@@ -1,4 +1,4 @@
-From bf18b564122e8f976681a2398862fde1eafd84ba Mon Sep 17 00:00:00 2001
+From a4e468a2a0afa80df174831c2f422184820bb0fa Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Date: Thu, 6 Jan 2022 23:15:00 +0100
Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional
@@ -14,38 +14,39 @@ cryptography Python module is there, we perform the check, otherwise
the check is skipped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+[Steve: refreshed to apply on ca-certificates version 20230311]
+Signed-off-by: Steve Hay <me@stevenhay.com>
---
- mozilla/certdata2pem.py | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
+ mozilla/certdata2pem.py | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
-index ede23d4..a6261f8 100644
+index 4df86a2..3a6d7dc 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
-@@ -28,9 +28,6 @@ import sys
+@@ -28,8 +28,6 @@ import sys
import textwrap
import io
-from cryptography import x509
-
--
+
objects = []
- # Dirty file parser.
-@@ -122,11 +119,16 @@ for obj in objects:
+@@ -122,11 +120,16 @@ for obj in objects:
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
-- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-- if cert.not_valid_after < datetime.datetime.now():
+- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+- if cert.not_valid_after < datetime.datetime.utcnow():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
- print('!'*74)
+ try:
+ from cryptography import x509
+
-+ cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-+ if cert.not_valid_after < datetime.datetime.now():
++ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
++ if cert.not_valid_after < datetime.datetime.utcnow():
+ print('!'*74)
+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+ print('!'*74)
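Review bot: When the `cryptography` import fails, the expiry check inside the `for obj in objects:` loop is skipped with nothing written to the build log, so a trusted-but-expired root can end up in the generated bundle unnoticed. The package's dependency line elsewhere in this commit lists only `host-openssl host-python3`, so this is presumably the usual case on a build host. The `except` branch of this `try:` lies outside the visible lines, so the following is inferred from the commit message: it should catch only `ImportError` and emit one notice such as `print('cryptography module not available, expiry check skipped')`, leaving DER parse errors to surface. Separately, `cert.not_valid_after` and `datetime.datetime.utcnow()` are both deprecated in recent cryptography and Python releases; where the installed cryptography provides it, `cert.not_valid_after_utc < datetime.datetime.now(datetime.timezone.utc)` is the timezone-aware form.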
@@ -55,5 +56,5 @@ index ede23d4..a6261f8 100644
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
--
-2.33.1
+2.30.2
deleted file mode 100644
@@ -1,29 +0,0 @@
-From 5e493ca307a031e81528ceddb96f3da40bc062cf Mon Sep 17 00:00:00 2001
-From: Wataru Ashihara <wsh@iij.ad.jp>
-Date: Wed, 2 Nov 2022 12:40:05 -0400
-Subject: [PATCH] mozilla/certdata2pem.py: Fix compat with cryptography > 3.0
-
-In newer cryptography packages, load_der_x509_certificate is enforced to be 'bytes' rather than currently used 'bytearray'. This fixes that.
-
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
-Signed-off-by: Justin Wood <jwood@starry.com>
----
- mozilla/certdata2pem.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
-index a6261f8..c0fa52c 100644
---- a/mozilla/certdata2pem.py
-+++ b/mozilla/certdata2pem.py
-@@ -122,7 +122,7 @@ for obj in objects:
- try:
- from cryptography import x509
-
-- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-+ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
- if cert.not_valid_after < datetime.datetime.now():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
-2.38.1
-
@@ -1,6 +1,4 @@
# hashes from: $(CA_CERTIFICATES_SITE)/ca-certificates_$(CA_CERTIFICATES_VERSION).dsc :
-sha1 bce5a8fac45456dbebf256f3a812c6cd0a853e3e ca-certificates_20211016.tar.xz
-sha256 2ae9b6dc5f40c25d6d7fe55e07b54f12a8967d1955d3b7b2f42ee46266eeef88 ca-certificates_20211016.tar.xz
-
+sha256 83de934afa186e279d1ed08ea0d73f5cf43a6fbfb5f00874b6db3711c64576f3 ca-certificates_20230311.tar.xz
# Locally computed
sha256 e85e1bcad3a915dc7e6f41412bc5bdeba275cadd817896ea0451f2140a93967c debian/copyright
@@ -4,9 +4,9 @@
#
################################################################################
-CA_CERTIFICATES_VERSION = 20211016
+CA_CERTIFICATES_VERSION = 20230311
CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.xz
-CA_CERTIFICATES_SITE = https://snapshot.debian.org/archive/debian/20211022T144903Z/pool/main/c/ca-certificates
+CA_CERTIFICATES_SITE = https://snapshot.debian.org/archive/debian/20230317T205011Z/pool/main/c/ca-certificates
CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python3
CA_CERTIFICATES_LICENSE = GPL-2.0+ (script), MPL-2.0 (data)
CA_CERTIFICATES_LICENSE_FILES = debian/copyright