|
|
@@ -0,0 +1,53 @@
|
|
|
+From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001
|
|
|
+From: Christian Lamparter <chunkeey@gmail.com>
|
|
|
+Date: Wed, 1 Dec 2021 14:41:31 +0100
|
|
|
+Subject: [PATCH] ca-certificates: fix python3-cryptography woes in
|
|
|
+ certdata2pem.py
|
|
|
+
|
|
|
+reverts the code portion of the Debian's ca-certificate
|
|
|
+commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
|
|
|
+
|
|
|
+It broke builds with the popular Ubuntu 20.04 (focal) releases.
|
|
|
+This was due to them shipping with an older python3-cryptography
|
|
|
+version which is not compatible.
|
|
|
+
|
|
|
+More concerns were raised by jow- as well:
|
|
|
+"We don't want the build to depend on the local system time anyway."
|
|
|
+
|
|
|
+Reported-by: Chen Minqiang <ptpt52@gmail.com>
|
|
|
+Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
|
|
|
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
+---
|
|
|
+--- a/work/mozilla/certdata2pem.py
|
|
|
++++ b/work/mozilla/certdata2pem.py
|
|
|
+@@ -21,16 +21,12 @@
|
|
|
+ # USA.
|
|
|
+
|
|
|
+ import base64
|
|
|
+-import datetime
|
|
|
+ import os.path
|
|
|
+ import re
|
|
|
+ import sys
|
|
|
+ import textwrap
|
|
|
+ import io
|
|
|
+
|
|
|
+-from cryptography import x509
|
|
|
+-
|
|
|
+-
|
|
|
+ objects = []
|
|
|
+
|
|
|
+ # Dirty file parser.
|
|
|
+@@ -121,13 +117,6 @@ for obj in objects:
|
|
|
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
|
|
|
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
|
|
|
+ continue
|
|
|
+-
|
|
|
+- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|
|
|
+- if cert.not_valid_after < datetime.datetime.now():
|
|
|
+- print('!'*74)
|
|
|
+- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
|
|
|
+- print('!'*74)
|
|
|
+-
|
|
|
+ bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
|
|
|
+ .replace(' ', '_')\
|
|
|
+ .replace('(', '=')\
|
