ukify: ellipsize CN to not exceed maximum length

Currently the generation of the certificate fails if len(fqdn) >= 43. Ellipsize the fqdn to let the tests pass in all cases. Fixes https://github.com/systemd/systemd/issues/34581.
2025-01-03 05:18:09 +03:00 · 2024-12-02 14:42:23 +01:00 · 2024-12-02 14:42:23 +01:00 · 544df97b41
commit 544df97b41
parent 703b1b7f24
1 changed files with 5 additions and 0 deletions
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@ -1387,7 +1387,12 @@ def generate_keys(opts: UkifyConfig) -> None:
    # are specified as input paths.
    if opts.sb_key and opts.sb_cert:
        fqdn = socket.getfqdn()
+
        cn = f'SecureBoot signing key on host {fqdn}'
+        if len(cn) > 64:
+            # The length of CN must not exceed 64 bytes
+            cn = cn[:61] + '...'
+
        key_pem, cert_pem = generate_key_cert_pair(
            common_name=cn,
            valid_days=opts.sb_cert_validity,