author | 2024-07-20 20:59:04 +0200 | |
---|---|---|
committer | 2024-07-21 15:29:45 +0200 | |
commit | 1b804fa3f3ec62aabeada773b15ca408e73735d6 (patch) | |
tree | e3b95389a46ce7d021a9c43a4a4961e257baaf7a /eclass/kernel-build.eclass | |
parent | secureboot.eclass: check and fail early if key or cert in DER format (diff) | |
kernel-build.eclass: check and fail early if key or cert in DER format
Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Diffstat (limited to 'eclass/kernel-build.eclass')
-rw-r--r-- | eclass/kernel-build.eclass | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index cf060fa83766..fa01be28723f 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -133,8 +133,28 @@ kernel-build_pkg_setup() {
 python-any-r1_pkg_setup
 if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
 secureboot_pkg_setup
-if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
-if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+
+# Sanity check: fail early if key/cert in DER format or does not exist
+local openssl_args=(
+-noout -nocert
+)
+if [[ -n ${MODULES_SIGN_CERT} ]]; then
+openssl_args+=( -inform PEM -in "${MODULES_SIGN_CERT}" )
+else
+# If no cert specified, we assume the pem key also contains the cert
+openssl_args+=( -inform PEM -in "${MODULES_SIGN_KEY}" )
+fi
+if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then
+openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${MODULES_SIGN_KEY}" )
+else
+openssl_args+=( -keyform PEM -key "${MODULES_SIGN_KEY}" )
+fi
+
+openssl x509 "${openssl_args[@]}" ||
+die "Kernel module signing certificate or key not found or not PEM format."
+
+if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+if [[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
 MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
 else
 MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
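Review bot: The rewritten inner condition `if [[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]` drops the `-e ${MODULES_SIGN_CERT}` guard the old code had, so the "no cert specified" case that the new openssl block deliberately accepts (the `else` branch feeding `-in "${MODULES_SIGN_KEY}"`) then reaches `cat "" "${MODULES_SIGN_KEY}"` and dies on the empty path. Unless secureboot_pkg_setup (called just above, outside this hunk) defaults MODULES_SIGN_CERT to the key path, the check and the concatenation disagree; `if [[ -n ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != "${MODULES_SIGN_KEY}" ]]; then` keeps both consistent and also quotes the right-hand side so a key path is compared literally rather than as a glob pattern. Separately, the `die` message attributes any openssl failure to a missing file or DER encoding, while the command can also fail for an unavailable pkcs11 engine or a key that does not match the certificate; a comment such as `# Any failure here is fatal: covers missing file, DER input, unusable engine` next to the `openssl x509` call would make that intent explicit. kernel-build_pkg_setup continues outside the hunk.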