crypto-policies/crypto-policies-nss.patch

Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
         try:
             with os.fdopen(fd, 'w') as f:
                 f.write(config)
-            try:
-                ret = call(f'/usr/bin/nss-policy-check {options} {path}'
-                           '>/dev/null',
-                           shell=True)
-            except CalledProcessError:
-                cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            if os.path.exists('/usr/bin/nss-policy-check'):
+                # Perform a policy check only if the mozilla-nss-tools
+                # package is installed. This avoids adding more
+                # dependencies to Ring0.
+                try:
+                    ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+                               '>/dev/null', shell=True)
+                except CalledProcessError:
+                    cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            else:
+                # The mozilla-nss-tools package is not installed and we can
+                # temporarily skip the policy check for mozilla-nss.
+                ret = 3
+
         finally:
             os.unlink(path)
 
@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
             cls.eprint("There is a warning in NSS generated policy")
             cls.eprint(f'Policy:\n{config}')
             return False
+        elif ret == 3:
+            cls.eprint('Skipping NSS policy check: '
+                       '/usr/bin/nss-policy-check not found')
+            return True
         elif ret:
             cls.eprint("There is an error in NSS generated policy")
             cls.eprint(f'Policy:\n{config}')
Accepting request 1114283 from home:pmonrealgonzalez:branches:security:tls Update to latest version and update jira tracking number from jsc#PED-4578 to jsc#PED-5041 OBS-URL: https://build.opensuse.org/request/show/1114283 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=23 2023-09-29 10:48:54 +02:00			`Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py`
			`===================================================================`
			`--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py`
			`+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py`
			`@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):`
			`try:`
			`with os.fdopen(fd, 'w') as f:`
			`f.write(config)`
			`- try:`
			`- ret = call(f'/usr/bin/nss-policy-check {options} {path}'`
			`- '>/dev/null',`
			`- shell=True)`
			`- except CalledProcessError:`
			`- cls.eprint("/usr/bin/nss-policy-check: Execution failed")`
			`+ if os.path.exists('/usr/bin/nss-policy-check'):`
			`+ # Perform a policy check only if the mozilla-nss-tools`
			`+ # package is installed. This avoids adding more`
			`+ # dependencies to Ring0.`
			`+ try:`
			`+ ret = call(f'/usr/bin/nss-policy-check {options} {path}'`
			`+ '>/dev/null', shell=True)`
			`+ except CalledProcessError:`
			`+ cls.eprint("/usr/bin/nss-policy-check: Execution failed")`
			`+ else:`
			`+ # The mozilla-nss-tools package is not installed and we can`
			`+ # temporarily skip the policy check for mozilla-nss.`
			`+ ret = 3`
			`+`
			`finally:`
			`os.unlink(path)`

			`@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):`
			`cls.eprint("There is a warning in NSS generated policy")`
			`cls.eprint(f'Policy:\n{config}')`
			`return False`
			`+ elif ret == 3:`
			`+ cls.eprint('Skipping NSS policy check: '`
			`+ '/usr/bin/nss-policy-check not found')`
			`+ return True`
			`elif ret:`
			`cls.eprint("There is an error in NSS generated policy")`
			`cls.eprint(f'Policy:\n{config}')`