From 25bc66eb40ea2c062940778fba601032b2579734 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Wed, 1 Dec 2021 15:01:23 +0100 Subject: [PATCH] ca-certificates: fix python3-cryptography woes in certdata2pem.py This patch is a revert of the upstream patch to Debian's ca-certificate commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.") The reason is, that this change broke builds with the popular Ubuntu 20.04 LTS (focal) releases which are shipping with an older version of the python3-cryptography package that is not compatible. |Traceback (most recent call last): | File "certdata2pem.py", line 125, in | cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) |TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend' |make[5]: *** [Makefile:6: all] Error 1 ...or if the python3-cryptography was missing all together: |Traceback (most recent call last): | File "/certdata2pem.py", line 31, in | from cryptography import x509 |ModuleNotFoundError: No module named 'cryptography' More concerns were raised by Jo-Philipp Wich: "We don't want the build to depend on the local system time anyway. Right now it seems to be just a warning but I could imagine that eventually certs are simply omitted of found to be expired at build time which would break reproducibility." Link: Reported-by: Chen Minqiang Reported-by: Shane Synan Signed-off-by: Christian Lamparter --- ...fix-python3-cryptography-woes-in-cer.patch | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch diff --git a/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch b/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch new file mode 100644 index 0000000000..add01f42c0 --- /dev/null +++ b/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch @@ -0,0 +1,53 @@ +From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Wed, 1 Dec 2021 14:41:31 +0100 +Subject: [PATCH] ca-certificates: fix python3-cryptography woes in + certdata2pem.py + +reverts the code portion of the Debian's ca-certificate +commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.") + +It broke builds with the popular Ubuntu 20.04 (focal) releases. +This was due to them shipping with an older python3-cryptography +version which is not compatible. + +More concerns were raised by jow- as well: +"We don't want the build to depend on the local system time anyway." + +Reported-by: Chen Minqiang +Reported-by: Shane Synan +Signed-off-by: Christian Lamparter +--- +--- a/work/mozilla/certdata2pem.py ++++ b/work/mozilla/certdata2pem.py +@@ -21,16 +21,12 @@ + # USA. + + import base64 +-import datetime + import os.path + import re + import sys + import textwrap + import io + +-from cryptography import x509 +- +- + objects = [] + + # Dirty file parser. +@@ -121,13 +117,6 @@ for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue +- +- cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) +- if cert.not_valid_after < datetime.datetime.now(): +- print('!'*74) +- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) +- print('!'*74) +- + bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\