'\" te
.\" Copyright (c) 2009, 2020, Oracle and/or its affiliates.
.TH elfsign 1 "14 Oct 2016" "Oracle Solaris 11.4" "User Commands"
.SH NAME
elfsign \- sign binaries
.SH SYNOPSIS
.LP
.nf
\fB/usr/bin/elfsign\fR sign [\fB-v\fR] \fB-k\fR \fIprivate_key\fR \fB-c\fR \fIcertificate_file\fR \fB-e\fR \fIelf_object\fR [-d \fIdata_range\fR] [\fB-F\fR \fIformat\fR] [file]...
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR sign [\fB-v\fR] \fB-c\fR \fIcertificate_file\fR -e \fIelf_object\fR -T \fItoken_uri\fR [-d \fIdata_range\fR] [-F \fIformat\fR] [\fIfile\fR]...
.fi
.LP
.nf
/usr/bin/elfsign sign [-v] -c \fIcertificate_file\fR [-e \fIelf_object\fR] -s \fIsignature_file\fR [-d \fIdata_range\fR] [-F \fIformat\fR|-O oid] [\fIfile\fR]
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR verify [\fB-c\fR \fIcertificate_file\fR] [\fB-v\fR] \fB-e\fR \fIelf_object\fR [file]...
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR \fIlist\fR [\fB-f\fR \fIfield\fR] \fB-c\fR \fIcertificate_file\fR
.fi
.LP
.nf
\fB/usr/bin/elfsign\fR \fIlist\fR [\fB-f\fR \fIfield\fR] \fB-e\fR \fIelf_object\fR [file]...
.fi
.LP
.nf
/usr/bin/elfsign digest [-o \fIdigest_file\fR] [-e \fIelf_object\fR] [-F format] [file]
.fi
.LP
.nf
/usr/bin/elfsign data [-o \fIoutput_file\fR] [-e \fIelf_object\fR] [-d \fIdata_range\fR] [file]
.fi
.SH DESCRIPTION
.sp
.ne 2
.mk
.na
\fB\fBlist\fR\fR
.ad
.br
.sp .6
.RS 4n
Lists on standard output information from a single certificate file or signed elf object. The selected field appears on a single line. If the field specified does not apply to the named file, the command terminates with no standard output. The output of this subcommand is intended for use in scripts and by other commands.
.RE
.sp
.ne 2
.mk
.na
\fB\fBsign\fR\fR
.ad
.br
.sp .6
.RS 4n
Signs the elf object, using the given private key and certificate file, or signature and certificate file.
.RE
.sp
.ne 2
.mk
.na
\fB\fBverify\fR\fR
.ad
.br
.sp .6
.RS 4n
Verifies an existing signed object.
Uses the certificate given or searches for an appropriate certificate in directories \fB/etc/certs/elfsign\fR and \fB/etc/certs\fR if \fB-c\fR option is not given.
.RE
.sp
.ne 2
.mk
.na
\fB\fBdigest\fR\fR
.ad
.br
.sp .6
.RS 4n
Prints on standard output, the digest of the elf object in a given format. SHA-256 is the default format.
.RE
.sp
.ne 2
.mk
.na
\fB\fBdata\fR\fR
.ad
.br
.sp .6
.RS 4n
Prints to the specified \fIoutput_file\fR or to standard output, the ELF data to be signed for the given data range. The default data range is interpret.
.RE
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-c\fR \fIcertificate_file\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-d\fR \fIdata_range\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the range of ELF data to sign. The valid \fIdata_range\fR options are:
.sp
.ne 2
.mk
.na
\fB\fBcurrent\fR\fR
.ad
.br
.sp .6
.RS 4n
Use the data range found in the ELF file signature. If there's no signature, use the default data range.
.RE
.sp
.ne 2
.mk
.na
\fB\fBinterpret\fR\fR
.ad
.br
.sp .6
.RS 4n
The data signed are interpreted according to the file type. Treats relocatable ELF files and kernel modules the same as "\fBrelobj\fR". For executable ELF files, sign ELF headers and ELF Program segments.
.RE
.sp
.ne 2
.mk
.na
\fB\fBrelobj\fR\fR
.ad
.br
.sp .6
.RS 4n
The data signed are ELF headers and ELF sections (excluding the signature section). This is the default range.
.RE
.sp
.ne 2
.mk
.na
\fB\fBlegacy\fR\fR
.ad
.br
.sp .6
.RS 4n
The data signed are ELF sections (excludes the signature section and ELF headers). This option is for use for signing files for older releases only.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fB-e\fR \fIelf_object\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the path to the object to be signed or verified.
.sp
The \fB-e\fR option can be specified multiple times for signing or verifying multiple objects.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-F\fR \fIformat\fR\fR
.ad
.br
.sp .6
.RS 4n
For the \fBsign\fR subcommand, specifies the format of the signature. The valid format options are:
.sp
.ne 2
.mk
.na
\fB\fBcurrent\fR\fR
.ad
.RS 16n
.rt
Use the format found in the ELF file signature. If there's no signature, use the default format.
.RE
.sp
.ne 2
.mk
.na
\fB\fBdefault\fR\fR
.ad
.RS 16n
.rt
Use the default cryptographic signature algorithm, rsa_sha256.
.RE
.sp
.ne 2
.mk
.na
\fB\fBrsa_sha256\fR\fR
.ad
.RS 16n
.rt
RSA signature of a SHA-256 digest. This is the default format if \fB-F\fR option is omitted.
.RE
.sp
.ne 2
.mk
.na
\fB\fBrsa_sha1\fR\fR
.ad
.RS 16n
.rt
RSA signature of a SHA-1 digest. This format is obsolete.
.RE
.sp
.ne 2
.mk
.na
\fB\fBrsa_md5_sha1\fR\fR
.ad
.RS 16n
.rt
RSA signature of an MD5 digest of a SHA-1 digest. This format is obsolete.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fB-O\fR \fIoid\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the encryption algorithm's OID, in lieu of \fB-F\fR option. For example, "\fB-O 1.2.840.113549.1.1.11\fR" is equivalent to "\fB-F rsa_sha256\fR". The OID is not validated.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-f\fR \fIfield\fR\fR
.ad
.br
.sp .6
.RS 4n
For the \fBlist\fR subcommand, specifies what field should appear in the output.
.sp
The list subcommand supports the following option:
.sp
.sp
.ne 2
.mk
.na
\fB\fB-f\fR \fBall\fR\fR
.ad
.br
.sp .6
.RS 4n
Lists all fields in a certificate or an ELF file. For an ELF file, the following signature information is displayed: Endianness, format, version, signer, timestamp, signature and OID.
.RE
The valid field specifiers for a certificate file are:
.sp
.sp
.ne 2
.mk
.na
\fBsubject\fR
.ad
.RS 11n
.rt
Subject DN (Distinguished Name)
.RE
.sp
.ne 2
.mk
.na
\fBissuer\fR
.ad
.RS 11n
.rt
Issuer DN
.RE
The valid field specifiers for an elf object are:
.sp
.ne 2
.mk
.na
\fBformat\fR
.ad
.RS 10n
.rt
Format of the signature
.RE
.sp
.ne 2
.mk
.na
\fBsigner\fR
.ad
.RS 10n
.rt
Subject DN of the certificate used to sign the object
.RE
.sp
.ne 2
.mk
.na
\fBtime\fR
.ad
.RS 10n
.rt
Time the signature was applied, in the locale's default format. This is no longer used.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fB-k\fR \fIprivate_key\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the location of the private key file when not using a PKCS#11 token. This file is an RSA Private key file in standard PEM (base64) or DER (binary) format.
.sp
It is an error to specify both the \fB-k\fR and \fB-T\fR options.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-o\fR \fIoutput_file\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the path to the output file to be output with the \fBdata\fR command.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-P\fR \fIpin_file\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the file which holds the PIN for accessing the token device. If the PIN is not provided in a \fIpin_file\fR, \fBelfsign\fR prompts for the PIN.
.sp
It is an error to specify the \fB-P\fR option without the \fB-T\fR option.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-s\fR \fIsignature_file\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the path to a signature file in binary or base64 encoded format. The signature file is created separately using the private key and the file created by the "\fBelfsign data\fR" subcommand of the elf object.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-T\fR \fItoken_uri\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the URI of the PKCS#11 token device, as provided by \fBpktool\fR, which holds the private key. The token label, token key label, and pin file can be specified through the \fItoken_uri\fR; the token key label (object) is a required input attribute.
.sp
It is an error to specify both the \fB-T\fR and \fB-k\fR options.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-v\fR\fR
.ad
.br
.sp .6
.RS 4n
Requests more detailed information. The additional output includes the signer and, if the signature format contains it, the time the object was signed. This is not stable parsable output.
.RE
.SH OPERANDS
.sp
.LP
The following operand is supported:
.sp
.ne 2
.mk
.na
\fB\fIfile\fR\fR
.ad
.br
.sp .6
.RS 4n
One or more \fBelf\fR objects to be signed, verified or listed. At least one \fBelf\fR object must be specified either via the \fB-e\fR option or after all other options.
.RE
.SH EXAMPLES
.LP
\fBExample 1\fR Signing an ELF Object Using a Key/Certificate in a File
.sp
.in +2
.nf
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1
.fi
.in -2
.sp
.LP
\fBExample 2\fR Verifying an \fBelf\fR Object's Signature
.sp
.in +2
.nf
example$ elfsign verify -c mycert -e lib/libmylib.so.1
elfsign: verification of lib/libmylib.so.1 passed
.fi
.in -2
.sp
.LP
\fBExample 3\fR Signing an Object Specifying the Data Range
.sp
.LP
This will be the prefix of the Certificate DN: ORCL
.sp
.in +2
.nf
example$ \fBelfsign sign -d relobj -k myprivatekey -c mycert -e lib/libmylib.so.1\fR
.fi
.in -2
.sp
.LP
\fBExample 4\fR Determining Information About an Object
.sp
.in +2
.nf
example$ elfsign list -f format -e lib/libmylib.so.1
rsa_md5_sha1
example$ elfsign list -f signer -e lib/libmylib.so.1
CN=VENDOR, OU=Software Development, O=Vendor Inc.
.fi
.in -2
.sp
.LP
\fBExample 5\fR Signing an ELF Object Using a Token URI
.sp
.in +2
.nf
example$ \fBelfsign sign -c mycert -e lib/libmylib.so.1 -T 'pkcs11:token=Sun Software PKCS#11 softtoken; object=mykey;pinfile=/path/to/pinfile'\fR
.fi
.in -2
.sp
.LP
\fBExample 6\fR Signing an ELF Object Using a Token URI with interactive PIN
.sp
.in +2
.nf
example$ \fBelfsign sign -c mycert -e lib/libmylib.so.1 \e
-T 'pkcs11:token=Sun Software PKCS#11 softtoken;object=mykey'\fR
Enter PIN for Sun Software PKCS#11 softtoken:
.fi
.in -2
.sp
.LP
\fBExample 7\fR Signing an ELF Object Using a Signature File
.sp
.LP
Create a file containing the data to be signed from the ELF object.
.sp
.in +2
.nf
example$ \fBelfsign data -o /path/to/data_file -e /lib/libmylib.so.1\fR
.fi
.in -2
.sp
.sp
.LP
Create a private key and certificate file using the \fBopenssl\fR command.
.sp
.in +2
.nf
example$ \fBopenssl genrsa -out /path/to/private_key 2048\fR
example$ \fBopenssl req -new -x509 -days 999 -key /path/to/private_key \e\fR
\fB-out /path/to/certificate_file\fR
.fi
.in -2
.sp
.sp
.LP
Create a signature file using the \fBopenssl\fR command.
.sp
.in +2
.nf
example$ \fBopenssl dgst -sha256 -binary /path/to/data_file >/path/to/digest_file\fR
.fi
.in -2
.sp
.sp
.in +2
.nf
example$ \fBopenssl rsautl -sign -in /path/to/digest_file \e\fR
\fB-out /path/to/signature_file -inkey /path/to/private_key\fR
.fi
.in -2
.sp
.sp
.LP
Sign the ELF object using the signature file.
.sp
.in +2
.nf
example$ \fBelfsign sign -c /path/to/certificate_file \e\fR
\fB-s /path/to/signature_file -e /lib/libmylib.so.1\fR
.fi
.in -2
.sp
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.TS
tab(@);
lw(1i) lw(3i) lw(1.5i)
lw(1i) lw(3i) lw(1.5i)
.
VALUE@MEANING@SUB-COMMAND
\fB0\fR@Operation successful@sign/verify
\fB1\fR@Invalid arguments@
\fB2\fR@Failed to verify ELF object@verify
3@Unable to open ELF object@sign/verify
4@Unable to load or invalid certificate@sign/verify
5@T{
Unable to load private key, private key is invalid, or token label is invalid
T}@sign
6@Failed to add signature@sign
7@T{
Attempt to verify unsigned object or object not an ELF file
T}@verify
.TE
.sp
.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/certs/elfsign\fR\fR
.ad
.br
.na
\fB\fB/etc/certs\fR\fR
.ad
.br
.sp .6
.RS 4n
Directory searched for the \fBverify\fR subcommand if the \fB-c\fR flag is not used.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@developer/base-developer-utilities
_
Interface Stability@See below.
.TE
.sp
.sp
.LP
The \fBelfsign\fR command and subcommands are Committed. While applications should not depend on the output format of \fBelfsign\fR, the output format of the \fBlist\fR subcommand is Committed.
.SH SEE ALSO
.sp
.LP
\fBdate\fR(1), \fBpktool\fR(1), \fBattributes\fR(7), \fBcryptoadm\fR(8)
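
The following script is an added example, not part of the man page or of Oracle's tooling. It audits a set of ELF objects using only the verify and list -f format subcommands, the exit values and the format names documented above, and flags unsigned objects and the obsolete rsa_sha1 and rsa_md5_sha1 formats. The function names and the ELFSIGN override variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the man page): audit ELF objects with elfsign(1).
# Assumption: ELFSIGN is a hypothetical override for the binary path.
ELFSIGN=${ELFSIGN:-/usr/bin/elfsign}

# Map an "elfsign verify" exit value (EXIT STATUS table) to a status word.
verify_status() {
    case "$1" in
        0) echo verified ;;
        2) echo FAILED ;;
        3) echo unreadable ;;
        4) echo bad-certificate ;;
        7) echo unsigned-or-not-elf ;;
        *) echo "error-$1" ;;
    esac
}

# Classify a signature format printed by "elfsign list -f format".
format_status() {
    case "$1" in
        rsa_sha256) echo current ;;
        rsa_sha1|rsa_md5_sha1) echo obsolete ;;
        "") echo none ;;
        *) echo unknown ;;
    esac
}

# audit_object FILE: print one report line; succeed only when the object
# verifies and its signature format is not obsolete.
audit_object() {
    rc=0
    "$ELFSIGN" verify -e "$1" >/dev/null 2>&1 || rc=$?
    # list prints nothing when the field does not apply (unsigned object)
    fmt=$("$ELFSIGN" list -f format -e "$1" 2>/dev/null) || fmt=
    fs=$(format_status "$fmt")
    echo "$1 verify=$(verify_status "$rc") format=${fmt:-none} ($fs)"
    [ "$rc" -eq 0 ] && [ "$fs" = current ]
}

# audit_all FILE...: audit every object; return 1 if any has a finding.
audit_all() {
    bad=0
    for f in "$@"; do
        audit_object "$f" || bad=1
    done
    return "$bad"
}

if [ "$#" -gt 0 ]; then audit_all "$@"; fi
```

Because no -c option is passed, verify searches /etc/certs/elfsign and /etc/certs for a matching certificate, as described under FILES.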