From: Luca Boccassi
Date: Mon, 4 Mar 2024 23:12:26 +0000 (+0000)
Subject: ukify: convert certificate to public key before embedding in .pcrpkey
X-Git-Tag: v256-rc1~630
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d34622d22331778ed8ac9f30b726f12f38055ff;p=thirdparty%2Fsystemd.git

ukify: convert certificate to public key before embedding in .pcrpkey

Follow-up for 419b25ddcac39cf967555c7a2eaa274fbf1ad03c
---
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index f7d08590d93..2e89ba17d93 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -824,6 +824,20 @@ def make_uki(opts):
 if pcrpkey is None:
 if opts.pcr_public_keys and len(opts.pcr_public_keys) == 1:
 pcrpkey = opts.pcr_public_keys[0]
+ # If we are getting a certificate when using an engine, we need to convert it to public key format
+ if opts.signing_engine is not None and pathlib.Path(pcrpkey).exists():
+ from cryptography.hazmat.primitives import serialization
+ from cryptography.x509 import load_pem_x509_certificate
+ try:
+ cert = load_pem_x509_certificate(pathlib.Path(pcrpkey).read_bytes())
+ except ValueError:
+ raise ValueError(f'{pcrpkey} must be an X.509 certificate when signing with an engine')
+ else:
+ pcrpkey = cert.public_key().public_bytes(
+ encoding=serialization.Encoding.PEM,
+ format=serialization.PublicFormat.SubjectPublicKeyInfo,
+ )
 elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
 from cryptography.hazmat.primitives import serialization
 privkey = serialization.load_pem_private_key(pathlib.Path(opts.pcr_private_keys[0]).read_bytes(), password=None)
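Review bot: The `except ValueError` in the new engine branch re-raises without `from`, so the parser's own reason (wrong PEM label, malformed DER, a public key handed in where a certificate is expected) survives only as implicit context while the message unconditionally blames the file for not being a certificate; `except ValueError as e:` followed by `raise ValueError(f'{pcrpkey} must be an X.509 certificate when signing with an engine') from e` keeps the cause explicit. The `pathlib.Path(pcrpkey).exists()` guard also lets a missing file fall through silently with pcrpkey still a path string, so a mistyped --pcr-public-key only fails wherever that path is read later, outside this hunk; failing here when an engine is configured and the path does not exist would surface the error at the point of the decision. After the `else:` branch pcrpkey changes type from a path to PEM-encoded bytes, which deserves a comment such as `# pcrpkey is now PEM SubjectPublicKeyInfo bytes, no longer a path` since the rest of make_uki (its body starts and ends outside the hunk) presumably has to accept both forms.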