From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Mon, 2 Dec 2024 13:42:23 +0000 (+0100)
Subject: ukify: ellipsize CN to not exceed maximum length
X-Git-Tag: v257~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=544df97b4102069b59dc8f9014bab645c4fd7690;p=thirdparty%2Fsystemd.git

ukify: ellipsize CN to not exceed maximum length

Currently the generation of the certificate fails if len(fqdn) >= 43.
Ellipsize the fqdn to let the tests pass in all cases.

Fixes https://github.com/systemd/systemd/issues/34581.
---

diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index a5719615cc3..e661dfe5485 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -1387,7 +1387,12 @@ def generate_keys(opts: UkifyConfig) -> None:
     # are specified as input paths.
     if opts.sb_key and opts.sb_cert:
         fqdn = socket.getfqdn()
+
         cn = f'SecureBoot signing key on host {fqdn}'
+        if len(cn) > 64:
+            # The length of CN must not exceed 64 bytes
+            cn = cn[:61] + '...'
+
         key_pem, cert_pem = generate_key_cert_pair(
             common_name=cn,
             valid_days=opts.sb_cert_validity,