1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
|
'\" te
.\" Copyright 2009, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced
.\" with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH ELFSIGN 1 "April 9, 2016"
.SH NAME
elfsign \- sign binaries
.SH SYNOPSIS
.LP
.nf
\fB/usr/bin/elfsign\fR sign [\fB-a\fR] [\fB-v\fR] \fB-k\fR \fIprivate_key\fR \fB-c\fR \fIcertificate_file\fR
\fB-e\fR \fIelf_object\fR [\fB-F\fR \fIformat\fR] [file]...
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR sign [\fB-a\fR] [\fB-v\fR] \fB-c\fR \fIcertificate_file\fR
\fB-e\fR \fIelf_object\fR \fB-T\fR \fItoken_label\fR [\fB-P\fR \fIpin_file\fR] [\fB-F\fR \fIformat\fR] [file]...
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR verify [\fB-c\fR \fIcertificate_file\fR]
[\fB-v\fR] \fB-e\fR \fIelf_object\fR [file]...
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR request \fB-r\fR \fIcertificate_request_file\fR
{\fB-k\fR \fIprivate_key\fR | \fB-T\fR \fItoken_label\fR}
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR \fIlist\fR \fB-f\fR \fIfield\fR \fB-c\fR \fIcertificate_file\fR
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR \fIlist\fR \fB-f\fR \fIfield\fR \fB-e\fR \fIelf_object\fR
.fi
.SH DESCRIPTION
.ne 2
.na
\fB\fBlist\fR\fR
.ad
.RS 11n
Lists on standard output information from a single certificate file or signed
elf object. The selected field appears on a single line. If the field specified
does not apply to the named file, the command terminates with no standard
output. This output of this subcommand is intended for use in scripts and by
other commands.
.RE
.sp
.ne 2
.na
\fB\fBrequest\fR\fR
.ad
.RS 11n
Generates a private key and a PKCS#10 certificate request. The PKCS#10
certificate request for use with the Solaris Cryptographic Framework. If the
private key is to be created in a token device, elfsign prompts for the PIN
required to update the token device. The PKCS#10 certificate request should be
sent to the email address \fIsolaris-crypto-req@sun.com\fR to obtain a
Certificate.
.sp
Users of \fBelfsign\fR must first generate a certificate request and obtain a
certificate before signing binaries for use with the Solaris Cryptographic
Framework.
.RE
.sp
.ne 2
.na
\fB\fBsign\fR\fR
.ad
.RS 11n
Signs the elf object, using the given private key and certificate file.
.RE
.sp
.ne 2
.na
\fB\fBverify\fR\fR
.ad
.RS 11n
Verifies an existing signed object. Uses the certificate given or searches for
an appropriate certificate in \fB/etc/crypto/certs\fR if \fB-c\fR is not given.
.RE
.SH OPTIONS
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-a\fR\fR
.ad
.sp .6
.RS 4n
Generates a signed \fBELF\fR Sign Activation (\fB\&.esa\fR) file. This option
is used when a cryptographic provider has nonretail export approval for
unrestricted use and desires retail approval by restricting which export
sensitive callers (for example, IPsec) can use the provider. This option
assumes that the provider binary has previously been signed with a restricted
certificate.
.RE
.sp
.ne 2
.na
\fB\fB-c\fR \fIcertificate_file\fR\fR
.ad
.sp .6
.RS 4n
Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.
.RE
.sp
.ne 2
.na
\fB\fB-e\fR \fIelf_object\fR\fR
.ad
.sp .6
.RS 4n
Specifies the path to the object to be signed or verified.
.sp
The \fB-e\fR option can be specified multiple times for signing or verifying
multiple objects.
.RE
.sp
.ne 2
.na
\fB\fB-F\fR \fIformat\fR\fR
.ad
.sp .6
.RS 4n
For the \fBsign\fR subcommand, specifies the format of the signature. The valid
format options are
.sp
.ne 2
.na
\fB\fBrsa_md5_sha1\fR\fR
.ad
.RS 16n
Default format Solaris 10 and updates, The \fBrsa_md5_sha1\fR format is
Obsolete.
.RE
.sp
.ne 2
.na
\fB\fBrsa_sha1\fR\fR
.ad
.RS 16n
Default format for this release.
.RE
Formats other than \fBrsa_md5_sha1\fR include an informational timestamp with
the signature indicating when the signature was applied. This timestamp is not
cryptographically secure, nor is it used as part of verification.
.RE
.sp
.ne 2
.na
\fB\fB-f\fR \fIfield\fR\fR
.ad
.sp .6
.RS 4n
For the \fBlist\fR subcommand, specifies what field should appear in the
output.
.sp
The valid field specifiers for a certifiicate file are:
.sp
.ne 2
.na
\fBsubject\fR
.ad
.RS 11n
Subject DN (Distinguished Name)
.RE
.sp
.ne 2
.na
\fBissuer\fR
.ad
.RS 11n
Issuer DN
.RE
The valid field specifiers for an elf object are:
.sp
.ne 2
.na
\fBformat\fR
.ad
.RS 10n
Format of the signature
.RE
.sp
.ne 2
.na
\fBsigner\fR
.ad
.RS 10n
Subject DN of the certificate used to sign the object
.RE
.sp
.ne 2
.na
\fBtime\fR
.ad
.RS 10n
Time the signature was applied, in the locale's default format
.RE
.RE
.sp
.ne 2
.na
\fB\fB-k\fR \fIprivate_key\fR\fR
.ad
.sp .6
.RS 4n
Specifies the location of the private key file when not using a PKCS#11 token.
