summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Ammerlaan <andrewammerlaan@gentoo.org>2024-07-20 20:10:37 +0200
committerAndrew Ammerlaan <andrewammerlaan@gentoo.org>2024-07-21 15:29:44 +0200
commitf6642547cd274ab4edd7d34b71674d1aa04a2d74 (patch)
treea4fd21597f8f2d2aa97bc41d3e135137586c3202
parentmedia-sound/qtractor: Stabilize 1.0.0 x86, #936434 (diff)
downloadgentoo-f6642547cd274ab4edd7d34b71674d1aa04a2d74.tar.gz
gentoo-f6642547cd274ab4edd7d34b71674d1aa04a2d74.tar.bz2
gentoo-f6642547cd274ab4edd7d34b71674d1aa04a2d74.zip
secureboot.eclass: check and fail early if key or cert in DER format
Bug: https://bugs.gentoo.org/936402 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
-rw-r--r--eclass/secureboot.eclass26
1 files changed, 19 insertions, 7 deletions
diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass
index a9ba514cb7a0..4459b0341845 100644
--- a/eclass/secureboot.eclass
+++ b/eclass/secureboot.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: secureboot.eclass
@@ -44,7 +44,12 @@ case ${EAPI} in
esac
IUSE="secureboot"
-BDEPEND="secureboot? ( app-crypt/sbsigntools )"
+BDEPEND="
+ secureboot? (
+ app-crypt/sbsigntools
+ dev-libs/openssl
+ )
+"
# @ECLASS_VARIABLE: SECUREBOOT_SIGN_KEY
# @USER_VARIABLE
@@ -75,12 +80,19 @@ _secureboot_die_if_unset() {
if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then
die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set."
fi
- if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -r ${SECUREBOOT_SIGN_KEY} ]]; then
- die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found or not readable!"
- fi
- if [[ ! -r ${SECUREBOOT_SIGN_CERT} ]]; then
- die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found or not readable!"
+
+ # Sanity check: fail early if key/cert in DER format or does not exist
+ local openssl_args=(
+ -inform PEM -in "${SECUREBOOT_SIGN_CERT}"
+ -noout -nocert
+ )
+ if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then
+ openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" )
+ else
+ openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" )
fi
+ openssl x509 "${openssl_args[@]}" ||
+ die "Secure Boot signing certificate or key not found or not PEM format."
}
# @FUNCTION: secureboot_pkg_setup