openwrt/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch

54 lines
1.7 KiB
Diff
Raw Normal View History

From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001
From: Christian Lamparter <chunkeey@gmail.com>
Date: Wed, 1 Dec 2021 14:41:31 +0100
Subject: [PATCH] ca-certificates: fix python3-cryptography woes in
certdata2pem.py
reverts the code portion of the Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
It broke builds with the popular Ubuntu 20.04 (focal) releases.
This was due to them shipping with an older python3-cryptography
version which is not compatible.
More concerns were raised by jow- as well:
"We don't want the build to depend on the local system time anyway."
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
---
ca-certificates: Update to version 20230311 Update the ca-certificates and ca-bundle package from version 20211016 to version 20230311. Use TAR_OPTIONS instead of hacking Build/Prepare, refresh patches. Debian change-log entry [1]: |[...] |[ Đoàn Trần Công Danh ] |* ca-certificates: compat with non-GNU mktemp (closes: #1000847) | |[ Ilya Lipnitskiy ] |* certdata2pem.py: use UTC time when checking cert validity | |[ Julien Cristau ] |* Update Mozilla certificate authority bundle to version 2.60 | The following certificate authorities were added (+): | + "Autoridad de Certificacion Firmaprofesional CIF A62634068" | + "Certainly Root E1" | + "Certainly Root R1" | + "D-TRUST BR Root CA 1 2020" | + "D-TRUST EV Root CA 1 2020" | + "DigiCert TLS ECC P384 Root G5" | + "DigiCert TLS RSA4096 Root G5" | + "E-Tugra Global Root CA ECC v3" | + "E-Tugra Global Root CA RSA v3" | + "HARICA TLS ECC Root CA 2021" | + "HARICA TLS RSA Root CA 2021" | + "HiPKI Root CA - G1" | + "ISRG Root X2" | + "Security Communication ECC RootCA1" | + "Security Communication RootCA3" | + "Telia Root CA v2" | + "TunTrust Root CA" | + "vTrus ECC Root CA" | + "vTrus Root CA" | The following certificate authorities were removed (-): | - "Cybertrust Global Root" (expired) | - "EC-ACC" | - "GlobalSign Root CA - R2" (expired) | - "Hellenic Academic and Research Institutions RootCA 2011" | - "Network Solutions Certificate Authority" | - "Staat der Nederlanden EV Root CA" (expired) |* Drop trailing space from debconf template causing misformatting | (closes: #980821) | |[ Wataru Ashihara ] |* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244) |[...] [1]: https://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/ca-certificates_20230311_changelog Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org> (cherry picked from commit 7c83b6ac8656f9a3b005554d25857e8ed5faf3f6)
2023-05-26 04:09:47 +00:00
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -21,16 +21,12 @@
# USA.
import base64
-import datetime
import os.path
import re
import sys
import textwrap
import io
-from cryptography import x509
-
-
objects = []
# Dirty file parser.
@@ -121,13 +117,6 @@ for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
-
ca-certificates: Update to version 20230311 Update the ca-certificates and ca-bundle package from version 20211016 to version 20230311. Use TAR_OPTIONS instead of hacking Build/Prepare, refresh patches. Debian change-log entry [1]: |[...] |[ Đoàn Trần Công Danh ] |* ca-certificates: compat with non-GNU mktemp (closes: #1000847) | |[ Ilya Lipnitskiy ] |* certdata2pem.py: use UTC time when checking cert validity | |[ Julien Cristau ] |* Update Mozilla certificate authority bundle to version 2.60 | The following certificate authorities were added (+): | + "Autoridad de Certificacion Firmaprofesional CIF A62634068" | + "Certainly Root E1" | + "Certainly Root R1" | + "D-TRUST BR Root CA 1 2020" | + "D-TRUST EV Root CA 1 2020" | + "DigiCert TLS ECC P384 Root G5" | + "DigiCert TLS RSA4096 Root G5" | + "E-Tugra Global Root CA ECC v3" | + "E-Tugra Global Root CA RSA v3" | + "HARICA TLS ECC Root CA 2021" | + "HARICA TLS RSA Root CA 2021" | + "HiPKI Root CA - G1" | + "ISRG Root X2" | + "Security Communication ECC RootCA1" | + "Security Communication RootCA3" | + "Telia Root CA v2" | + "TunTrust Root CA" | + "vTrus ECC Root CA" | + "vTrus Root CA" | The following certificate authorities were removed (-): | - "Cybertrust Global Root" (expired) | - "EC-ACC" | - "GlobalSign Root CA - R2" (expired) | - "Hellenic Academic and Research Institutions RootCA 2011" | - "Network Solutions Certificate Authority" | - "Staat der Nederlanden EV Root CA" (expired) |* Drop trailing space from debconf template causing misformatting | (closes: #980821) | |[ Wataru Ashihara ] |* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244) |[...] [1]: https://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/ca-certificates_20230311_changelog Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org> (cherry picked from commit 7c83b6ac8656f9a3b005554d25857e8ed5faf3f6)
2023-05-26 04:09:47 +00:00
- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
- if cert.not_valid_after < datetime.datetime.utcnow():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
- print('!'*74)
-
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
.replace('(', '=')\