From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Wed, 1 Dec 2021 14:41:31 +0100 Subject: [PATCH] ca-certificates: fix python3-cryptography woes in certdata2pem.py reverts the code portion of the Debian's ca-certificate commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.") It broke builds with the popular Ubuntu 20.04 (focal) releases. This was due to them shipping with an older python3-cryptography version which is not compatible. More concerns were raised by jow- as well: "We don't want the build to depend on the local system time anyway." Reported-by: Chen Minqiang Reported-by: Shane Synan Signed-off-by: Christian Lamparter --- --- a/mozilla/certdata2pem.py +++ b/mozilla/certdata2pem.py @@ -21,16 +21,12 @@ # USA. import base64 -import datetime import os.path import re import sys import textwrap import io -from cryptography import x509 - - objects = [] # Dirty file parser. @@ -121,13 +117,6 @@ for obj in objects: if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: continue - - cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) - if cert.not_valid_after < datetime.datetime.utcnow(): - print('!'*74) - print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) - print('!'*74) - bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ .replace(' ', '_')\ .replace('(', '=')\