secureboot.eclass: check and fail early if key or cert in DER format

Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

1 files changed, 19 insertions, 7 deletions

diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass
index a9ba514cb7a0..4459b0341845 100644
--- a/eclass/secureboot.eclass
+++ b/eclass/secureboot.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: secureboot.eclass
@@ -44,7 +44,12 @@ case ${EAPI} in
 esac
 
 IUSE="secureboot"
-BDEPEND="secureboot? ( app-crypt/sbsigntools )"
+BDEPEND="
+	secureboot? (
+		app-crypt/sbsigntools
+		dev-libs/openssl
+	)
+"
 
 # @ECLASS_VARIABLE: SECUREBOOT_SIGN_KEY
 # @USER_VARIABLE
@@ -75,12 +80,19 @@ _secureboot_die_if_unset() {
 	if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then
 		die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set."
 	fi
-	if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -r ${SECUREBOOT_SIGN_KEY} ]]; then
-		die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found or not readable!"
-	fi
-	if [[ ! -r ${SECUREBOOT_SIGN_CERT} ]]; then
-		die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found or not readable!"
+
+	# Sanity check: fail early if key/cert in DER format or does not exist
+	local openssl_args=(
+		-inform PEM -in "${SECUREBOOT_SIGN_CERT}"
+		-noout -nocert
+	)
+	if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then
+		openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" )
+	else
+		openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" )
 	fi
+	openssl x509 "${openssl_args[@]}" ||
+		die "Secure Boot signing certificate or key not found or not PEM format."
 }
 
 # @FUNCTION: secureboot_pkg_setup