Empty --certificate_chain crashes with MalformedFraming for certificate and pkcs11-certificate signing options #613

@sampras343

Description

When --certificate_chain is not provided (optional for PKCS#11), the join produces b"", and x509.load_pem_x509_certificates(b"") raises ValueError: MalformedFraming. The non-PKCS#11 sign_certificate.py has the same code pattern but is not affected because its CLI requires --certificate_chain.

Version

1.1.1

Steps

Generated certificate using:

OUTDIR="${1:-.}"
KEY="${OUTDIR}/signing-key.pem"
CERT="${OUTDIR}/signing-cert.pem"

openssl ecparam -genkey -name secp384r1 -noout -out "${KEY}"

openssl req -new -x509 \
    -key "${KEY}" \
    -out "${CERT}" \
    -days 365 \
    -subj "/CN=Model Signing Test" \
    -addext "keyUsage=digitalSignature"

Signing:

model_signing sign certificate \
    --signature sig.json \
    --private_key signing-key.pem \
    --signing_certificate signing-cert.pem \
    ./model

Error:

Signing failed with error: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming

--certificate-chain is not mandated in certificate or pkcs11-certificate.
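
The failure mode reported above next to one way to guard it, as an added example that is not part of the original report or the model_signing code base. The function names, the injectable `pem_loader` parameter and the decision to reject a chain file that was supplied but is empty are assumptions.

```python
from pathlib import Path
from typing import Callable, Iterable, Optional


def default_pem_loader(data: bytes) -> list:
    # The parser named in the issue; imported lazily so the
    # omitted-chain path below never reaches it.
    from cryptography import x509
    return x509.load_pem_x509_certificates(data)


def load_chain_unguarded(paths: Iterable[str],
                         pem_loader: Callable[[bytes], list] = default_pem_loader) -> list:
    """Pattern described in the issue: join every chain file, then parse."""
    data = b"".join(Path(p).read_bytes() for p in paths)
    # No paths -> data == b"" -> the PEM parser raises ValueError.
    return pem_loader(data)


def load_chain(paths: Optional[Iterable[str]],
               pem_loader: Callable[[bytes], list] = default_pem_loader) -> list:
    """Hypothetical guarded variant (an assumption, not the project's fix)."""
    paths = list(paths or [])
    if not paths:
        return []  # flag omitted: the chain is simply empty
    data = b"".join(Path(p).read_bytes() for p in paths)
    if not data.strip():
        # A file was named but holds nothing: say so instead of
        # surfacing the parser's MalformedFraming message.
        raise ValueError(f"certificate chain file(s) contain no data: {paths}")
    return pem_loader(data)
```

Separating "flag omitted" from "file supplied but empty" keeps a truncated or misconfigured chain file from silently signing with no chain at all.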

Labels: bug (Something isn't working)
