- Change the mechanism to use system-wide CA certificates:

+ on openSUSE, use the (new) upstream ca_certs_locater mechanism and don't ship a private copy of Mozilla's CA certs file + on SLES, regenerate cacerts.txt from /etc/ssl/certs when httplib2 is installed and/or openssl-certs is installed/updated OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-httplib2?expand=0&rev=38
2013-07-03 08:20:25 +00:00 · 2013-07-03 08:20:25 +00:00 · f1d9144b77
commit f1d9144b77
parent 5808412e1a
6 changed files with 100 additions and 54 deletions
--- a/ca_certs_locater.py
+++ b/ca_certs_locater.py
@ -0,0 +1,22 @@
+#
+# httplib2 system SSL certificate bundle locator for openSUSE / SLES.
+# openSUSE has /etc/ssl/ca-bundle.pem (from package ca-certificates) but on
+# SLES, it's only individual files (from openssl-certs)
+#
+# Author: Sascha Peilicke <speilicke@suse.com>
+#
+
+
+def get():
+    for line in open("/etc/SuSE-release"):
+        if "SUSE Linux Enterprise Server" in line:
+            # Python-2.x doesn't support loading from a directory containing
+            # PEM files, thus we have to use a bundle created by hand (and
+            # refreshed with updates of either httpli2 or openssl-certs).
+            return "ca-bundle.pem"
+        else:
+            return "/etc/ssl/ca-bundle.pem"
+
+
+if __name__ == "__main__":
+    print get()
--- a/certbundle.run
+++ b/certbundle.run
@ -0,0 +1,43 @@
+#!/bin/bash
+# vim: syntax=sh
+
+shopt -s nullglob
+
+cafile=${1:-/etc/ssl/ca-bundle.pem}
+cadir="/etc/ssl/certs"
+
+for i in "$@"; do
+	if [ "$i" = "-f" ]; then
+		fresh=1
+	elif [ "$i" = "-v" ]; then
+		verbose=1
+	fi
+done
+
+if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then
+	exit 0
+fi
+echo "creating $cafile ..."
+cat > "$cafile.new" <<EOF
+#
+# automatically created by $0. Do not edit!
+#
+# Use of this file is deprecated and should only be used as last
+# resort by applications that cannot parse the $cadir directory.
+# You should avoid hardcoding any paths in applications anyways though.
+# Use e.g.
+# SSL_CTX_set_default_verify_paths() instead.
+#
+EOF
+for i in "$cadir"/*.pem; do
+	# only include certificates trusted for server auth
+	if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
+		trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
+		case "$trust" in
+			*serverAuth*) ;;
+			*) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
+		esac
+	fi
+	openssl x509 -in "$i"
+done >> "$cafile.new"
+mv "$cafile.new" "$cafile"
--- a/httplib2-use-system-certs.patch
+++ b/httplib2-use-system-certs.patch
@ -1,46 +0,0 @@
-diff -ruN a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py
--- a/python2/httplib2/__init__.py	2013-03-06 21:45:31.000000000 +0100
-+++ b/python2/httplib2/__init__.py	2013-03-22 14:02:09.458410128 +0100
-@@ -184,15 +184,8 @@
- # requesting that URI again.
- DEFAULT_MAX_REDIRECTS = 5
- 
-try:
-    # Users can optionally provide a module that tells us where the CA_CERTS
-    # are located.
-    import ca_certs_locater
-    CA_CERTS = ca_certs_locater.get()
-except ImportError:
-    # Default CA certificates file bundled with httplib2.
-    CA_CERTS = os.path.join(
-        os.path.dirname(os.path.abspath(__file__ )), "cacerts.txt")
-+# Default CA certificates file bundled with httplib2.
-+CA_CERTS = '/etc/ssl/ca-bundle.pem'
- 
- # Which headers are hop-by-hop headers by default
- HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization', 'te', 'trailers', 'transfer-encoding', 'upgrade']
-diff -ruN a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py
--- a/python3/httplib2/__init__.py	2013-03-06 21:45:31.000000000 +0100
-+++ b/python3/httplib2/__init__.py	2013-03-22 14:01:51.270409717 +0100
-@@ -124,8 +124,8 @@
- HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization', 'te', 'trailers', 'transfer-encoding', 'upgrade']
- 
- # Default CA certificates file bundled with httplib2.
-CA_CERTS = os.path.join(
-        os.path.dirname(os.path.abspath(__file__ )), "cacerts.txt")
-+CA_CERTS = '/etc/ssl/ca-bundle.pem'
-+        
- 
- def _get_end2end_headers(response):
-     hopbyhop = list(HOP_BY_HOP)
-diff -ruN a/setup.py b/setup.py
--- a/setup.py	2013-03-06 21:45:31.000000000 +0100
-+++ b/setup.py	2013-03-22 14:02:33.031410660 +0100
-@@ -62,7 +62,6 @@
-         """,
-         package_dir=pkgdir,
-         packages=['httplib2'],
-        package_data={'httplib2': ['*.txt']},
-         classifiers=[
-         'Development Status :: 4 - Beta',
-         'Environment :: Web Environment',
--- a/pre_checkin.sh
+++ b/pre_checkin.sh
@ -1,4 +0,0 @@
-#!/bin/sh
-
-sed 's,^\(Name: *\)python-,\1python3-,;s,^\(Requires: *\)python-,\1python3-,;s,^\(BuildRequires: *\)python-,\1python3-,;s,python setup.py,python3 setup.py,;s,python_sitelib,python3_sitelib,;s,python_sitearch,python3_sitearch,' python-httplib2.spec > python3-httplib2.spec
-cp python-httplib2.changes python3-httplib2.changes
--- a/python-httplib2.changes
+++ b/python-httplib2.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Jun 20 11:48:15 UTC 2013 - speilicke@suse.com
+
+- Change the mechanism to use system-wide CA certificates:
+  + on openSUSE, use the (new) upstream ca_certs_locater mechanism
+    and don't ship a private copy of Mozilla's CA certs file
+  + on SLES, regenerate cacerts.txt from /etc/ssl/certs when
+    httplib2 is installed and/or openssl-certs is installed/updated
+
 -------------------------------------------------------------------
 Thu May  2 10:23:29 UTC 2013 - speilicke@suse.com

