up to 20211004 auto/th/ca-certificates-20211004-1
authorJan Palus <atler@pld-linux.org>
Sat, 9 Oct 2021 21:03:56 +0000 (23:03 +0200)
committerJan Palus <atler@pld-linux.org>
Sat, 9 Oct 2021 21:03:56 +0000 (23:03 +0200)
- patch to handle python cryptography api change
  (x509.load_der_x509_certificate() requires bytes in >= 35 instead of
  bytearray)
- blacklist EC-ACC certificate which stricter python cryptography fails
  to parse
- upstream dropped/blacklisted expired certs

blacklist.patch [new file with mode: 0644]
ca-certificates-etc-certs.patch
ca-certificates.d.patch
ca-certificates.spec
py_cryptography35.patch [new file with mode: 0644]

diff --git a/blacklist.patch b/blacklist.patch
new file mode 100644 (file)
index 0000000..8cf9172
--- /dev/null
@@ -0,0 +1,9 @@
+--- work/mozilla/blacklist.txt.orig    2021-10-07 17:12:47.000000000 +0200
++++ work/mozilla/blacklist.txt 2021-10-09 22:48:50.449155614 +0200
+@@ -10,3 +10,6 @@
+ # Expired CA (#995432)
+ "DST Root CA X3"
++
++# Negative serial number (python crytography fails to parse it)
++"EC-ACC"
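Review bot: The added `"EC-ACC"` entry does more than skip a certificate the converter cannot parse — labels listed in blacklist.txt are left out when certdata2pem.py emits the bundle, so this root stops being trusted on every system that installs the package (worth confirming against the converter, which is not on this page). The reason line should say that, e.g. `# Negative serial number (not allowed by RFC 5280; python cryptography >= 35 refuses to parse it) - CA removed from the bundle`. The same comment misspells cryptography as "crytography". A negative serial is indeed forbidden by RFC 5280, but whether that is what cryptography actually rejects for EC-ACC is inferred from the commit message only, so the wording should follow the observed error.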
index ecd962356e44372451825ecc8b342d90af6a4317..17c543c21096b99efa72a211bb4188ab2a108e5b 100644 (file)
  
  # Helper files.  (Some of them are not simple arrays because we spawn
  # subshells later on.)
--TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp "${CERTBUNDLE}.tmp.XXXXXX")"
- ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
- REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+-TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
++TEMPBUNDLE="${CERTBUNDLE}.new"
+ ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
+ REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
  
 @@ -62,7 +62,7 @@
  # bundle.
@@ -67,6 +67,6 @@
 -  done
 -fi
 -
- rm -f "$CERTBUNDLE"
  ADDED_CNT=$(wc -l < "$ADDED")
+ REMOVED_CNT=$(wc -l < "$REMOVED")
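Review bot: `TEMPBUNDLE="${CERTBUNDLE}.new"` on the new side makes the temporary bundle a fixed, predictable name resolved against whatever the script's working directory is at that point, whereas the upstream line it replaces anchors it under `${ETCCERTSDIR}` and the previous version of this patch still used an mktemp-generated name. A non-unique temporary path is only safe when the directory it lands in is writable by root alone, and that directory is not visible from this hunk, so either keep the anchor (`TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"`, or whichever directory the PLD layout intends) or go back to `mktemp`. If the relative name is deliberate because the script has already changed into the target directory, a one-line comment saying so above the assignment would save the next rebase of this patch from the same question. The hunk header for this first hunk is not shown on this page, and the assignment sits at top level of update-ca-certificates, which continues outside the hunk.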
index bb73b74a34e1993edb3a7bb9a7c852450999cb3d..203a92e82747c192003cb2ce6943a66bbf9c0a1b 100644 (file)
@@ -64,4 +64,4 @@
 +  done
  done
  
- rm -f "$CERTBUNDLE"
+ ADDED_CNT=$(wc -l < "$ADDED")
index ed7d196fb24ebf06c29a907fc9b54bec0d6fd897..7bafe62112d7d044d07a5e36154419a740e385a5 100644 (file)
 Summary:       Common CA Certificates PEM files
 Summary(pl.UTF-8):     Pliki PEM popularnych certyfikatów CA
 Name:          ca-certificates
-%define        ver_date        20210119
+%define        ver_date        20211004
 Version:       %{ver_date}
-Release:       6
+Release:       1
 License:       GPL v2 (scripts), MPL v2 (mozilla certs), distributable (other certs)
 Group:         Base
 Source0:       http://ftp.debian.org/debian/pool/main/c/ca-certificates/%{name}_%{version}.tar.xz
-# Source0-md5: c02582bf9ae338e558617291897615eb
+# Source0-md5: 42aece456797aba11e6ef894894f36d3
 Source2:       http://www.certum.pl/keys/CA.pem
 # Source2-md5: 35610177afc9c64e70f1ce62c1885496
 Source14:      http://www.certum.pl/CTNCA.pem
@@ -57,14 +57,17 @@ Source36:   http://www.terena.org/activities/tcs/repository-g3/TERENA_SSL_High_Ass
 Patch0:                %{name}-undebianize.patch
 Patch1:                %{name}-more-certs.patch
 Patch2:                %{name}-etc-certs.patch
-
+Patch3:                py_cryptography35.patch
+Patch4:                blacklist.patch
 Patch5:                %{name}-DESTDIR.patch
 Patch6:                %{name}.d.patch
 Patch7:                no-openssl-rehash.patch
 URL:           https://packages.debian.org/sid/ca-certificates
 BuildRequires: openssl-tools
-BuildRequires: python >= 1:2.6
-BuildRequires: python-modules
+BuildRequires: python3
+BuildRequires: python3-cryptography
+BuildRequires: python3-packaging
+BuildRequires: python3-modules
 BuildRequires: rpm >= 4.4.9-56
 BuildRequires: sed >= 4.0
 BuildRequires: tar >= 1:1.22
@@ -107,7 +110,8 @@ cd work
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
@@ -171,11 +175,6 @@ make_sure_expired_and_rm() {
        return 0
 }
 
-# expired
-make_sure_expired_and_rm mozilla/Sonera_Class_2_Root_CA.crt
-make_sure_expired_and_rm mozilla/DST_Root_CA_X3.crt
-make_sure_expired_and_rm mozilla/QuoVadis_Root_CA.crt
-
 # See TODO
 # %{__rm} mozilla/RSA_Security_1024_v3.crt
 
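Review bot: With the three `make_sure_expired_and_rm` calls removed, the helper whose body ends at `return 0` just above has no caller visible on this page; if nothing else in %prep uses it, it is now dead code and should either be dropped as well or carry a comment such as `# kept for the next batch of expired roots; currently unused`. Separately, `Source0-md5` still pins the upstream tarball with MD5 alone, which catches a corrupted download but not a substituted one; for the package that defines the system trust store a collision-resistant digest would be preferable wherever the PLD build tooling supports it — inferred, as the tooling's options are not visible here.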
diff --git a/py_cryptography35.patch b/py_cryptography35.patch
new file mode 100644 (file)
index 0000000..f4015d6
--- /dev/null
@@ -0,0 +1,29 @@
+--- work/mozilla/certdata2pem.py.orig  2021-10-07 17:12:47.000000000 +0200
++++ work/mozilla/certdata2pem.py       2021-10-09 22:27:49.300281185 +0200
+@@ -29,7 +29,13 @@
+ import io
+ from cryptography import x509
++import cryptography
++from packaging import version
++if version.parse(cryptography.__version__) >= version.parse("35.0.0"):
++    use_bytes=True
++else:
++    use_bytes=False
+ objects = []
+@@ -122,7 +128,11 @@
+         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+             continue
+-        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
++        if use_bytes:
++            cka_value = bytes(obj['CKA_VALUE'])
++        else:
++            cka_value = obj['CKA_VALUE']
++        cert = x509.load_der_x509_certificate(cka_value)
+         if cert.not_valid_after < datetime.datetime.now():
+             print('!'*74)
+             print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
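Review bot: The version gate is unnecessary: `bytes(obj['CKA_VALUE'])` accepts a bytearray on every cryptography release, and releases before 35 accepted bytes as well, so the `if use_bytes:` branch can collapse to `cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))`. That also removes the new `import cryptography` / `from packaging import version` lines and the module-level version comparison, and with them the `python3-packaging` BuildRequires this commit adds to the spec. If the gate is kept anyway, the two assignments should be written `use_bytes = True` / `use_bytes = False` per PEP 8, or simply `use_bytes = version.parse(cryptography.__version__) >= version.parse("35.0.0")`. The loop this sits in starts before the hunk and continues after it.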