elfsign(1) User Commands elfsign(1)
NAME
elfsign - sign binaries
SYNOPSIS
/usr/bin/elfsign sign [-v] -k private_key -c certificate_file
-e elf_object [-F format] [file]...
/usr/bin/elfsign sign [-v] -c certificate_file
-e elf_object -T token_label [-P pin_file] [-F format] [file]...
/usr/bin/elfsign verify [-c certificate_file]
[-v] -e elf_object [file]...
/usr/bin/elfsign request -r certificate_request_file
{-k private_key | -T token_label}
/usr/bin/elfsign list -f field -c certificate_file
/usr/bin/elfsign list -f field -e elf_object
DESCRIPTION
list Lists on standard output information from a single certificate
file or signed elf object. The selected field appears
on a single line. If the field specified does not apply to
the named file, the command terminates with no standard output.
The output of this subcommand is intended for use in
scripts and by other commands.
request Generates a private key and a PKCS#10 certificate request.
The PKCS#10 certificate request is for use with the Solaris
Cryptographic Framework. If the private key is to be created
in a token device, elfsign prompts for the PIN required to
update the token device. The PKCS#10 certificate request
should be sent to the email address
solaris-crypto-req_ww@oracle.com to obtain a Certificate.
Users of elfsign must first generate a certificate request
and obtain a certificate before signing binaries for use
with the Solaris Cryptographic Framework.
sign Signs the elf object, using the given private key and
certificate file.
verify Verifies an existing signed object. Uses the certificate
given or searches for an appropriate certificate in
/etc/crypto/certs if -c is not given.
OPTIONS
The following options are supported:
-c certificate_file
Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1
BER format.
-e elf_object
Specifies the path to the object to be signed or verified.
The -e option can be specified multiple times for signing or
verifying multiple objects.
-F format
For the sign subcommand, specifies the format of the signature. The
valid format options are:
rsa_md5_sha1 Default format for Solaris 10 and updates. The
rsa_md5_sha1 format is obsolete.
rsa_sha1 Default format for this release.
Formats other than rsa_md5_sha1 include an informational timestamp
with the signature indicating when the signature was applied. This
timestamp is not cryptographically secure, nor is it used as part
of verification.
-f field
For the list subcommand, specifies what field should appear in the
output.
The valid field specifiers for a certificate file are:
subject Subject DN (Distinguished Name)
issuer Issuer DN
The valid field specifiers for an elf object are:
format Format of the signature
signer Subject DN of the certificate used to sign the object
time Time the signature was applied, in the locale's default
format
-k private_key
Specifies the location of the private key file when not using a
PKCS#11 token. This file is an RSA Private key file in a Solaris
specific format. When used with the request subcommand, this is the
output file for the newly generated key.
It is an error to specify both the -k and -T options.
-P pin_file
Specifies the file which holds the PIN for accessing the token
device. If the PIN is not provided in a pin_file, elfsign prompts
for the PIN.
It is an error to specify the -P option without the -T option.
-r certificate_request_file
Specifies the path to the certificate request file, which is in
PKCS#10 format.
-T token_label
Specifies the label of the PKCS#11 token device, as provided by
pktool, which holds the private key.
It is an error to specify both the -T and -k options.
-v
Requests more detailed information. The additional output includes
the signer and, if the signature format contains it, the time the
object was signed. This is not stable parseable output.
OPERANDS
The following operand is supported:
file One or more elf objects to be signed or verified. At least one
elf object must be specified either via the -e option or after
all other options.
EXAMPLES
Example 1 Signing an ELF Object Using a Key/Certificate in a File
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1
Example 2 Verifying an elf Object's Signature
example$ elfsign verify -c mycert -e lib/libmylib.so.1
elfsign: verification of lib/libmylib.so.1 passed
Example 3 Generating a Certificate Request
example$ elfsign request -k mykey -r req.pkcs10
Enter Company Name / Stock Symbol or some other globally
unique identifier.
This will be the prefix of the Certificate DN: SUNW
Example 4 Determining Information About an Object
example$ elfsign list -f format -e lib/libmylib.so.1
rsa_md5_sha1
example$ elfsign list -f signer -e lib/libmylib.so.1
CN=VENDOR, OU=Software Development, O=Vendor Inc.
EXIT STATUS
The following exit values are returned:
VALUE   MEANING                                  SUB-COMMAND
0       Operation successful                     sign/verify/request
1       Invalid arguments
2       Failed to verify ELF object              verify
3       Unable to open ELF object                sign/verify
4       Unable to load or invalid certificate    sign/verify
5       Unable to load private key, private      sign
        key is invalid, or token label is
        invalid
6       Failed to add signature                  sign
7       Attempt to verify unsigned object or     verify
        object not an ELF file
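The exit values above distinguish a failed verification (2) from an unsigned or non-ELF file (7), and the list subcommand reports the signature format, so a script can separate these cases. The following is an added example, not part of the original manual page; the function names classify_object and audit_objects are hypothetical, while the exit values and the format field are those documented here.

```shell
#!/bin/sh
# Added example: classify ELF objects by elfsign verify exit status and
# flag signatures that still use the obsolete rsa_md5_sha1 format.

# classify_object CERT OBJECT -> prints one status word on stdout
classify_object() {
    cert=$1
    obj=$2
    rc=0
    elfsign verify -c "$cert" -e "$obj" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)
            # Verified; report the obsolete signature format separately.
            fmt=$(elfsign list -f format -e "$obj" 2>/dev/null) || fmt=""
            if [ "$fmt" = "rsa_md5_sha1" ]; then
                echo "verified-obsolete-format"
            else
                echo "verified"
            fi ;;
        2) echo "verify-failed" ;;        # signature does not match
        3) echo "cannot-open" ;;
        4) echo "bad-certificate" ;;
        7) echo "unsigned-or-not-elf" ;;
        *) echo "error-$rc" ;;
    esac
}

# audit_objects CERT OBJECT... -> one "status<TAB>path" line per object.
# Returns non-zero if any object is anything other than "verified".
audit_objects() {
    cert=$1
    shift
    bad=0
    for obj in "$@"; do
        status=$(classify_object "$cert" "$obj")
        printf '%s\t%s\n' "$status" "$obj"
        [ "$status" = "verified" ] || bad=1
    done
    return $bad
}

# Run only when invoked with arguments: script CERT OBJECT...
if [ "$#" -ge 2 ]; then
    audit_objects "$@"
fi
```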
FILES
/etc/crypto/certs Directory searched for the verify subcommand if
the -c flag is not used
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWtoo │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │See below. │
└─────────────────────────────┴─────────────────────────────┘
The elfsign command and subcommands are Committed. While applications
should not depend on the output format of elfsign, the output format of
the list subcommand is Committed.
SEE ALSO
date(1), pktool(1), cryptoadm(1M), libpkcs11(3LIB), attributes(5)
SunOS 5.10 24 Apr 2012 elfsign(1)