Accepting request 536559 from Base:System

- convert processing script to Python 3 - ensure a stable conversion of UTF8 hex-encoded certificate names - ensure a stable ordering of trust/distrust bits in headers (forwarded request 536543 from matejcik) OBS-URL: https://build.opensuse.org/request/show/536559 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ca-certificates-mozilla?expand=0&rev=37
2017-10-27 11:47:17 +00:00 · 2017-10-27 11:47:17 +00:00 · 96e24d7a24
commit 96e24d7a24
parent 6a431e5dee 20378a0d47
3 changed files with 39 additions and 26 deletions
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Oct 25 12:40:36 UTC 2017 - jmatejek@suse.com
+
+- convert processing script to Python 3
+- ensure a stable conversion of UTF8 hex-encoded certificate names
+- ensure a stable ordering of trust/distrust bits in headers
+
 -------------------------------------------------------------------
 Tue Jan 24 12:46:29 UTC 2017 - meissner@suse.com

--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@ -21,7 +21,7 @@ BuildRequires:  p11-kit-devel

 BuildRequires:  ca-certificates
 BuildRequires:  openssl
-BuildRequires:  python
+BuildRequires:  python3-base

 Name:           ca-certificates-mozilla
 # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
@ -77,7 +77,8 @@ if [ "%{version}" != "$ver" ]; then
 fi

 %build
-python %{SOURCE10}
+export LANG=en_US.UTF-8
+python3 %{SOURCE10}

 %install
 mkdir -p %{buildroot}/%{trustdir_static}/anchors
--- a/certdata2pem.py
+++ b/certdata2pem.py
@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # vim:set et sw=4:
 #
 # certdata2pem.py - splits certdata.txt into multiple files
@ -26,16 +26,16 @@ import os.path
 import re
 import sys
 import textwrap
-import urllib
+import urllib.parse

 objects = []

 def printable_serial(obj):
-  return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
+  return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])

 # Dirty file parser.
 in_data, in_multiline, in_obj = False, False, False
-field, type, value, obj = None, None, None, dict()
+field, vtype, value, obj = None, None, None, dict()
 for line in open('certdata.txt', 'r'):
    # Ignore the file header.
    if not in_data:
@ -55,10 +55,10 @@ for line in open('certdata.txt', 'r'):
        continue
    if in_multiline:
        if not line.startswith('END'):
-            if type == 'MULTILINE_OCTAL':
+            if vtype == 'MULTILINE_OCTAL':
                line = line.strip()
-                for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
-                    value += chr(int(i.group(1), 8))
+                numbers = [int(i.group(1), 8) for i in re.finditer(r'\\([0-3][0-7][0-7])', line)]
+                value += bytes(numbers)
            else:
                value += line
            continue
@ -69,19 +69,19 @@ for line in open('certdata.txt', 'r'):
        in_obj = True
    line_parts = line.strip().split(' ', 2)
    if len(line_parts) > 2:
-        field, type = line_parts[0:2]
+        field, vtype = line_parts[0:2]
        value = ' '.join(line_parts[2:])
    elif len(line_parts) == 2:
-        field, type = line_parts
+        field, vtype = line_parts
        value = None
    else:
-        raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
-    if type == 'MULTILINE_OCTAL':
+        raise NotImplementedError('line_parts < 2 not supported.\n' + line)
+    if vtype == 'MULTILINE_OCTAL':
        in_multiline = True
-        value = ""
+        value = b""
        continue
    obj[field] = value
-if len(obj.items()) > 0:
+if obj:
    objects.append(obj)

 # Build up trust database.
@ -91,7 +91,7 @@ for obj in objects:
        continue
    key = obj['CKA_LABEL'] + printable_serial(obj)
    trustmap[key] = obj
-    print " added trust", key
+    print(" added trust", key)

 # Build up cert database.
 certmap = dict()
@ -100,7 +100,7 @@ for obj in objects:
        continue
    key = obj['CKA_LABEL'] + printable_serial(obj)
    certmap[key] = obj
-    print " added cert", key
+    print(" added cert", key)

 def obj_to_filename(obj):
    label = obj['CKA_LABEL'][1:-1]
@ -109,7 +109,12 @@ def obj_to_filename(obj):
        .replace('(', '=')\
        .replace(')', '=')\
        .replace(',', '_')
-    label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
+    # encode possible Unicode string to UTF8 bytes first
+    label = label.encode("utf8")
+    # decode hex escape sequences
+    label = re.sub(rb'\\x[0-9a-fA-F]{2}', lambda m:bytes([int(m.group(0)[2:], 16)]), label)
+    # read back UTF8 bytes
+    label = label.decode("utf8")
    serial = printable_serial(obj)
    return label + ":" + serial

@ -142,17 +147,17 @@ openssl_trust = {
 for tobj in objects:
    if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
        key = tobj['CKA_LABEL'] + printable_serial(tobj)
-        print "producing trust for " + key
+        print("producing trust for " + key)
        trustbits = []
        distrustbits = []
        openssl_trustflags = []
        openssl_distrustflags = []
-        for t in trust_types.keys():
-            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+        for t in sorted(trust_types.keys()):
+            if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
                trustbits.append(t)
                if t in openssl_trust:
                    openssl_trustflags.append(openssl_trust[t])
-            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+            if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
                distrustbits.append(t)
                if t in openssl_trust:
                    openssl_distrustflags.append(openssl_trust[t])
@ -178,7 +183,7 @@ for tobj in objects:
            if openssl_distrustflags:
                f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
            f.write("-----BEGIN CERTIFICATE-----\n")
-            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']).decode("ascii"), 64)))
            f.write("\n-----END CERTIFICATE-----\n")
        else:
            f.write("[p11-kit-object-v1]\n")
@ -188,12 +193,12 @@ for tobj in objects:
            f.write("class: certificate\n")
            f.write("certificate-type: x-509\n")
            f.write("issuer: \"");
-            f.write(urllib.quote(tobj['CKA_ISSUER']));
+            f.write(urllib.parse.quote(tobj['CKA_ISSUER']));
            f.write("\"\n")
            f.write("serial-number: \"");
-            f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
+            f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER']));
            f.write("\"\n")
            if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
              f.write("x-distrusted: true\n")
            f.write("\n\n")
-        print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
+        print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags))