
Accepting request 536559 from Base:System

- convert processing script to Python 3
- ensure a stable conversion of UTF8 hex-encoded certificate names
- ensure a stable ordering of trust/distrust bits in headers (forwarded request 536543 from matejcik)

OBS-URL: https://build.opensuse.org/request/show/536559
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ca-certificates-mozilla?expand=0&rev=37
Dominique Leuenberger 2017-10-27 11:47:17 +00:00 committed by Git OBS Bridge
commit 96e24d7a24
3 changed files with 39 additions and 26 deletions


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Oct 25 12:40:36 UTC 2017 - jmatejek@suse.com
- convert processing script to Python 3
- ensure a stable conversion of UTF8 hex-encoded certificate names
- ensure a stable ordering of trust/distrust bits in headers
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 24 12:46:29 UTC 2017 - meissner@suse.com Tue Jan 24 12:46:29 UTC 2017 - meissner@suse.com


@ -21,7 +21,7 @@ BuildRequires: p11-kit-devel
BuildRequires: ca-certificates BuildRequires: ca-certificates
BuildRequires: openssl BuildRequires: openssl
BuildRequires: python BuildRequires: python3-base
Name: ca-certificates-mozilla Name: ca-certificates-mozilla
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file: # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
@ -77,7 +77,8 @@ if [ "%{version}" != "$ver" ]; then
fi fi
%build %build
python %{SOURCE10} export LANG=en_US.UTF-8
python3 %{SOURCE10}
%install %install
mkdir -p %{buildroot}/%{trustdir_static}/anchors mkdir -p %{buildroot}/%{trustdir_static}/anchors
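Review bot: `export LANG=en_US.UTF-8` before `python3 %{SOURCE10}` makes the parse of certdata.txt depend on the build environment's locale, because the script's `open('certdata.txt', 'r')` (a context line in the certdata2pem.py section below) passes no encoding; if that locale is not installed in the build root, Python presumably falls back to the C locale and any non-ASCII byte in certdata.txt would raise UnicodeDecodeError. The robust fix belongs in the script, `for line in open('certdata.txt', 'r', encoding='utf-8'):`, after which the export is at most belt-and-braces. The %build section continues past the hunk.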


@ -1,4 +1,4 @@
#!/usr/bin/python #!/usr/bin/python3
# vim:set et sw=4: # vim:set et sw=4:
# #
# certdata2pem.py - splits certdata.txt into multiple files # certdata2pem.py - splits certdata.txt into multiple files
@ -26,16 +26,16 @@ import os.path
import re import re
import sys import sys
import textwrap import textwrap
import urllib import urllib.parse
objects = [] objects = []
def printable_serial(obj): def printable_serial(obj):
return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER'])) return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
# Dirty file parser. # Dirty file parser.
in_data, in_multiline, in_obj = False, False, False in_data, in_multiline, in_obj = False, False, False
field, type, value, obj = None, None, None, dict() field, vtype, value, obj = None, None, None, dict()
for line in open('certdata.txt', 'r'): for line in open('certdata.txt', 'r'):
# Ignore the file header. # Ignore the file header.
if not in_data: if not in_data:
@ -55,10 +55,10 @@ for line in open('certdata.txt', 'r'):
continue continue
if in_multiline: if in_multiline:
if not line.startswith('END'): if not line.startswith('END'):
if type == 'MULTILINE_OCTAL': if vtype == 'MULTILINE_OCTAL':
line = line.strip() line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line): numbers = [int(i.group(1), 8) for i in re.finditer(r'\\([0-3][0-7][0-7])', line)]
value += chr(int(i.group(1), 8)) value += bytes(numbers)
else: else:
value += line value += line
continue continue
@ -69,19 +69,19 @@ for line in open('certdata.txt', 'r'):
in_obj = True in_obj = True
line_parts = line.strip().split(' ', 2) line_parts = line.strip().split(' ', 2)
if len(line_parts) > 2: if len(line_parts) > 2:
field, type = line_parts[0:2] field, vtype = line_parts[0:2]
value = ' '.join(line_parts[2:]) value = ' '.join(line_parts[2:])
elif len(line_parts) == 2: elif len(line_parts) == 2:
field, type = line_parts field, vtype = line_parts
value = None value = None
else: else:
raise NotImplementedError, 'line_parts < 2 not supported.\n' + line raise NotImplementedError('line_parts < 2 not supported.\n' + line)
if type == 'MULTILINE_OCTAL': if vtype == 'MULTILINE_OCTAL':
in_multiline = True in_multiline = True
value = "" value = b""
continue continue
obj[field] = value obj[field] = value
if len(obj.items()) > 0: if obj:
objects.append(obj) objects.append(obj)
# Build up trust database. # Build up trust database.
@ -91,7 +91,7 @@ for obj in objects:
continue continue
key = obj['CKA_LABEL'] + printable_serial(obj) key = obj['CKA_LABEL'] + printable_serial(obj)
trustmap[key] = obj trustmap[key] = obj
print " added trust", key print(" added trust", key)
# Build up cert database. # Build up cert database.
certmap = dict() certmap = dict()
@ -100,7 +100,7 @@ for obj in objects:
continue continue
key = obj['CKA_LABEL'] + printable_serial(obj) key = obj['CKA_LABEL'] + printable_serial(obj)
certmap[key] = obj certmap[key] = obj
print " added cert", key print(" added cert", key)
def obj_to_filename(obj): def obj_to_filename(obj):
label = obj['CKA_LABEL'][1:-1] label = obj['CKA_LABEL'][1:-1]
@ -109,7 +109,12 @@ def obj_to_filename(obj):
.replace('(', '=')\ .replace('(', '=')\
.replace(')', '=')\ .replace(')', '=')\
.replace(',', '_') .replace(',', '_')
label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label) # encode possible Unicode string to UTF8 bytes first
label = label.encode("utf8")
# decode hex escape sequences
label = re.sub(rb'\\x[0-9a-fA-F]{2}', lambda m:bytes([int(m.group(0)[2:], 16)]), label)
# read back UTF8 bytes
label = label.decode("utf8")
serial = printable_serial(obj) serial = printable_serial(obj)
return label + ":" + serial return label + ":" + serial
@ -142,17 +147,17 @@ openssl_trust = {
for tobj in objects: for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj) key = tobj['CKA_LABEL'] + printable_serial(tobj)
print "producing trust for " + key print("producing trust for " + key)
trustbits = [] trustbits = []
distrustbits = [] distrustbits = []
openssl_trustflags = [] openssl_trustflags = []
openssl_distrustflags = [] openssl_distrustflags = []
for t in trust_types.keys(): for t in sorted(trust_types.keys()):
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
trustbits.append(t) trustbits.append(t)
if t in openssl_trust: if t in openssl_trust:
openssl_trustflags.append(openssl_trust[t]) openssl_trustflags.append(openssl_trust[t])
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED': if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
distrustbits.append(t) distrustbits.append(t)
if t in openssl_trust: if t in openssl_trust:
openssl_distrustflags.append(openssl_trust[t]) openssl_distrustflags.append(openssl_trust[t])
@ -178,7 +183,7 @@ for tobj in objects:
if openssl_distrustflags: if openssl_distrustflags:
f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n") f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']).decode("ascii"), 64)))
f.write("\n-----END CERTIFICATE-----\n") f.write("\n-----END CERTIFICATE-----\n")
else: else:
f.write("[p11-kit-object-v1]\n") f.write("[p11-kit-object-v1]\n")
@ -188,12 +193,12 @@ for tobj in objects:
f.write("class: certificate\n") f.write("class: certificate\n")
f.write("certificate-type: x-509\n") f.write("certificate-type: x-509\n")
f.write("issuer: \""); f.write("issuer: \"");
f.write(urllib.quote(tobj['CKA_ISSUER'])); f.write(urllib.parse.quote(tobj['CKA_ISSUER']));
f.write("\"\n") f.write("\"\n")
f.write("serial-number: \""); f.write("serial-number: \"");
f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER'])); f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER']));
f.write("\"\n") f.write("\"\n")
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'): if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n") f.write("x-distrusted: true\n")
f.write("\n\n") f.write("\n\n")
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags) print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags))
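Review bot: `label.decode("utf8")` at the end of obj_to_filename is a strict decode, so a CKA_LABEL whose `\x` escapes do not form valid UTF-8 now aborts the whole run with UnicodeDecodeError, whereas the Python 2 version passed the raw bytes through into the file name; if fail-fast is the intent (it does give the stable names the changelog asks for), say so, e.g. `# strict decode: a label whose escapes are not valid UTF-8 aborts the run instead of producing an unstable filename`. obj_to_filename's signature is in the preceding hunk. A smaller style point in the first hunk: `printable_serial` can be written as `return ".".join(map(str, obj['CKA_SERIAL_NUMBER']))`, since iterating bytes already yields ints.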