ukify: ellipsize CN to not exceed maximum length
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 2 Dec 2024 13:42:23 +0000 (14:42 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Mon, 2 Dec 2024 16:55:57 +0000 (16:55 +0000)
Currently the generation of the certificate fails if len(fqdn) >= 43.
Ellipsize the fqdn to let the tests pass in all cases.

Fixes https://github.com/systemd/systemd/issues/34581.

src/ukify/ukify.py

index a5719615cc3fe307943cef45c710964ba0891316..e661dfe5485d5fc9b961143eee3ba684f8b0cab9 100755 (executable)
@@ -1387,7 +1387,12 @@ def generate_keys(opts: UkifyConfig) -> None:
     # are specified as input paths.
     if opts.sb_key and opts.sb_cert:
         fqdn = socket.getfqdn()
+
         cn = f'SecureBoot signing key on host {fqdn}'
+        if len(cn) > 64:
+            # The length of CN must not exceed 64 bytes
+            cn = cn[:61] + '...'
+
         key_pem, cert_pem = generate_key_cert_pair(
             common_name=cn,
             valid_days=opts.sb_cert_validity,
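Review bot: The added comment says the CN limit is 64 bytes, but the guard `len(cn) > 64` counts Python str characters, which equals the encoded size only when the name returned by `socket.getfqdn()` is pure ASCII. RFC 5280 states the bound (ub-common-name, 64) in characters, so the check looks right and the comment is what should change, e.g. `# X.509 limits CN to 64 characters (RFC 5280 ub-common-name)`. The literals 64 and 61 would read better as a named constant, since 61 is only meaningful as 64 minus the length of `'...'`. Because the tail of the FQDN is cut, hosts whose names share a long prefix can end up with identical CNs, so a comment noting that the CN is only a label and the certificate should be told apart by its fingerprint would help whoever enrolls it. generate_keys starts before and continues after this hunk.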