kumquat-buildroot/package/ca-certificates/0001-mozilla-certdata2pem.py-make-cryptography-module-opt.patch
ʎɐH ǝʌǝʇS 9f5c8bd430 package/ca-certificates: bump version to 20230311
The impetus for this change was that wget fails to load pages signed by
Let's Encrypt due to missing root certs. This version has the updated and
correct certs.

0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch

Patch dropped because the fix is incorporated upstream.

Signed-off-by: Steve Hay <me@stevenhay.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-03-19 17:44:12 +01:00


From a4e468a2a0afa80df174831c2f422184820bb0fa Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Date: Thu, 6 Jan 2022 23:15:00 +0100
Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional

The Python cryptography module is only used to verify if trusted
certificates have expired, but this is only a warning. For some build
systems and distributions, providing Python cryptography is costly,
especially since it's now partly written in Rust.

As the check is only a warning, it's anyway going to be overlooked by
most people. This commit changes the check to be optional: if the
cryptography Python module is there, we perform the check, otherwise
the check is skipped.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Steve: refreshed to apply on ca-certificates version 20230311]
Signed-off-by: Steve Hay <me@stevenhay.com>
---
mozilla/certdata2pem.py | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 4df86a2..3a6d7dc 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -28,8 +28,6 @@ import sys
import textwrap
import io
-from cryptography import x509
-
objects = []
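Review bot: With the module-level `from cryptography import x509` removed here, the import is repeated inside the per-certificate loop in the next hunk, so whether the expiry check runs is no longer decided in one visible place at the top of the file. Consider keeping the import at this spot inside a `try`/`except ImportError` that sets `x509 = None`, and testing `x509 is not None` in the loop, so the optional dependency is resolved once.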
@@ -122,11 +120,16 @@ for obj in objects:
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
- if cert.not_valid_after < datetime.datetime.utcnow():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
- print('!'*74)
+ try:
+ from cryptography import x509
+
+ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+ if cert.not_valid_after < datetime.datetime.utcnow():
+ print('!'*74)
+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+ print('!'*74)
+ except ImportError:
+ pass
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
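Review bot: The `except ImportError: pass` at the end of the new block drops the expired-certificate warning without leaving any trace, so a build that lacks the cryptography module produces the same quiet log as one where every trusted certificate passed the check. Print a single notice that the expiry check was skipped, and narrow the `try` to the import alone so the `except` does not also cover `load_der_x509_certificate` and the date comparison.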
--
2.30.2