This file is an RSA Private key file in a Solaris specific format. When used
with the \fBrequest\fR subcommand, this is the ouput file for the newly
generated key.
.sp
It is an error to specify both the \fB-k\fR and \fB-T\fR options.
.RE
.sp
.ne 2
.na
\fB\fB-P\fR \fIpin_file\fR\fR
.ad
.sp .6
.RS 4n
Specifies the file which holds the PIN for accessing the token device. If the
PIN is not provided in a \fIpin_file\fR, \fBelfsign\fR prompts for the PIN.
.sp
It is an error to specify the \fB-P\fR option without the \fB-T\fR option.
.RE
.sp
.ne 2
.na
\fB\fB-r\fR \fIcertificate_request_file\fR\fR
.ad
.sp .6
.RS 4n
Specifies the path to the certificate request file, which is in PKCS#10 format.
.RE
.sp
.ne 2
.na
\fB\fB-T\fR \fItoken_label\fR\fR
.ad
.sp .6
.RS 4n
Specifies the label of the PCKS#11 token device, as provided by \fBpktool\fR,
which holds the private key.
.sp
It is an error to specify both the \fB-T\fR and \fB-k\fR options.
.RE
.sp
.ne 2
.na
\fB\fB-v\fR\fR
.ad
.sp .6
.RS 4n
Requests more detailed information. The additional output includes the signer
and, if the signature format contains it, the time the object was signed. This
is not stable parsable output.
.RE
.SH OPERANDS
.LP
The following operand is supported:
.sp
.ne 2
.na
\fB\fIfile\fR\fR
.ad
.RS 8n
One or more elf objects to be signed or verified. At least one elf object must
be specified either via the -e option or after all other options.
.RE
.SH EXAMPLES
.LP
\fBExample 1 \fRSigning an ELF Object Using a Key/Certificate in a File
.sp
.in +2
.nf
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1
.fi
.in -2
.sp
.LP
\fBExample 2 \fRVerifying an \fBelf\fR Object's Signature
.sp
.in +2
.nf
example$ elfsign verify -c mycert -e lib/libmylib.so.1
elfsign: verification of lib/libmylib.so.1 passed
.fi
.in -2
.sp
.LP
\fBExample 3 \fRGenerating a Certificate Request
.sp
.in +2
.nf
example$ elfsign request -k mykey -r req.pkcs10
Enter Company Name / Stock Symbol or some other globally
unique identifier.
This will be the prefix of the Certificate DN: SUNW
The government of the United States of America restricts the export of
"open cryptographic interfaces", also known as "crypto-with-a-hole".
Due to this restriction, all providers for the Solaris cryptographic
framework must be signed, regardless of the country of origin.
The terms "retail" and "non-retail" refer to export classifications for
products manufactured in the USA. These terms define the portion of the
world where the product may be shipped.) Roughly speaking, "retail" is
worldwide (minus certain excluded nations) and "non-retail" is domestic
only (plus some highly favored nations).
If your provider is subject to USA export control, then you
must obtain an export approval (classification)
from the government of the USA before exporting your provider.
It is critical that you specify the obtained (or expected, when
used during development) classification to the following questions
so that your provider will be appropriately signed.
Do you have retail export approval for use without restrictions
based on the caller (for example, IPsec)? [Yes/No] \fBNo\fR
If you have non-retail export approval for unrestricted use of your
provider by callers, are you also planning to receive retail
approval by restricting which export sensitive callers
(for example, IPsec) may use your provider? [Yes/No] \fBNo\fR
[...]
.fi
.in -2
.sp
.LP
\fBExample 4 \fRDetermining Information About an Object
.sp
.in +2
.nf
example$ elfsign list -f format -e lib/libmylib.so.1
rsa_md5_sha1
example$ elfsign list -f signer -e lib/libmylib.so.1
CN=VENDOR, OU=Software Development, O=Vendor Inc.
.fi
.in -2
.sp
.SH EXIT STATUS
.LP
The following exit values are returned:
.sp
.sp
.TS
c c c
l l l .
VALUE MEANING SUBCOMMAND
\fB0\fR Operation successful sign/verify/request
\fB1\fR Invalid arguments
\fB2\fR Failed to verify ELF object verify
3 Unable to open ELF object sign/verify
4 Unable to load or invalid certificate sign/verify
5 T{
Unable to load private key, private key is invalid, or token label is invalid
T} sign
6 Failed to add signature sign
7 T{
Attempt to verify unsigned object or object not an ELF file
T} verify
.TE
.SH FILES
.ne 2
.na
\fB\fB/etc/crypto/certs\fR\fR
.ad
.RS 21n
Directory searched for the \fBverify\fR subcommand if the \fB-c\fR flag is not
used
.RE
.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE ATTRIBUTE VALUE
_
Interface Stability See below.
.TE
.sp
.LP
The \fBelfsign\fR command and subcommands are Committed. While applications
should not depend on the output format of \fBelfsign\fR, the output format of
the \fBlist\fR subcommand is Committed.
.SH SEE ALSO
.LP
\fBdate\fR(1), \fBpktool\fR(1), \fBcryptoadm\fR(1M), \fBlibpkcs11\fR(3LIB),
\fBattributes\fR(5)
|
