ukify: convert certificate to public key before embedding in .pcrpkey

Follow-up for 419b25ddcac39cf967555c7a2eaa274fbf1ad03c
2025-03-09 12:58:26 +03:00 · 2024-03-04 23:12:26 +00:00 · 2024-03-04 23:12:26 +00:00 · 4d34622d22
commit 4d34622d22
parent 9990fe8257
1 changed files with 14 additions and 0 deletions
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@ -824,6 +824,20 @@ def make_uki(opts):
    if pcrpkey is None:
        if opts.pcr_public_keys and len(opts.pcr_public_keys) == 1:
            pcrpkey = opts.pcr_public_keys[0]
+            # If we are getting a certificate when using an engine, we need to convert it to public key format
+            if opts.signing_engine is not None and pathlib.Path(pcrpkey).exists():
+                from cryptography.hazmat.primitives import serialization
+                from cryptography.x509 import load_pem_x509_certificate
+
+                try:
+                    cert = load_pem_x509_certificate(pathlib.Path(pcrpkey).read_bytes())
+                except ValueError:
+                    raise ValueError(f'{pcrpkey} must be an X.509 certificate when signing with an engine')
+                else:
+                    pcrpkey = cert.public_key().public_bytes(
+                        encoding=serialization.Encoding.PEM,
+                        format=serialization.PublicFormat.SubjectPublicKeyInfo,
+                    )
        elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
            from cryptography.hazmat.primitives import serialization
            privkey = serialization.load_pem_private_key(pathlib.Path(opts.pcr_private_keys[0]).read_bytes(), password=None)