elfsign(1)                       User Commands                      elfsign(1)



NAME
       elfsign - sign binaries for the Solaris Cryptographic Framework

SYNOPSIS
       /usr/bin/elfsign  sign  [-a]  -k  private_key  -c  certificate_file  -e
       elf_object

       /usr/bin/elfsign verify [-c certificate_file] -e elf_object

       /usr/bin/elfsign request -k private_key -r certificate_request_file

DESCRIPTION
       sign            Signs the elf object for use with the Solaris
                       Cryptographic Framework, using the given private key
                       and certificate file.



       verify          Verifies an existing signed object. Uses the
                       certificate given or searches for an appropriate
                       certificate in /etc/crypto/certs if -c is not given.



       request         Generates a  private  key  and  a  PKCS#10  certificate
                       request. The PKCS#10 certificate request should be sent
                       to  the  email  address  solaris-crypto-req@sun.com  to
                       obtain a Certificate.

                       Users  of  elfsign  must  first  generate a certificate
                       request and obtain a certificate before using the other
                       sub-commands.



OPTIONS
       The following options are supported:

       -a

           Generates a signed ELF Sign Activation (.esa) file. This option is
           used when a cryptographic provider has nonretail export approval
           for unrestricted use and desires retail approval by restricting
           which export sensitive callers (for example, IPsec) may use the
           provider. This option assumes that the provider binary has
           previously been signed with a restricted certificate.



       -c certificate_file

           Specifies the path to an X.509 certificate in PEM/PKCS#7  or  ASN.1
           BER format.



       -e elf_object

           Specifies the path to the object to be signed or verified.



       -k private_key

           Specifies the location of the private key file when not using a
           PKCS#11 token. This file is an RSA Private key file in a Solaris
           specific format. When used with the request subcommand, this is the
           output file for the newly generated key.



       -r certificate_request_file

           Specifies the path to the certificate request  file,  which  is  in
           PKCS#10 format.



EXAMPLES
       Example 1: Signing an ELF object using a key/certificate in a file

       example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1

       Example 2: Verifying an elf object's signature

       example$ elfsign verify -c mycert -e lib/libmylib.so.1
       elfsign: verification of lib/libmylib.so.1 passed

       Example 3: Generating a certificate request

       example$ elfsign request -k mykey -r req.pkcs10
       Enter Company Name / Stock Symbol or some other globally unique identifier.
       This will be the prefix of the Certificate DN: SUNW

       The government of the United States of America restricts the export of
       "open cryptographic interfaces", also known as "crypto-with-a-hole".
       Due to this restriction, all providers for the Solaris cryptographic
       framework must be signed, regardless of the country of origin.

       The terms "retail" and "non-retail" refer to export classifications for
       products manufactured in the USA. These terms define the portion of the
       world where the product may be shipped.) Roughly speaking, "retail" is
       worldwide (minus certain excluded nations) and "non-retail" is domestic
       only (plus some highly favored nations). If your provider is subject to USA
       export control, then you must obtain an export approval (classification)
       from the government of the USA before exporting your provider. It is
       critical that you specify the obtained (or expected, when used during
       development) classification to the following questions so that your provider
       will be appropriately signed.

       Do you have retail export approval for use without restrictions based
       on the caller (for example, IPsec)? [Yes/No] No

       If you have non-retail export approval for unrestricted use of your
       provider by callers, are you also planning to receive retail approval by
       restricting which export sensitive callers (for example, IPsec) may
       use your provider? [Yes/No] No

       [...]

EXIT STATUS
       The following exit values are returned:


       VALUE   MEANING                                   SUB-COMMAND
       0       Operation successful                      sign/verify/request
       1       Invalid arguments
       2       Failed to verify ELF object               verify
       3       Unable to open ELF object                 sign/verify
       4       Unable to load or invalid certificate     sign/verify
       5       Unable to load or invalid private key     sign
       6       Failed to add signature                   sign
       7       Attempt to verify unsigned object or      verify
               object not an ELF file
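
Added example, not part of the original manual page: a shell wrapper that runs `elfsign verify` over several objects and uses the exit values listed above to separate a failed signature (2) from an unsigned object (7) and from operational errors. The function names and the `ELFSIGN` and `CERT` variables are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: batch signature audit driven by elfsign's exit status.
# ELFSIGN (path override) and the function names are hypothetical.
ELFSIGN="${ELFSIGN:-/usr/bin/elfsign}"

# Map an exit value of `elfsign verify` to an audit verdict.
verdict_for_status() {
    case "$1" in
        0) echo "PASS" ;;       # Operation successful
        2) echo "FAIL" ;;       # Failed to verify ELF object
        7) echo "UNSIGNED" ;;   # Unsigned object, or object not an ELF file
        1|3|4) echo "ERROR" ;;  # Bad arguments, unreadable object, bad certificate
        *) echo "UNKNOWN" ;;    # Not a documented status for verify
    esac
}

# audit_objects CERT OBJECT...
# CERT may be empty, in which case elfsign searches /etc/crypto/certs.
# Prints "VERDICT status path" per object; returns 0 only if all passed.
audit_objects() {
    cert="$1"
    shift
    overall=0
    for obj in "$@"; do
        st=0
        if [ -n "$cert" ]; then
            "$ELFSIGN" verify -c "$cert" -e "$obj" >/dev/null 2>&1 || st=$?
        else
            "$ELFSIGN" verify -e "$obj" >/dev/null 2>&1 || st=$?
        fi
        verdict=$(verdict_for_status "$st")
        printf '%s %s %s\n' "$verdict" "$st" "$obj"
        [ "$verdict" = "PASS" ] || overall=1
    done
    return "$overall"
}

# When run as a script: CERT=mycert ./audit.sh lib/libmylib.so.1 ...
if [ "$#" -gt 0 ]; then
    audit_objects "${CERT:-}" "$@"
fi
```

Treating status 7 separately from status 2 matters when auditing a provider directory: an unsigned file and a file whose signature does not verify call for different follow-up.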


FILES
       /etc/crypto/certs       The /etc/crypto/certs directory is searched for
                               the  verify  subcommand  if  the -c flag is not
                               used.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE           ATTRIBUTE VALUE
       Availability             SUNWtoo
       Interface Stability      Evolving


SEE ALSO
       libpkcs11(3LIB), attributes(5)



SunOS 5.10                        19 Mar 2004                       elfsign(1)