package/ca-certificates/0001-mozilla-certdata2pem.py-make-cryptography-module-opt.patch - buildroot - Git at Google

 From a4e468a2a0afa80df174831c2f422184820bb0fa Mon Sep 17 00:00:00 2001
 From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 Date: Thu, 6 Jan 2022 23:15:00 +0100
 Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional

 The Python cryptography module is only used to verify if trusted
 certificates have expired, but this is only a warning. For some build
 systems and distributions, providing Python cryptography is costly,
 especially since it's now partly written in Rust.

 As the check is only a warning, it's anyway going to be overlooked by
 most people. This commit changes the check to be optional: if the
 cryptography Python module is there, we perform the check, otherwise
 the check is skipped.

 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 [Steve: refreshed to apply on ca-certificates version 20230311]
 Signed-off-by: Steve Hay <me@stevenhay.com>
 ---
  mozilla/certdata2pem.py | 17 ++++++++++-------
  1 file changed, 10 insertions(+), 7 deletions(-)

 diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
 index 4df86a2..3a6d7dc 100644
 --- a/mozilla/certdata2pem.py
 +++ b/mozilla/certdata2pem.py
 @@ -28,8 +28,6 @@ import sys
  import textwrap
  import io

 -from cryptography import x509
 -

  objects = []

 @@ -122,11 +120,16 @@ for obj in objects:
          if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
              continue

 -        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
 -        if cert.not_valid_after < datetime.datetime.utcnow():
 -            print('!'*74)
 -            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
 -            print('!'*74)
 +        try:
 +            from cryptography import x509
 +
 +            cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
 +            if cert.not_valid_after < datetime.datetime.utcnow():
 +                print('!'*74)
 +                print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
 +                print('!'*74)
 +        except ImportError:
 +            pass

          bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
                                        .replace(' ', '_')\
 --
 2.30.2
	From a4e468a2a0afa80df174831c2f422184820bb0fa Mon Sep 17 00:00:00 2001
	From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
	Date: Thu, 6 Jan 2022 23:15:00 +0100
	Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional

	The Python cryptography module is only used to verify if trusted
	certificates have expired, but this is only a warning. For some build
	systems and distributions, providing Python cryptography is costly,
	especially since it's now partly written in Rust.

	As the check is only a warning, it's anyway going to be overlooked by
	most people. This commit changes the check to be optional: if the
	cryptography Python module is there, we perform the check, otherwise
	the check is skipped.

	Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
	[Steve: refreshed to apply on ca-certificates version 20230311]
	Signed-off-by: Steve Hay <me@stevenhay.com>
	---
	mozilla/certdata2pem.py \| 17 ++++++++++-------
	1 file changed, 10 insertions(+), 7 deletions(-)

	diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
	index 4df86a2..3a6d7dc 100644
	--- a/mozilla/certdata2pem.py
	+++ b/mozilla/certdata2pem.py
	@@ -28,8 +28,6 @@ import sys
	import textwrap
	import io

	-from cryptography import x509
	-

	objects = []

	@@ -122,11 +120,16 @@ for obj in objects:
	if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
	continue

	- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
	- if cert.not_valid_after < datetime.datetime.utcnow():
	- print('!'*74)
	- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
	- print('!'*74)
	+ try:
	+ from cryptography import x509
	+
	+ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
	+ if cert.not_valid_after < datetime.datetime.utcnow():
	+ print('!'*74)
	+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
	+ print('!'*74)
	+ except ImportError:
	+ pass

	bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
	.replace(' ', '_')\
	--
	2.30.2