--- a/python-httplib2.spec
+++ b/python-httplib2.spec
@ -25,9 +25,10 @@ License:        MIT and Apache-2.0 and (MPL-1.1 or GPL-2.0+ or LGPL-2.1+)
 Group:          Development/Libraries/Python
 Source:         http://pypi.python.org/packages/source/h/httplib2/httplib2-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE: Don't ship private copy of Mozilla NSS certs, use system certs instead (bnc#761162)
-Patch0:         httplib2-use-system-certs.patch
+Source1:        ca_certs_locater.py
+Source2:        certbundle.run
 # PATCH-FIX-UPSTREAM: speilicke@suse.com -- SSL certificate hostname mismatch is checked only once
-Patch1:         httplib2-bnc-818100.patch
+Patch0:         httplib2-bnc-818100.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  python-devel
 # Test requirements (for ssl module):
@ -50,20 +51,41 @@ left out of other HTTP libraries.
 %prep
 %setup -q -n httplib2-%{version}
 %patch0 -p1
-%patch1 -p1

 %build
 python setup.py build

 %install
 python setup.py install --prefix=%{_prefix} --root=%{buildroot}
+# NOTE(saschpe): On SLES, there's no /etc/ssl/ca-bundle.pem, thus
+# we have to generate a private copy (and refresh it occasionally)
+%if 0%{?sles_version}
+install -m 0755 %{SOURCE2} %{buildroot}%{python_sitelib}/httplib2/
+%else
+install -m 0644 %{SOURCE1} %{buildroot}%{python_sitelib}/httplib2/
+rm %{buildroot}%{python_sitelib}/httplib2/cacerts.txt
+%endif

 #%%check
 #python python2/httplib2test.py

+%if 0%{?sles_version}
+%post
+%{python_sitelib}/httplib2/certbundle.run %{python_sitelib}/httplib2/cacerts.txt
+
+%triggerin -- openssl-certs
+%{python_sitelib}/httplib2/certbundle.run %{python_sitelib}/httplib2/cacerts.txt
+%endif
+
 %files
 %defattr(-,root,root)
 %doc README
-%{python_sitelib}/*
+%{python_sitelib}/httplib2-%{version}-py%{py_ver}.egg-info
+%dir %{python_sitelib}/httplib2
+%{python_sitelib}/httplib2/*.py*
+%if 0%{?sles_version}
+%{python_sitelib}/httplib2/certbundle.run
+%ghost %{python_sitelib}/httplib2/cacerts.txt
+%endif

 %changelog