From a4e9f3d3e8c9400d32ac2554067676feb19c0772 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 8 Nov 2023 22:37:37 +0100
Subject: [PATCH] cryptenroll: slightly reorder things

The tpm2_tpm2b_public_from_pem() invocation only makes sense when we succeed to load the file from disk, hence we might do this together and safe a conditionalization.
---
 src/cryptenroll/cryptenroll-tpm2.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 3b8b8ae2e09..653ad4452a1 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -193,6 +193,7 @@ int enroll_tpm2(struct crypt_device *cd,
 return log_error_errno(base64_encoded_size, "Failed to base64 encode salted pin: %m");
 }
+ TPM2B_PUBLIC public = {};
 r = tpm2_load_pcr_public_key(pubkey_path, &pubkey, &pubkey_size);
 if (r < 0) {
 if (pubkey_path || signature_path || r != -ENOENT)
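Review bot: The new `TPM2B_PUBLIC public = {};` declaration carries no hint that it stays all-zero on the fallback path, where the key file is absent and `pubkey_pcr_mask` is reset. Its consumer is not visible in this hunk, so a reader cannot tell from the declaration when the value is meaningful. A one-line comment would help, for example `/* Stays zeroed unless a PCR public key is loaded below */`. `enroll_tpm2()` starts and ends outside the hunk.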
@@ -200,13 +201,19 @@ int enroll_tpm2(struct crypt_device *cd,
 log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
 pubkey_pcr_mask = 0;
- } else if (signature_path) {
- /* Also try to load the signature JSON object, to verify that our enrollment will work.
- * This is optional however, skip it if it's not explicitly provided. */
-
- r = tpm2_load_pcr_signature(signature_path, &signature_json);
+ } else {
+ r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &public);
 if (r < 0)
- return log_debug_errno(r, "Failed to read TPM PCR signature: %m");
+ return log_error_errno(r, "Could not convert public key to TPM2B_PUBLIC: %m");
+
+ if (signature_path) {
+ /* Also try to load the signature JSON object, to verify that our enrollment will work.
+ * This is optional however, skip it if it's not explicitly provided. */
+
+ r = tpm2_load_pcr_signature(signature_path, &signature_json);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to read TPM PCR signature: %m");
+ }
 }
 bool any_pcr_value_specified = tpm2_pcr_values_has_any_values(hash_pcr_values, n_hash_pcr_values);
@@ -260,13 +267,6 @@ int enroll_tpm2(struct crypt_device *cd,
 return log_error_errno(r, "Could not get hash mask: %m");
 }
- TPM2B_PUBLIC public;
- if (pubkey) {
- r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &public);
- if (r < 0)
- return log_error_errno(r, "Could not convert public key to TPM2B_PUBLIC: %m");
- }
-
 TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
 r = tpm2_calculate_sealing_policy(
 hash_pcr_values,
-- 
2.39.2
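Review bot: The signature-load failure inside the new nested `if (signature_path)` block is still reported with `log_debug_errno()`, so an explicitly supplied signature file that cannot be read aborts the enrollment with no message unless debug logging is enabled. The conversion failure a few lines above uses `log_error_errno()`; since these lines are being re-indented anyway, I would change the return to `return log_error_errno(r, "Failed to read TPM PCR signature: %m");`. Separately, the PEM conversion now runs whenever `tpm2_load_pcr_public_key()` succeeds rather than behind `if (pubkey)`. That is equivalent only if a successful load always yields a non-NULL key, which presumably holds but is not visible here. `enroll_tpm2()` starts and ends outside the hunk.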