eclass/secureboot: Sync with Gentoo

It's from Gentoo commit f6642547cd274ab4edd7d34b71674d1aa04a2d74.

sdk_container/src/third_party/portage-stable/eclass/secureboot.eclass

@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: secureboot.eclass
@@ -44,7 +44,12 @@ case ${EAPI} in
 esac
 
 IUSE="secureboot"
-BDEPEND="secureboot? ( app-crypt/sbsigntools )"
+BDEPEND="
+	secureboot? (
+		app-crypt/sbsigntools
+		dev-libs/openssl
+	)
+"
 
 # @ECLASS_VARIABLE: SECUREBOOT_SIGN_KEY
 # @USER_VARIABLE
@@ -75,12 +80,19 @@ _secureboot_die_if_unset() {
 	if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then
 		die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set."
 	fi
-	if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -r ${SECUREBOOT_SIGN_KEY} ]]; then
-		die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found or not readable!"
-	fi
-	if [[ ! -r ${SECUREBOOT_SIGN_CERT} ]]; then
-		die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found or not readable!"
+
+	# Sanity check: fail early if key/cert in DER format or does not exist
+	local openssl_args=(
+		-inform PEM -in "${SECUREBOOT_SIGN_CERT}"
+		-noout -nocert
+	)
+	if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then
+		openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" )
+	else
+		openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" )
 	fi
+	openssl x509 "${openssl_args[@]}" ||
+		die "Secure Boot signing certificate or key not found or not PEM format."
 }
 
 # @FUNCTION: secureboot_pkg_setup