mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-23 07:22:33 +00:00
14cbf041ea
Update the ca-certificates and ca-bundle package from version 20211016 to
version 20230311.
Use TAR_OPTIONS instead of hacking Build/Prepare, refresh patches.
Debian change-log entry [1]:
|[...]
|[ Đoàn Trần Công Danh ]
|* ca-certificates: compat with non-GNU mktemp (closes: #1000847)
|
|[ Ilya Lipnitskiy ]
|* certdata2pem.py: use UTC time when checking cert validity
|
|[ Julien Cristau ]
|* Update Mozilla certificate authority bundle to version 2.60
| The following certificate authorities were added (+):
| + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
| + "Certainly Root E1"
| + "Certainly Root R1"
| + "D-TRUST BR Root CA 1 2020"
| + "D-TRUST EV Root CA 1 2020"
| + "DigiCert TLS ECC P384 Root G5"
| + "DigiCert TLS RSA4096 Root G5"
| + "E-Tugra Global Root CA ECC v3"
| + "E-Tugra Global Root CA RSA v3"
| + "HARICA TLS ECC Root CA 2021"
| + "HARICA TLS RSA Root CA 2021"
| + "HiPKI Root CA - G1"
| + "ISRG Root X2"
| + "Security Communication ECC RootCA1"
| + "Security Communication RootCA3"
| + "Telia Root CA v2"
| + "TunTrust Root CA"
| + "vTrus ECC Root CA"
| + "vTrus Root CA"
| The following certificate authorities were removed (-):
| - "Cybertrust Global Root" (expired)
| - "EC-ACC"
| - "GlobalSign Root CA - R2" (expired)
| - "Hellenic Academic and Research Institutions RootCA 2011"
| - "Network Solutions Certificate Authority"
| - "Staat der Nederlanden EV Root CA" (expired)
|* Drop trailing space from debconf template causing misformatting
| (closes: #980821)
|
|[ Wataru Ashihara ]
|* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)
|[...]
[1]: https://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/ca-certificates_20230311_changelog
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 7c83b6ac86
)
54 lines
1.7 KiB
Diff
54 lines
1.7 KiB
Diff
From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001
|
|
From: Christian Lamparter <chunkeey@gmail.com>
|
|
Date: Wed, 1 Dec 2021 14:41:31 +0100
|
|
Subject: [PATCH] ca-certificates: fix python3-cryptography woes in
|
|
certdata2pem.py
|
|
|
|
reverts the code portion of the Debian's ca-certificate
|
|
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
|
|
|
|
It broke builds with the popular Ubuntu 20.04 (focal) releases.
|
|
This was due to them shipping with an older python3-cryptography
|
|
version which is not compatible.
|
|
|
|
More concerns were raised by jow- as well:
|
|
"We don't want the build to depend on the local system time anyway."
|
|
|
|
Reported-by: Chen Minqiang <ptpt52@gmail.com>
|
|
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
|
|
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
---
|
|
--- a/mozilla/certdata2pem.py
|
|
+++ b/mozilla/certdata2pem.py
|
|
@@ -21,16 +21,12 @@
|
|
# USA.
|
|
|
|
import base64
|
|
-import datetime
|
|
import os.path
|
|
import re
|
|
import sys
|
|
import textwrap
|
|
import io
|
|
|
|
-from cryptography import x509
|
|
-
|
|
-
|
|
objects = []
|
|
|
|
# Dirty file parser.
|
|
@@ -121,13 +117,6 @@ for obj in objects:
|
|
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
|
|
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
|
|
continue
|
|
-
|
|
- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
|
|
- if cert.not_valid_after < datetime.datetime.utcnow():
|
|
- print('!'*74)
|
|
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
|
|
- print('!'*74)
|
|
-
|
|
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
|
|
.replace(' ', '_')\
|
|
.replace('(', '=')\
|