From 4d34622d22331778ed8ac9f30b726f12f38055ff Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Mon, 4 Mar 2024 23:12:26 +0000
Subject: [PATCH] ukify: convert certificate to public key before embedding in .pcrpkey

Follow-up for 419b25ddcac39cf967555c7a2eaa274fbf1ad03c
---
 src/ukify/ukify.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index f7d08590d93..2e89ba17d93 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -824,6 +824,20 @@ def make_uki(opts):
     if pcrpkey is None:
         if opts.pcr_public_keys and len(opts.pcr_public_keys) == 1:
             pcrpkey = opts.pcr_public_keys[0]
+            # If we are getting a certificate when using an engine, we need to convert it to public key format
+            if opts.signing_engine is not None and pathlib.Path(pcrpkey).exists():
+                from cryptography.hazmat.primitives import serialization
+                from cryptography.x509 import load_pem_x509_certificate
+
+                try:
+                    cert = load_pem_x509_certificate(pathlib.Path(pcrpkey).read_bytes())
+                except ValueError:
+                    raise ValueError(f'{pcrpkey} must be an X.509 certificate when signing with an engine')
+                else:
+                    pcrpkey = cert.public_key().public_bytes(
+                        encoding=serialization.Encoding.PEM,
+                        format=serialization.PublicFormat.SubjectPublicKeyInfo,
+                    )
     elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
         from cryptography.hazmat.primitives import serialization
         privkey = serialization.load_pem_private_key(pathlib.Path(opts.pcr_private_keys[0]).read_bytes(), password=None)
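Review bot: The new branch rejects a genuine PEM public key whenever `--signing-engine` is set, because `load_pem_x509_certificate` raises ValueError for any non-certificate PEM and the `except ValueError` re-raises it as "must be an X.509 certificate" — so an option named `pcr_public_keys` can no longer be given an actual SubjectPublicKeyInfo file in engine mode, which looks like a regression for existing callers rather than an intended restriction. I would read the file once, try `serialization.load_pem_public_key` first, fall back to the certificate, and only then fail, chaining the original error with `from e` so the underlying parse failure is not lost (the bare re-raise in the hunk drops it). This keeps the commit's cert-to-SPKI normalisation (which is the right thing to embed in .pcrpkey, matching the private-key branch below) while accepting both inputs. make_uki continues outside the hunk, so I cannot see how a `pcrpkey` that is still a path string (engine unset, or a non-existent path such as a token URI) is consumed later; worth confirming that the bytes-vs-path duality this hunk introduces is handled there.

```python
            if opts.signing_engine is not None and pathlib.Path(pcrpkey).exists():
                from cryptography.hazmat.primitives import serialization
                from cryptography.x509 import load_pem_x509_certificate

                data = pathlib.Path(pcrpkey).read_bytes()
                try:
                    pubkey = serialization.load_pem_public_key(data)
                except ValueError:
                    # Not a bare public key: accept an X.509 certificate and extract its SPKI
                    try:
                        pubkey = load_pem_x509_certificate(data).public_key()
                    except ValueError as e:
                        raise ValueError(
                            f'{pcrpkey} must be a PEM public key or X.509 certificate when signing with an engine'
                        ) from e
                pcrpkey = pubkey.public_bytes(
                    encoding=serialization.Encoding.PEM,
                    format=serialization.PublicFormat.SubjectPublicKeyInfo,
                )
            # … unchanged: elif opts.pcr_private_keys branch …
```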