| Skip Navigation Links | |
| Exit Print View | |
|
man pages section 1: User Commands Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
man pages section 1: User Commands Oracle Solaris 11.1 Information Library |
- sign binaries
/usr/bin/elfsign sign [-v] -k private_key -c certificate_file
-e elf_object [-F format] [file].../usr/bin/elfsign sign [-v] -c certificate_file
-e elf_object -T token_label [-P pin_file] [-F format] [file].../usr/bin/elfsign verify [-c certificate_file]
[-v] -e elf_object [file].../usr/bin/elfsign request -r certificate_request_file
{-k private_key | -T token_label}/usr/bin/elfsign list -f field -c certificate_file
/usr/bin/elfsign list -f field -e elf_object
Lists on standard output information from a single certificate file or signed elf object. The selected field appears on a single line. If the field specified does not apply to the named file, the command terminates with no standard output. This output of this subcommand is intended for use in scripts and by other commands.
Generates a private key and a PKCS#10 certificate request. The PKCS#10 certificate request for use with the Solaris Cryptographic Framework. If the private key is to be created in a token device, elfsign prompts for the PIN required to update the token device. The PKCS#10 certificate request should be sent to the email address solaris-crypto-req_ww@oracle.com to obtain a Certificate.
Users of elfsign must first generate a certificate request and obtain a certificate before signing binaries for use with the Solaris Cryptographic Framework.
Signs the elf object, using the given private key and certificate file.
Verifies an existing signed object. Uses the certificate given or searches for an appropriate certificate in /etc/crypto/certs if -c is not given.
The following options are supported:
Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.
Specifies the path to the object to be signed or verified.
The -e option can be specified multiple times for signing or verifying multiple objects.
For the sign subcommand, specifies the format of the signature. The valid format options are
Default format Solaris 10 and updates, The rsa_md5_sha1 format is Obsolete.
Default format for this release.
Formats other than rsa_md5_sha1 include an informational timestamp with the signature indicating when the signature was applied. This timestamp is not cryptographically secure, nor is it used as part of verification.
For the list subcommand, specifies what field should appear in the output.
The valid field specifiers for a certifiicate file are:
Subject DN (Distinguished Name)
Issuer DN
The valid field specifiers for an elf object are:
Format of the signature
Subject DN of the certificate used to sign the object
Time the signature was applied, in the locale's default format
Specifies the location of the private key file when not using a PKCS#11 token. This file is an RSA Private key file in a Solaris specific format. When used with the request subcommand, this is the ouput file for the newly generated key.
It is an error to specify both the -k and -T options.
Specifies the file which holds the PIN for accessing the token device. If the PIN is not provided in a pin_file, elfsign prompts for the PIN.
It is an error to specify the -P option without the -T option.
Specifies the path to the certificate request file, which is in PKCS#10 format.
Specifies the label of the PCKS#11 token device, as provided by pktool, which holds the private key.
It is an error to specify both the -T and -k options.
Requests more detailed information. The additional output includes the signer and, if the signature format contains it, the time the object was signed. This is not stable parseable output.
The following operand is supported:
One or more elf objects to be signed or verified. At least one elf object must be specified either via the -e option or after all other options.
Example 1 Signing an ELF Object Using a Key/Certificate in a File
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1
Example 2 Verifying an elf Object's Signature
example$ elfsign verify -c mycert -e lib/libmylib.so.1 elfsign: verification of lib/libmylib.so.1 passed
Example 3 Generating a Certificate Request
example$ elfsign request -k mykey -r req.pkcs10 Enter Company Name / Stock Symbol or some other globally unique identifier. This will be the prefix of the Certificate DN: SUNW
Example 4 Determining Information About an Object
example$ elfsign list -f format -e lib/libmylib.so.1 rsa_md5_sha1 example$ elfsign list -f signer -e lib/libmylib.so.1 CN=VENDOR, OU=Software Development, O=Vendor Inc.
The following exit values are returned:
|
Directory searched for the verify subcommand if the -c flag is not used
See attributes(5) for descriptions of the following attributes:
|
The elfsign command and subcommands are Committed. While applications should not depend on the output format of elfsign, the output format of the list subcommand is Committed.
date(1), pktool(1), cryptoadm(1M), libpkcs11(3LIB), attributes(5)
|