appear in
          the output.

          The valid field specifiers for a certificate file are:

          subject    Subject DN (Distinguished Name)

          issuer     Issuer DN

          The valid field specifiers for an elf object are:

          format     Format of the signature

          signer     Subject DN of the certificate used to sign the object

          time       Time the signature was applied, in the locale's
                     default format

     -k private_key

          Specifies the location of the private key file when not using a
          PKCS#11 token. This file is an RSA private key file in a
          Solaris-specific format. When used with the request subcommand,
          this is the output file for the newly generated key.

          It is an error to specify both the -k and -T options.

     -P pin_file

          Specifies the file which holds the PIN for accessing the token
          device. If the PIN is not provided in a pin_file, elfsign
          prompts for the PIN.

          It is an error to specify the -P option without the -T option.

     -r certificate_request_file

          Specifies the path to the certificate request file, which is in
          PKCS#10 format.

     -T token_label

          Specifies the label of the PKCS#11 token device, as provided by
          pktool, which holds the private key.

          It is an error to specify both the -T and -k options.

     -v

          Requests more detailed information. The additional output
          includes the signer and, if the signature format contains it,
          the time the object was signed. This is not stable, parseable
          output.

OPERANDS
     The following operand is supported:

     file    One or more elf objects to be signed or verified. At least
             one elf object must be specified, either via the -e option
             or after all other options.

EXAMPLES
     Example 1 Signing an ELF Object Using a Key/Certificate in a File

     example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1


     Example 2 Verifying an ELF Object's Signature

     example$ elfsign verify -c mycert -e lib/libmylib.so.1
     elfsign: verification of lib/libmylib.so.1 passed


     Example 3 Generating a Certificate Request

     example$ elfsign request -k mykey -r req.pkcs10
     Enter Company Name / Stock Symbol or some other globally
     unique identifier.
     This will be the prefix of the Certificate DN: SUNW

     The government of the United States of America restricts the export of
     "open cryptographic interfaces", also known as "crypto-with-a-hole".
     Due to this restriction, all providers for the Solaris cryptographic
     framework must be signed, regardless of the country of origin.

     The terms "retail" and "non-retail" refer to export classifications for
     products manufactured in the USA. These terms define the portion of the
     world where the product may be shipped.) Roughly speaking, "retail" is
     worldwide (minus certain excluded nations) and "non-retail" is domestic
     only (plus some highly favored nations).
     If your provider is subject to USA export control, then you
     must obtain an export approval (classification)
     from the government of the USA before exporting your provider.
     It is critical that you specify the obtained (or expected, when
     used during development) classification to the following questions
     so that your provider will be appropriately signed.

     Do you have retail export approval for use without restrictions
     based on the caller (for example, IPsec)? [Yes/No] No

     If you have non-retail export approval for unrestricted use of your
     provider by callers, are you also planning to receive retail
     approval by restricting which export sensitive callers
     (for example, IPsec) may use your provider? [Yes/No] No

     [...]


     Example 4 Determining Information About an Object

     example$ elfsign list -f format -e lib/libmylib.so.1
     rsa_md5_sha1

     example$ elfsign list -f signer -e lib/libmylib.so.1
     CN=VENDOR, OU=Software Development, O=Vendor Inc.

EXIT STATUS
     The following exit values are returned:

     VALUE   MEANING                                     SUB-COMMAND
     0       Operation successful                        sign/verify/request
     1       Invalid arguments
     2       Failed to verify ELF object                 verify
     3       Unable to open ELF object                   sign/verify
     4       Unable to load or invalid certificate       sign/verify
     5       Unable to load private key, private key     sign
             is invalid, or token label is invalid
     6       Failed to add signature                     sign
     7       Attempt to verify unsigned object or        verify
             object not an ELF file
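     The exit values above, together with the format field of the list
     subcommand, lend themselves to a batch audit of installed objects.
     The following POSIX sh script is an added example; it is not part of
     this manual page or of elfsign itself. audit_dir assumes elfsign is in
     PATH, and the directory and certificate paths shown are placeholders.

```shell
#!/bin/sh
# Added example, not part of elfsign(1) or of elfsign itself: verify the
# ELF objects in one directory, map the documented exit values to their
# meaning, and flag objects still signed with the obsolete rsa_md5_sha1
# format as reported by "elfsign list -f format".

# Map an elfsign exit value (see EXIT STATUS) to its documented meaning.
elfsign_exit_meaning() {
    case "$1" in
        0) echo "Operation successful" ;;
        1) echo "Invalid arguments" ;;
        2) echo "Failed to verify ELF object" ;;
        3) echo "Unable to open ELF object" ;;
        4) echo "Unable to load or invalid certificate" ;;
        5) echo "Unable to load private key, private key is invalid, or token label is invalid" ;;
        6) echo "Failed to add signature" ;;
        7) echo "Attempt to verify unsigned object or object not an ELF file" ;;
        *) echo "Unknown exit value $1" ;;
    esac
}

# Classify the string printed by "elfsign list -f format -e obj". list prints
# nothing when the field does not apply, so an empty string means unsigned.
classify_format() {
    case "$1" in
        rsa_md5_sha1) echo obsolete ;;
        rsa_sha1)     echo current ;;
        '')           echo unsigned ;;
        *)            echo unknown ;;
    esac
}

# Verify every regular file in directory $1, optionally against certificate
# file $2 (otherwise elfsign searches /etc/crypto/certs). Assumes elfsign is
# in PATH. Returns 1 if any object failed, is unsigned, or uses an obsolete format.
audit_dir() {
    dir=$1; cert=${2:-}; bad=0
    if [ -n "$cert" ]; then set -- -c "$cert"; else set --; fi
    for obj in "$dir"/*; do
        [ -f "$obj" ] || continue
        if elfsign verify "$@" -e "$obj" >/dev/null 2>&1; then rc=0; else rc=$?; fi
        fmt=$(classify_format "$(elfsign list -f format -e "$obj" 2>/dev/null)")
        printf '%s: exit %s (%s), format %s\n' "$obj" "$rc" "$(elfsign_exit_meaning "$rc")" "$fmt"
        [ "$rc" -eq 0 ] && [ "$fmt" = current ] || bad=1
    done
    return $bad
}

# Runs only when a directory is given and elfsign exists (paths are placeholders):
#   sh audit.sh /usr/lib/security /path/to/mycert
if [ -n "${1:-}" ] && command -v elfsign >/dev/null 2>&1; then audit_dir "$1" "${2:-}"; fi
```

     An exit value of 7 distinguishes an object that was never signed from
     one whose signature failed to verify (exit value 2), so the two cases
     can be reported separately.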

FILES
     /etc/crypto/certs    Directory searched by the verify subcommand if
                          the -c option is not used

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWtoo                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │See below.                   │
     └─────────────────────────────┴─────────────────────────────┘

     The elfsign command and subcommands are Committed. While applications
     should not depend on the output format of elfsign, the output format
     of the list subcommand is Committed.

SEE ALSO
     date(1), pktool(1), cryptoadm(1M), libpkcs11(3LIB), attributes(5)

SunOS 5.11                        7 Jul 2008                        elfsign(1)