From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 45B4C158004 for ; Sun, 21 Jul 2024 08:59:40 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 018BFE2A8F; Sun, 21 Jul 2024 08:59:36 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id B1CB8E2A89 for ; Sun, 21 Jul 2024 08:59:35 +0000 (UTC) From: Andrew Ammerlaan To: gentoo-dev@lists.gentoo.org Cc: Andrew Ammerlaan Subject: [gentoo-dev] [PATCH 1/3] secureboot.eclass: check and fail early if key or cert in DER format Date: Sun, 21 Jul 2024 10:59:22 +0200 Message-ID: <20240721085924.11882-1-andrewammerlaan@gentoo.org> X-Mailer: git-send-email 2.45.2 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: 24aaf510-8e92-424a-8eed-580764b947e3 X-Archives-Hash: 548049e0b339ed14b50253389385a473 Bug: https://bugs.gentoo.org/936402 Signed-off-by: Andrew Ammerlaan --- eclass/secureboot.eclass | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass index a9ba514cb7a0..4459b0341845 100644 --- a/eclass/secureboot.eclass +++ b/eclass/secureboot.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: secureboot.eclass @@ -44,7 +44,12 @@ case ${EAPI} in esac IUSE="secureboot" -BDEPEND="secureboot? ( app-crypt/sbsigntools )" +BDEPEND=" + secureboot? ( + app-crypt/sbsigntools + dev-libs/openssl + ) +" # @ECLASS_VARIABLE: SECUREBOOT_SIGN_KEY # @USER_VARIABLE @@ -75,12 +80,19 @@ _secureboot_die_if_unset() { if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set." fi - if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -r ${SECUREBOOT_SIGN_KEY} ]]; then - die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found or not readable!" - fi - if [[ ! -r ${SECUREBOOT_SIGN_CERT} ]]; then - die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found or not readable!" + + # Sanity check: fail early if key/cert in DER format or does not exist + local openssl_args=( + -inform PEM -in "${SECUREBOOT_SIGN_CERT}" + -noout -nocert + ) + if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then + openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" ) + else + openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" ) fi + openssl x509 "${openssl_args[@]}" || + die "Secure Boot signing certificate or key not found or not PEM format." } # @FUNCTION: secureboot_pkg_setup -- 2.45.2