3 files changed, 80 insertions, 54 deletions
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
new file mode 100644
index 0000000000..5c4a32f526
--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -0,0 +1,80 @@
+From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 18 Oct 2021 12:05:49 +0200
+Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
+ certificates."
+This avoids a dependency on python3-cryptography, and only checks
+for expired certs (which is upstream concern, but not ours).
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ debian/changelog        |  1 -
+ debian/control          |  2 +-
+ mozilla/certdata2pem.py | 11 -----------
+ 3 files changed, 1 insertion(+), 13 deletions(-)
+diff --git a/debian/changelog b/debian/changelog
+index 531e4d0..4006509 100644
+--- a/debian/changelog
+++ b/debian/changelog
+@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+     - "Trustis FPS Root CA"
+     - "Staat der Nederlanden Root CA - G3"
+   * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+-  * mozilla/certdata2pem.py: print a warning for expired certificates.
+ 
+  -- Julien Cristau <jcristau@debian.org>  Thu, 07 Oct 2021 17:12:47 +0200
+ 
+diff --git a/debian/control b/debian/control
+index 4434b7a..5c6ba24 100644
+--- a/debian/control
+++ b/debian/control
+@@ -3,7 +3,7 @@ Section: misc
+ Priority: optional
+ Maintainer: Julien Cristau <jcristau@debian.org>
+ Build-Depends: debhelper-compat (= 13), po-debconf
+-Build-Depends-Indep: python3, openssl, python3-cryptography
+Build-Depends-Indep: python3, openssl
+ Standards-Version: 4.5.0.2
+ Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+ Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index ede23d4..7d796f1 100644
+--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+ # USA.
+ 
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+ 
+-from cryptography import x509
+-
+-
+ objects = []
+ 
+ # Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+             continue
+-
+-        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+-        if cert.not_valid_after < datetime.datetime.now():
+-            print('!'*74)
+-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+-            print('!'*74)
+-
+         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+                                       .replace(' ', '_')\
+                                       .replace('(', '=')\
+-- 
+2.20.1
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch b/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
deleted file mode 100644
index a113fa8b15..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Upstream-Status: Pending
-Let us alter the install destination of the script via SBINDIR
--- ca-certificates-20130119.orig/sbin/Makefile
-+++ ca-certificates-20130119/sbin/Makefile
-@@ -3,9 +3,12 @@
- #
- #
-+SBINDIR = /usr/sbin
-+
- all:
- clean:
- install:
-       install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+       install -d $(DESTDIR)$(SBINDIR)
-+       install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch b/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
deleted file mode 100644
index 6e2171f758..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 30378026d136efa779732e3f6664e2ecf461e458 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Thu, 17 Mar 2016 12:38:09 +0100
-Subject: [PATCH] update-ca-certificates: support Toybox
-"mktemp -t" is deprecated and does not work when using Toybox. Replace
-with something that works also with Toybox.
-Upstream-Status: Pending
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
- sbin/update-ca-certificates | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 79c41bb..ae9e3f1 100755
--- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -113,9 +113,9 @@ trap cleanup 0
- 
- # Helper files.  (Some of them are not simple arrays because we spawn
- # subshells later on.)
-TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
-ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp -p${TMPDIR:-/tmp} "${CERTBUNDLE}.tmp.XXXXXX")"
-+ADDED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
-+REMOVED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
- 
- # Adds a certificate to the list of trusted ones.  This includes a symlink
- # in /etc/ssl/certs to the certificate file and its inclusion into the
-- 
-2.1.4

diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch new file mode 100644 index 0000000000..5c4a32f526 --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -0,0 +1,80 @@
		1	From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
		2	From: Alexander Kanavin <alex@linutronix.de>
		3	Date: Mon, 18 Oct 2021 12:05:49 +0200
		4	Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
		5	certificates."
		6
		7	This avoids a dependency on python3-cryptography, and only checks
		8	for expired certs (which is upstream concern, but not ours).
		9
		10	Upstream-Status: Inappropriate [oe-core specific]
		11	Signed-off-by: Alexander Kanavin <alex@linutronix.de>
		12	---
		13	debian/changelog \| 1 -
		14	debian/control \| 2 +-
		15	mozilla/certdata2pem.py \| 11 -----------
		16	3 files changed, 1 insertion(+), 13 deletions(-)
		17
		18	diff --git a/debian/changelog b/debian/changelog
		19	index 531e4d0..4006509 100644
		20	--- a/debian/changelog
		21	+++ b/debian/changelog
		22	@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
		23	- "Trustis FPS Root CA"
		24	- "Staat der Nederlanden Root CA - G3"
		25	* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
		26	- * mozilla/certdata2pem.py: print a warning for expired certificates.
		27
		28	-- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
		29
		30	diff --git a/debian/control b/debian/control
		31	index 4434b7a..5c6ba24 100644
		32	--- a/debian/control
		33	+++ b/debian/control
		34	@@ -3,7 +3,7 @@ Section: misc
		35	Priority: optional
		36	Maintainer: Julien Cristau <jcristau@debian.org>
		37	Build-Depends: debhelper-compat (= 13), po-debconf
		38	-Build-Depends-Indep: python3, openssl, python3-cryptography
		39	+Build-Depends-Indep: python3, openssl
		40	Standards-Version: 4.5.0.2
		41	Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
		42	Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
		43	diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
		44	index ede23d4..7d796f1 100644
		45	--- a/mozilla/certdata2pem.py
		46	+++ b/mozilla/certdata2pem.py
		47	@@ -21,16 +21,12 @@
		48	# USA.
		49
		50	import base64
		51	-import datetime
		52	import os.path
		53	import re
		54	import sys
		55	import textwrap
		56	import io
		57
		58	-from cryptography import x509
		59	-
		60	-
		61	objects = []
		62
		63	# Dirty file parser.
		64	@@ -121,13 +117,6 @@ for obj in objects:
		65	if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
		66	if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
		67	continue
		68	-
		69	- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
		70	- if cert.not_valid_after < datetime.datetime.now():
		71	- print('!'*74)
		72	- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
		73	- print('!'*74)
		74	-
		75	bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
		76	.replace(' ', '_')\
		77	.replace('(', '=')\
		78	--
		79	2.20.1
		80


diff --git a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch b/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch deleted file mode 100644 index a113fa8b15..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch +++ /dev/null
@@ -1,20 +0,0 @@
1	Upstream-Status: Pending
2
3	Let us alter the install destination of the script via SBINDIR
4
5	--- ca-certificates-20130119.orig/sbin/Makefile
6	+++ ca-certificates-20130119/sbin/Makefile
7	@@ -3,9 +3,12 @@
8	#
9	#
10
11	+SBINDIR = /usr/sbin
12	+
13	all:
14
15	clean:
16
17	install:
18	- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
19	+ install -d $(DESTDIR)$(SBINDIR)
20	+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/


diff --git a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch b/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch deleted file mode 100644 index 6e2171f758..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch +++ /dev/null
@@ -1,34 +0,0 @@
1	From 30378026d136efa779732e3f6664e2ecf461e458 Mon Sep 17 00:00:00 2001
2	From: Patrick Ohly <patrick.ohly@intel.com>
3	Date: Thu, 17 Mar 2016 12:38:09 +0100
4	Subject: [PATCH] update-ca-certificates: support Toybox
5
6	"mktemp -t" is deprecated and does not work when using Toybox. Replace
7	with something that works also with Toybox.
8
9	Upstream-Status: Pending
10
11	Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
12	---
13	sbin/update-ca-certificates \| 6 +++---
14	1 file changed, 3 insertions(+), 3 deletions(-)
15
16	diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
17	index 79c41bb..ae9e3f1 100755
18	--- a/sbin/update-ca-certificates
19	+++ b/sbin/update-ca-certificates
20	@@ -113,9 +113,9 @@ trap cleanup 0
21
22	# Helper files. (Some of them are not simple arrays because we spawn
23	# subshells later on.)
24	-TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
25	-ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
26	-REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
27	+TEMPBUNDLE="$(mktemp -p${TMPDIR:-/tmp} "${CERTBUNDLE}.tmp.XXXXXX")"
28	+ADDED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
29	+REMOVED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
30
31	# Adds a certificate to the list of trusted ones. This includes a symlink
32	# in /etc/ssl/certs to the certificate file and its inclusion into the
33	--
34	2.1.4