From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id B1AFE158004 for ; Sun, 21 Jul 2024 08:59:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 175A1E2AA1; Sun, 21 Jul 2024 08:59:37 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8589AE2A9C for ; Sun, 21 Jul 2024 08:59:36 +0000 (UTC) From: Andrew Ammerlaan To: gentoo-dev@lists.gentoo.org Cc: Andrew Ammerlaan Subject: [gentoo-dev] [PATCH 2/3] kernel-build.eclass: check and fail early if key or cert in DER format Date: Sun, 21 Jul 2024 10:59:23 +0200 Message-ID: <20240721085924.11882-2-andrewammerlaan@gentoo.org> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240721085924.11882-1-andrewammerlaan@gentoo.org> References: <20240721085924.11882-1-andrewammerlaan@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: 2782bff2-b4e3-4d62-9c52-a0c8b7a143f0 X-Archives-Hash: b4603d8881af70da57dbe9cd424cc570 Bug: https://bugs.gentoo.org/936402 Signed-off-by: Andrew Ammerlaan --- eclass/kernel-build.eclass | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index cf060fa83766..fa01be28723f 100644 
--- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -133,8 +133,28 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup - if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then - if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + + # Sanity check: fail early if key/cert in DER format or does not exist + local openssl_args=( + -noout -nocert + ) + if [[ -n ${MODULES_SIGN_CERT} ]]; then + openssl_args+=( -inform PEM -in "${MODULES_SIGN_CERT}" ) + else + # If no cert specified, we assume the pem key also contains the cert + openssl_args+=( -inform PEM -in "${MODULES_SIGN_KEY}" ) + fi + if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then + openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${MODULES_SIGN_KEY}" ) + else + openssl_args+=( -keyform PEM -key "${MODULES_SIGN_KEY}" ) + fi + + openssl x509 "${openssl_args[@]}" || + die "Kernel module signing certificate or key not found or not PEM format." + + if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)" else MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" -- 2.45.2
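Review bot: the existence guard `-e ${MODULES_SIGN_KEY}` is dropped, so the new `openssl x509` sanity check now runs even when no key is configured and `MODULES_SIGN_KEY` is empty; it is then invoked with `-in ""` and `-key ""` and the `die` fires where the old code simply skipped the block. Gate the whole new block on `[[ -n ${MODULES_SIGN_KEY} ]]` so the "no key configured" case keeps its previous behaviour. The same regression exists for the inner branch: the `-e ${MODULES_SIGN_CERT}` test is gone, so an unset cert (the case the comment `# If no cert specified, we assume the pem key also contains the cert` says is supported) now satisfies `${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY}` and takes the `cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}"` path with an empty first argument, dying instead of falling through to `MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"`; restore a `-n ${MODULES_SIGN_CERT} &&` there. Lastly, `-engine pkcs11 -keyform ENGINE` makes pkg_setup depend on the OpenSSL pkcs11 engine being present on the build host, which nothing in this hunk declares or checks, and the single `die` message cannot tell the user which of the two files (or the engine) failed; splitting the message by the branch taken would make the early failure actionable.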