fix: fix .der output in talosctl gen secureboot

PEM was converted to DER incorrectly when the output was a X509 certificate and not a public key. Skip unnecessary parsing of it to an RSA public key before writing it in DER format as output. Simplify the code as we do not generate `*-signing-public-key.pem` anymore. Signed-off-by: Utku Ozdemir <[email protected]> (cherry picked from commit cc06b5d)
siderolabs · Jan 18, 2024 · 3576d11 · 3576d11
1 parent 0191c3b
commit 3576d11
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 13 deletions.
diff --git a/cmd/talosctl/cmd/mgmt/gen/secureboot.go b/cmd/talosctl/cmd/mgmt/gen/secureboot.go
@@ -6,7 +6,6 @@ package gen
 
 import (
 	"context"
-	stdlibx509 "crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"io/fs"
@@ -46,7 +45,7 @@ var genSecurebootUKICmd = &cobra.Command{
 	Long:  ``,
 	Args:  cobra.NoArgs,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096, true, false)
+		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096, true)
 	},
 }
 
@@ -57,7 +56,7 @@ var genSecurebootPCRCmd = &cobra.Command{
 	Long:  ``,
 	Args:  cobra.NoArgs,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", "dummy", 2048, false, true)
+		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", "dummy", 2048, false)
 	},
 }
 
@@ -98,7 +97,7 @@ func checkedWrite(path string, data []byte, perm fs.FileMode) error { //nolint:u
 	return os.WriteFile(path, data, perm)
 }
 
-func generateSigningCerts(path, prefix, commonName string, rsaBits int, outputCert, outputDER bool) error {
+func generateSigningCerts(path, prefix, commonName string, rsaBits int, outputCert bool) error {
 	currentTime := time.Now()
 
 	opts := []x509.Option{
@@ -120,10 +119,8 @@ func generateSigningCerts(path, prefix, commonName string, rsaBits int, outputCe
 			return err
 		}
 
-		if outputDER {
-			if err = saveAsDER(filepath.Join(path, prefix+"-signing-cert.der"), signingKey.CrtPEM); err != nil {
-				return err
-			}
+		if err = saveAsDER(filepath.Join(path, prefix+"-signing-cert.der"), signingKey.CrtPEM); err != nil {
+			return err
 		}
 	}
 
@@ -192,15 +189,14 @@ func init() {
 }
 
 func convertPEMToDER(data []byte) ([]byte, error) {
-	block, _ := pem.Decode(data)
+	block, rest := pem.Decode(data)
 	if block == nil {
 		return nil, fmt.Errorf("failed to decode PEM data")
 	}
 
-	key, err := stdlibx509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		return nil, err
+	if len(rest) > 0 {
+		return nil, fmt.Errorf("more than one PEM block found in PEM data")
 	}
 
-	return stdlibx509.MarshalPKIXPublicKey(key)
+	return block.Bytes, nil
 }
diff --git a/website/content/v1.6/talos-guides/install/bare-metal-platforms/secureboot.md b/website/content/v1.6/talos-guides/install/bare-metal-platforms/secureboot.md
@@ -37,10 +37,12 @@ Talos provides a utility to generate the keys, but existing PKI infrastructure c
 ```shell
 $ talosctl gen secureboot uki --common-name "SecureBoot Key"
 writing _out/uki-signing-cert.pem
+writing _out/uki-signing-cert.der
 writing _out/uki-signing-key.pem
 ```
 
 The generated certificate and private key are written to disk in PEM-encoded format (RSA 4096-bit key).
+The certificate is also written in DER format for the systems which expect the certificate in DER format.
 
 PCR signing key can be generated with: