/
sign_binary.rs
86 lines (67 loc) · 3.02 KB
/
sign_binary.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
use std::str::FromStr;
use cms::cert::IssuerAndSerialNumber;
use cryptoki::{context::{Pkcs11, CInitializeArgs}, mechanism::Mechanism, object::Attribute};
/// Demonstrates how to sign a PE binary.
use goblin::pe::{PE, writer::PEWriter};
use goblin_signing::{sign::create_certificate, pkcs11::{signature_request::SignatureRequest, keypair::DerivedKeypair}};
use sha2::Sha256;
use x509_cert::name::RdnSequence;
fn main() {
let file = include_bytes!("../tests/bins/nixos-uki.efi");
let file = &file[..];
let pe = PE::parse(file).unwrap();
println!("{:?}", pe.certificates.first().unwrap().1.certificate);
let mut pkcs11 = Pkcs11::new(
std::env::var("PKCS11_SOFTHSM2_MODULE").unwrap()
).unwrap();
pkcs11.initialize(CInitializeArgs::OsThreads).unwrap();
println!("PKCS#11 initialized");
// Take first slot
println!("Available tokens: {:#?}", pkcs11.get_slots_with_token().unwrap());
let slot = pkcs11.get_slots_with_token().unwrap().remove(0);
println!("Obtained a security token, i.e. a slot: {:#?}", slot);
let _ = pkcs11.init_token(slot, "fedcba", "my first token").unwrap();
let session = pkcs11.open_rw_session(slot).unwrap();
println!("Session opened in read-write");
let _ = session.login(cryptoki::session::UserType::So, Some("fedcba")).unwrap();
println!("Logged in as the security officer");
let _ = session.init_pin("fedcba").unwrap();
println!("Normal pin initialized");
let _ = session.logout().unwrap();
println!("Logged out from the security officer");
let _ = session.login(cryptoki::session::UserType::User, Some("fedcba")).unwrap();
println!("Logged in as a user");
println!("Available mechanisms: {:#?}", pkcs11.get_mechanism_list(slot).unwrap().into_iter().map(|mech| mech.to_string()).collect::<Vec<_>>());
let mechanism = Mechanism::Sha256RsaPkcs;
let (_public_key, private_key) = session.generate_key_pair(
&Mechanism::RsaPkcsKeyPairGen,
&[
Attribute::Verify(true),
Attribute::ModulusBits(2048.into())
],
&[
Attribute::Token(true),
Attribute::Private(true),
Attribute::Subject("test@example.org".into()),
Attribute::Id("test".into()),
Attribute::Sensitive(true),
Attribute::Sign(true),
]
).unwrap();
println!("New key generated on the security token");
let signer = SignatureRequest::<'_, ecdsa::der::Signature<p256::NistP256>>::new(
mechanism,
DerivedKeypair::from_session(private_key, &session).unwrap(),
&session
);
// TODO: assert public_key is the one we expect.
/*let certificate = create_certificate::<Sha256, _, _>(&pe,
cms::signed_data::SignerIdentifier::IssuerAndSerialNumber(
IssuerAndSerialNumber {
issuer: RdnSequence::from_str("CN=test").unwrap(),
serial_number: 1_u32.into()
}
), &signer).unwrap();
let pe_writer = PEWriter::new(pe).unwrap();
println!("Signed!");*/
}