Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
From: David Howells
Date: Wed Sep 16 2015 - 18:46:04 EST
David Howells <dhowells@xxxxxxxxxx> wrote:
> Hmmm... Tricky. I'll have to think about it. I'm using PKCS7_NOCERTS with
> PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
> the message - but it's then necessary to manually specify the signers - at
> least so I recall.
It's worse than that. The PKCS7_sign() function in pre-1.0.0 OpenSSL crypto
libs will only do SHA1.
Now, it will work, and SHA1 might be just about acceptable for something based
on that old an OpenSSL library.
With this in mind, does the attached additional patch (on top of the one I
gave you yesterday) work for you? You need to set CONFIG_MODULE_SIG_SHA1=y in
your config.
David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 0765141c3150..f65120e2aa03 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -32,7 +32,14 @@
* assume that it's not available and its header file is missing and that we
* should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
* the options we have on specifying the X.509 certificate we want.
+ *
+ * Further, older versions of OpenSSL don't support manually adding signers to
+ * the PKCS#7 message so have to accept that we get a certificate included in
+ * the signature message. Nor do such older versions of OpenSSL support
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
*/
+#define USE_PKCS7
#if OPENSSL_VERSION_NUMBER < 0x10000000L
#define USE_PKCS7
#endif
@@ -184,6 +191,14 @@ int main(int argc, char **argv)
replace_orig = true;
}
+#ifdef USE_PKCS7
+ if (strcmp(hash_algo, "sha1") != 0) {
+ fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
+ OPENSSL_VERSION_TEXT);
+ exit(3);
+ }
+#endif
+
/* Read the private key and the X.509 cert the PKCS#7 message
* will point to.
*/
@@ -240,8 +255,8 @@ int main(int argc, char **argv)
bm = BIO_new_file(module_name, "rb");
ERR(!bm, "%s", module_name);
- /* Load the signature message from the digest buffer. */
#ifndef USE_PKCS7
+ /* Load the signature message from the digest buffer. */
cms = CMS_sign(NULL, NULL, NULL, NULL,
CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
ERR(!cms, "CMS_sign");
@@ -254,17 +269,10 @@ int main(int argc, char **argv)
"CMS_final");
#else
- pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL,
- PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
- PKCS7_DETACHED | PKCS7_STREAM);
+ pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+ PKCS7_NOCERTS | PKCS7_BINARY |
+ PKCS7_DETACHED | PKCS7_STREAM | use_signed_attrs);
ERR(!pkcs7, "PKCS7_sign");
-
- ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
- PKCS7_NOCERTS | PKCS7_BINARY | PKCS7_NOSMIMECAP |
- use_signed_attrs),
- "PKCS7_sign_add_signer");
- ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
- "PKCS7_final");
#endif
if (save_sig) {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/