[openwrt/openwrt] ca-certificates: fix python3-cryptography woes in certdata2pem.py

LEDE Commits lede-commits at lists.infradead.org
Sat Mar 4 04:10:46 PST 2023


hauke pushed a commit to openwrt/openwrt.git, branch openwrt-21.02:
https://git.openwrt.org/23c86d44bcfa00255c32196458b0a47dfa6732d5

commit 23c86d44bcfa00255c32196458b0a47dfa6732d5
Author: Christian Lamparter <chunkeey at gmail.com>
AuthorDate: Wed Dec 1 15:01:23 2021 +0100

    ca-certificates: fix python3-cryptography woes in certdata2pem.py
    
    This patch is a revert of the upstream patch to Debian's ca-certificate
    commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
    
    The reason is, that this change broke builds with the popular
    Ubuntu 20.04 LTS (focal) releases which are shipping with an
    older version of the python3-cryptography package that is not
    compatible.
    
    |Traceback (most recent call last):
    |  File "certdata2pem.py", line 125, in <module>
    |    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
    |TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
    |make[5]: *** [Makefile:6: all] Error 1
    
    ...or if the python3-cryptography was missing all together:
    |Traceback (most recent call last):
    |  File "/certdata2pem.py", line 31, in <module>
    |    from cryptography import x509
    |ModuleNotFoundError: No module named 'cryptography'
    
    More concerns were raised by Jo-Philipp Wich:
    "We don't want the build to depend on the local system time anyway.
    Right now it seems to be just a warning but I could imagine that
    eventually certs are simply omitted of found to be expired at
    build time which would break reproducibility."
    
    Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
    Reported-by: Chen Minqiang <ptpt52 at gmail.com>
    Reported-by: Shane Synan <digitalcircuit36939 at gmail.com>
    Signed-off-by: Christian Lamparter <chunkeey at gmail.com>
    (cherry picked from commit 25bc66eb40ea2c062940778fba601032b2579734)
---
 ...ates-fix-python3-cryptography-woes-in-cer.patch | 53 ++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch b/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch
new file mode 100644
index 0000000000..add01f42c0
--- /dev/null
+++ b/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch
@@ -0,0 +1,53 @@
+From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey at gmail.com>
+Date: Wed, 1 Dec 2021 14:41:31 +0100
+Subject: [PATCH] ca-certificates: fix python3-cryptography woes in
+ certdata2pem.py
+
+reverts the code portion of the Debian's ca-certificate
+commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
+
+It broke builds with the popular Ubuntu 20.04 (focal) releases.
+This was due to them shipping with an older python3-cryptography
+version which is not compatible.
+
+More concerns were raised by jow- as well:
+"We don't want the build to depend on the local system time anyway."
+
+Reported-by: Chen Minqiang <ptpt52 at gmail.com>
+Reported-by: Shane Synan <digitalcircuit36939 at gmail.com>
+Signed-off-by: Christian Lamparter <chunkeey at gmail.com>
+---
+--- a/work/mozilla/certdata2pem.py
++++ b/work/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+ # USA.
+ 
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+ 
+-from cryptography import x509
+-
+-
+ objects = []
+ 
+ # Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+             continue
+-
+-        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+-        if cert.not_valid_after < datetime.datetime.now():
+-            print('!'*74)
+-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+-            print('!'*74)
+-
+         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+                                       .replace(' ', '_')\
+                                       .replace('(', '=')\




More information about the lede-commits mailing list