wlitool.1 (2011 03)
wlitool(1)                    Optional WLI Product Required                    wlitool(1)
NAME
wlitool - sign ELF executable files
SYNOPSIS
wlitool -h
wlitool -k privkey [-p src:val] [-g prodid] [-o capability,...] execfile
DESCRIPTION
wlitool adds a WLI signature to execfile, an ELF executable file. A WLI signature marks execfile as an
authorized executable and permits execfile to be granted access to a file identified by an IBAC policy.
wlitool differs from wlisign in two respects: it does not require WLI to be installed on the platform
where it is executed, and it can sign only ELF binaries. As with wlisign, the signature also permits WLI
capabilities to be granted to execfile.
wlitool generates a WLI signature and metadata equivalent to that generated by wlisign(1) with the
-a option. wlitool will execute on HP Integrity platforms installed with HP-UX 11i v1 or later operating
environments.
wlitool may be copied to a platform and used to sign executables before the executables are transferred
to a platform with WLI installed. As with binaries signed with wlisign, the public key extracted from
privkey must be authorized with wlicert for execfile to be an authorized executable on the platform with
WLI installed. Consult wlicert(1M) for details on authorizing public keys.
A cryptographic hash, generated as part of the signing operation, uniquely identifies the signed contents
of execfile as a WLI authorized application. Consult wli(5) for details on generating RSA keys for signing
and verification and on WLI file access policies. Consult wlipolicy(1) for details on generating and
managing file access policies.
A WLI signature enables WLI capabilities to be granted to execfile. One or more capabilities can be
added to the signature metadata for execfile during or after the initial metadata creation. For more
information on capabilities, see wli(5). The WLI metadata section added to execfile contains the
signature, the ID of the signer, the fingerprint of the verifying public key, and optional information
such as capabilities and product ID.
Because the addition of signature metadata increases the size of execfile, swverify will report an
error when it validates execfile against the size recorded in the SD-UX database. swmodify can be used
to update the SD-UX database with the size of the modified execfile so that swverify succeeds. It is the
responsibility of the user to adjust SD-UX or other HP-UX products to size changes of executable files.
A product ID (-g prodid) is a string chosen by the user to represent a group of authorized executables. If
a product ID is specified when adding or updating with wlitool, it is stored in the signature metadata
section. The same product ID can be assigned to many executable signatures, allowing an IBAC policy to
establish a one-to-many relationship between a file and the authorized executables allowed to access it.
Verification of signatures generated with wlitool is handled by wlisign using the -v option and the
public key extracted from the signing key. The metadata can also be printed in readable form using
wlisign with the -l option. Consult wlisign(1) for details on signature verification and listing metadata.
WLI signatures are computed by taking a cryptographic hash of the critical ELF sections of execfile and
signing the resulting digest with the specified private key (the RSA private-key operation), in
accordance with the RSA standard. Only the hashed sections are bound by the signature: a change to any
of them invalidates it.
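The flow described above (hash the critical sections, sign the digest with the RSA private key, store signature, signer ID, key fingerprint, product ID and capabilities as metadata, verify against an authorized public key) as an added Go example. This is not wlitool or wlisign code, and the page does not say which hash HP uses, which sections count as critical, how the metadata section is laid out, or what the capabilities are called; the choices below (SHA-256 over the SHF_ALLOC sections, PKCS#1 v1.5, a Metadata struct, the signer "appadmin", the product ID "payroll", the capability names "cap_example" and "cap_extra") are assumptions made for the example. The ELF image is constructed in memory so the program runs offline. One design point the page leaves open is made explicit here: the product ID and capability list are folded into the signed digest, so a grant cannot be appended to an already-signed file by anyone who lacks the private key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

// Metadata stands in for the WLI metadata section; the real on-disk layout is not on this page.
type Metadata struct {
	Signer       string   // ID of the signer
	KeyFP        string   // hex SHA-256 of the DER-encoded verifying public key
	ProdID       string   // -g prodid
	Capabilities []string // -o list; the capability names used below are hypothetical
	Signature    []byte   // RSA PKCS#1 v1.5 signature over signedDigest
}

// buildELF assembles a minimal ELF64 image (constructed input): .text is mapped at run time (SHF_ALLOC), .comment is not.
func buildELF(text, comment []byte) []byte {
	shstrtab := []byte("\x00.text\x00.comment\x00.shstrtab\x00")
	commentOff, strOff := uint64(64+len(text)), uint64(64+len(text)+len(comment)) // .text sits right after the 64-byte header
	hdr := elf.Header64{
		Ident: [elf.EI_NIDENT]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:  uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Shoff: strOff + uint64(len(shstrtab)), Ehsize: 64, Phentsize: 56, Shentsize: 64, Shnum: 4, Shstrndx: 3,
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	buf.Write(bytes.Join([][]byte{text, comment, shstrtab}, nil))
	binary.Write(&buf, binary.LittleEndian, []elf.Section64{
		{}, // index 0 is the mandatory null section
		{Name: 1, Type: uint32(elf.SHT_PROGBITS), Flags: uint64(elf.SHF_ALLOC | elf.SHF_EXECINSTR),
			Addr: 0x400040, Off: 64, Size: uint64(len(text)), Addralign: 16},
		{Name: 7, Type: uint32(elf.SHT_PROGBITS), Off: commentOff, Size: uint64(len(comment)), Addralign: 1},
		{Name: 16, Type: uint32(elf.SHT_STRTAB), Off: strOff, Size: uint64(len(shstrtab)), Addralign: 1},
	})
	return buf.Bytes()
}

// signedDigest hashes what the signature covers: each section mapped into the process image (SHF_ALLOC), this
// example's reading of "critical ELF sections", bound to its name and load address, then the grant-bearing metadata.
func signedDigest(image []byte, md Metadata) ([]byte, error) {
	f, err := elf.NewFile(bytes.NewReader(image))
	if err != nil { return nil, err } // malformed ELF: fail closed
	h := sha256.New()
	for _, s := range f.Sections {
		if s.Flags&elf.SHF_ALLOC == 0 { continue } // unmapped bytes are not bound by the signature
		data, err := s.Data()
		if err != nil { return nil, err }
		fmt.Fprintf(h, "%q%016x%d\x00%s", s.Name, s.Addr, len(data), data)
	}
	fmt.Fprintf(h, "%q%q%q%q", md.Signer, md.KeyFP, md.ProdID, md.Capabilities)
	return h.Sum(nil), nil
}

func fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // SHA-256 over the DER SubjectPublicKeyInfo
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// sign plays the role of wlitool -k privkey -g prodid -o caps execfile.
func sign(image []byte, priv *rsa.PrivateKey, signer, prodid string, caps []string) (Metadata, error) {
	md := Metadata{Signer: signer, KeyFP: fingerprint(&priv.PublicKey), ProdID: prodid, Capabilities: caps}
	digest, err := signedDigest(image, md)
	if err != nil { return Metadata{}, err }
	md.Signature, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
	return md, err
}

// verify plays the role of wlisign -v: the fingerprint must name the key authorized with wlicert, and the signature must match the file as it is now.
func verify(image []byte, md Metadata, pub *rsa.PublicKey) bool {
	digest, err := signedDigest(image, md)
	return err == nil && fingerprint(pub) == md.KeyFP &&
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, md.Signature) == nil
}

// scenarios signs a constructed image and reports whether verify accepts: the clean file, a patched .text, a patched .comment, the clean file with an extra capability in its metadata.
func scenarios() (clean, textPatched, commentPatched, capAdded bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	text, comment := []byte("\x48\x31\xc0\xc3"), []byte("built by example\x00") // xor eax,eax; ret
	image := buildELF(text, comment)
	md, err := sign(image, priv, "appadmin", "payroll", []string{"cap_example"})
	if err != nil { panic(err) }
	pub, withCap := &priv.PublicKey, md
	withCap.Capabilities = append([]string{"cap_extra"}, md.Capabilities...) // granted without re-signing
	return verify(image, md, pub),
		verify(bytes.Replace(image, text, []byte("\x48\x31\xc0\xcc"), 1), md, pub),
		verify(bytes.Replace(image, comment, []byte("BUILT BY EXAMPLE\x00"), 1), md, pub),
		verify(image, withCap, pub)
}

func main() { fmt.Println(scenarios()) } // prints: true false true false
```

Running it with go run prints true false true false: the untouched image verifies, one byte changed in .text breaks the signature, the same change in the non-loaded .comment section does not (which is what restricting the hash to critical sections means in practice), and a capability added to the metadata without re-signing is rejected because the grant list is part of the signed digest.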
The wlitool command is installed with the optional HP-UX Whitelisting (WLI) product.
Options
-g prodid        prodid is the product ID, a string of the user's choosing that can be added to one or
                 more signed executables. A group of executables can then be given access to an
                 IBAC-protected file through prodid. prodid can be added to signature metadata
                 during or after its creation.
-h               Displays wlitool command syntax.
-k privkey       File containing a private RSA key. This need not be an administrator key.
-o {capabilities} A comma-separated list of WLI capabilities granted to execfile. A capability can be
                 added to the signature metadata during or after its creation. There are four
HP-UX 11iv3: Sep 2010 Web Release − 1 − Hewlett-Packard Company 1