buildroot/package/ca-certificates/0001-mozilla-certdata2pem.p...

61 lines
2.1 KiB
Diff

From a4e468a2a0afa80df174831c2f422184820bb0fa Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Date: Thu, 6 Jan 2022 23:15:00 +0100
Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional
The Python cryptography module is only used to verify if trusted
certificates have expired, but this is only a warning. For some build
systems and distributions, providing Python cryptography is costly,
especially since it's now partly written in Rust.
As the check is only a warning, it's anyway going to be overlooked by
most people. This commit changes the check to be optional: if the
cryptography Python module is there, we perform the check, otherwise
the check is skipped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Steve: refreshed to apply on ca-certificates version 20230311]
Signed-off-by: Steve Hay <me@stevenhay.com>
---
mozilla/certdata2pem.py | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 4df86a2..3a6d7dc 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -28,8 +28,6 @@ import sys
import textwrap
import io
-from cryptography import x509
-
objects = []
@@ -122,11 +120,16 @@ for obj in objects:
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
- if cert.not_valid_after < datetime.datetime.utcnow():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
- print('!'*74)
+ try:
+ from cryptography import x509
+
+ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+ if cert.not_valid_after < datetime.datetime.utcnow():
+ print('!'*74)
+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+ print('!'*74)
+ except ImportError:
+ pass
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
--
2.30.2