From de4dd2fdd40fd5dacbc0a63d1eb72ae24745414b Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Sat, 9 Oct 2021 23:03:56 +0200
Subject: [PATCH] up to 20211004

- patch to handle python cryptography api change (x509.load_der_x509_certificate() requires bytes in >= 35 instead of bytearray)
- blacklist EC-ACC certificate which stricter python cryptography fails to parse
- upstream dropped/blacklisted expired certs
---
 blacklist.patch | 9 +++++++++
 ca-certificates-etc-certs.patch | 12 ++++++------
 ca-certificates.d.patch | 2 +-
 ca-certificates.spec | 23 +++++++++++------------
 py_cryptography35.patch | 29 +++++++++++++++++++++++++++++
 5 files changed, 56 insertions(+), 19 deletions(-)
 create mode 100644 blacklist.patch
 create mode 100644 py_cryptography35.patch

diff --git a/blacklist.patch b/blacklist.patch
new file mode 100644
index 0000000..8cf9172
--- /dev/null
+++ b/blacklist.patch
@@ -0,0 +1,9 @@
+--- work/mozilla/blacklist.txt.orig 2021-10-07 17:12:47.000000000 +0200
++++ work/mozilla/blacklist.txt 2021-10-09 22:48:50.449155614 +0200
+@@ -10,3 +10,6 @@
+
+ # Expired CA (#995432)
+ "DST Root CA X3"
++
++# Negative serial number (python crytography fails to parse it)
++"EC-ACC"
diff --git a/ca-certificates-etc-certs.patch b/ca-certificates-etc-certs.patch
index ecd9623..17c543c 100644
--- a/ca-certificates-etc-certs.patch
+++ b/ca-certificates-etc-certs.patch
@@ -15,10 +15,10 @@
 # Helper files. (Some of them are not simple arrays because we spawn
 # subshells later on.)
--TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp "${CERTBUNDLE}.tmp.XXXXXX")"
- ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
- REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+-TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
++TEMPBUNDLE="${CERTBUNDLE}.new"
+ ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
+ REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
@@ -62,7 +62,7 @@
 # bundle.
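Review bot: The new `"EC-ACC"` entry removes a CA that Mozilla still ships as trusted purely because the build-time parser cannot read it, so the comment should state that this is a tooling workaround rather than a distrust decision and when it can be reverted; as written it also misspells the library name. Suggest `# Parser workaround, not a distrust: newer python-cryptography rejects this cert's negative serial number; drop this entry once the parser accepts it`. As far as the certdata2pem.py hunk in this same commit shows, the certificate is parsed only to print an expiry warning, so catching the parse failure there would keep EC-ACC in the bundle instead of silently changing which sites validate on every system that installs this package.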
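Review bot: The replacement line `TEMPBUNDLE="${CERTBUNDLE}.new"` drops the `${ETCCERTSDIR}/` prefix that upstream's new line carries, which is only correct if CERTBUNDLE is already an absolute path in this patched script; that assignment is outside the hunk, so it is worth confirming, otherwise the staging bundle is written into the caller's working directory. Replacing the earlier random `mktemp` name with a fixed, predictable `.new` path is acceptable only because the bundle's directory is root-owned and not writable by other users; presumably that holds for the PLD layout, but it should be stated in the patch header so nobody later relocates CERTBUNDLE into a shared directory. The script that owns these variables starts and ends outside the hunk.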
 @@ -67,6 +67,6 @@
- done
-fi
-
- rm -f "$CERTBUNDLE"
- ADDED_CNT=$(wc -l < "$ADDED")
+ REMOVED_CNT=$(wc -l < "$REMOVED")
+
diff --git a/ca-certificates.d.patch b/ca-certificates.d.patch
index bb73b74..203a92e 100644
--- a/ca-certificates.d.patch
+++ b/ca-certificates.d.patch
@@ -64,4 +64,4 @@
 + done
 done
- rm -f "$CERTBUNDLE"
+ ADDED_CNT=$(wc -l < "$ADDED")
diff --git a/ca-certificates.spec b/ca-certificates.spec
index ed7d196..7bafe62 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -11,13 +11,13 @@
 Summary: Common CA Certificates PEM files
 Summary(pl.UTF-8): Pliki PEM popularnych certyfikatów CA
 Name: ca-certificates
-%define ver_date 20210119
+%define ver_date 20211004
 Version: %{ver_date}
-Release: 6
+Release: 1
 License: GPL v2 (scripts), MPL v2 (mozilla certs), distributable (other certs)
 Group: Base
 Source0: http://ftp.debian.org/debian/pool/main/c/ca-certificates/%{name}_%{version}.tar.xz
-# Source0-md5: c02582bf9ae338e558617291897615eb
+# Source0-md5: 42aece456797aba11e6ef894894f36d3
 Source2: http://www.certum.pl/keys/CA.pem
 # Source2-md5: 35610177afc9c64e70f1ce62c1885496
 Source14: http://www.certum.pl/CTNCA.pem
@@ -57,14 +57,17 @@ Source36: http://www.terena.org/activities/tcs/repository-g3/TERENA_SSL_High_Ass
 Patch0: %{name}-undebianize.patch
 Patch1: %{name}-more-certs.patch
 Patch2: %{name}-etc-certs.patch
-
+Patch3: py_cryptography35.patch
+Patch4: blacklist.patch
 Patch5: %{name}-DESTDIR.patch
 Patch6: %{name}.d.patch
 Patch7: no-openssl-rehash.patch
 URL: https://packages.debian.org/sid/ca-certificates
 BuildRequires: openssl-tools
-BuildRequires: python >= 1:2.6
-BuildRequires: python-modules
+BuildRequires: python3
+BuildRequires: python3-cryptography
+BuildRequires: python3-packaging
+BuildRequires: python3-modules
 BuildRequires: rpm >= 4.4.9-56
 BuildRequires: sed >= 4.0
 BuildRequires: tar >= 1:1.22
@@ -107,7 +110,8 @@ cd work
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
@@ -171,11 +175,6 @@ make_sure_expired_and_rm() {
 return 0
 }
-# expired
-make_sure_expired_and_rm mozilla/Sonera_Class_2_Root_CA.crt
-make_sure_expired_and_rm mozilla/DST_Root_CA_X3.crt
-make_sure_expired_and_rm mozilla/QuoVadis_Root_CA.crt
-
 # See TODO
 # %{__rm} mozilla/RSA_Security_1024_v3.crt
diff --git a/py_cryptography35.patch b/py_cryptography35.patch
new file mode 100644
index 0000000..f4015d6
--- /dev/null
+++ b/py_cryptography35.patch
@@ -0,0 +1,29 @@
+--- work/mozilla/certdata2pem.py.orig 2021-10-07 17:12:47.000000000 +0200
++++ work/mozilla/certdata2pem.py 2021-10-09 22:27:49.300281185 +0200
+@@ -29,7 +29,13 @@
+ import io
+
+ from cryptography import x509
++import cryptography
++from packaging import version
+
++if version.parse(cryptography.__version__) >= version.parse("35.0.0"):
++ use_bytes=True
++else:
++ use_bytes=False
+
+ objects = []
+
+@@ -122,7 +128,11 @@
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+
+- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
++ if use_bytes:
++ cka_value = bytes(obj['CKA_VALUE'])
++ else:
++ cka_value = obj['CKA_VALUE']
++ cert = x509.load_der_x509_certificate(cka_value)
+ if cert.not_valid_after < datetime.datetime.now():
+ print('!'*74)
+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
--
2.44.0
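Review bot: The `use_bytes` version gate and the new `packaging` import are unnecessary: `bytes` has always been the documented argument type of `x509.load_der_x509_certificate`, so converting unconditionally works on every cryptography release and lets the spec drop the `python3-packaging` build dependency it adds for this check. The whole addition collapses to `cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))`. As far as the visible lines show, `cert` is used only for the expiry warning that follows; if that holds for the rest of the loop body (which starts and ends outside the hunk), wrapping the call in `try/except ValueError` and skipping just the warning would avoid having to blacklist EC-ACC to get the build through, keeping the trust store aligned with Mozilla's.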