[Buildroot] [PATCH 1/1] package/ca-certificates: add support for cryptography > 3.0

[Buildroot] [PATCH 1/1] package/ca-certificates: add support for cryptography > 3.0

[jwood+buildroot]

From: Justin Wood <jwood@starry.com>

This patch was originally submitted upstream at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
by Wataru Ashihara <wsh@iij.ad.jp>.  Minor changes by me to account for the Buildroot change in 0001-*.patch.

Building ca-certificates with a newer cryptography is breaking without this patch, and building buildroots
`python-cryptography` package first doesn't change the broken behavior.

Signed-off-by: Justin Wood <jwood@starry.com>
---
 ...2pem.py-Fix-compat-with-cryptography.patch | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch

diff --git a/package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch b/package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch
new file mode 100644
index 0000000000..0537da9224
--- /dev/null
+++ b/package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch
@@ -0,0 +1,29 @@
+From 5e493ca307a031e81528ceddb96f3da40bc062cf Mon Sep 17 00:00:00 2001
+From: Wataru Ashihara <wsh@iij.ad.jp>
+Date: Wed, 2 Nov 2022 12:40:05 -0400
+Subject: [PATCH] mozilla/certdata2pem.py: Fix compat with cryptography > 3.0
+
+In newer cryptography packages, load_der_x509_certificate is enforced to be 'bytes' rather than currently used 'bytearray'.  This fixes that.
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
+Signed-off-by: Justin Wood <jwood@starry.com>
+---
+ mozilla/certdata2pem.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index a6261f8..c0fa52c 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -122,7 +122,7 @@ for obj in objects:
+         try:
+             from cryptography import x509
+ 
+-            cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
++            cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+             if cert.not_valid_after < datetime.datetime.now():
+                 print('!'*74)
+                 print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+-- 
+2.38.1
+
-- 
2.38.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/ca-certificates: add support for cryptography > 3.0

[Yann E. MORIN]

Justin, All,

On 2022-11-02 12:56 -0400, jwood+buildroot@starry.com spake thusly:
> From: Justin Wood <jwood@starry.com>
> 
> This patch was originally submitted upstream at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
> by Wataru Ashihara <wsh@iij.ad.jp>.  Minor changes by me to account for the Buildroot change in 0001-*.patch.
> 
> Building ca-certificates with a newer cryptography is breaking without this patch, and building buildroots
> `python-cryptography` package first doesn't change the broken behavior.

I've reworded the commit log in a more logical manner (explain what
breaks and why, then how we fix it).

I also notice that the bug report states that cryptography 3.0 is also
affected, so I tweaked the commit title accordingly.

> Signed-off-by: Justin Wood <jwood@starry.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...2pem.py-Fix-compat-with-cryptography.patch | 29 +++++++++++++++++++
>  1 file changed, 29 insertions(+)
>  create mode 100644 package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch
> 
> diff --git a/package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch b/package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch
> new file mode 100644
> index 0000000000..0537da9224
> --- /dev/null
> +++ b/package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch
> @@ -0,0 +1,29 @@
> +From 5e493ca307a031e81528ceddb96f3da40bc062cf Mon Sep 17 00:00:00 2001
> +From: Wataru Ashihara <wsh@iij.ad.jp>
> +Date: Wed, 2 Nov 2022 12:40:05 -0400
> +Subject: [PATCH] mozilla/certdata2pem.py: Fix compat with cryptography > 3.0
> +
> +In newer cryptography packages, load_der_x509_certificate is enforced to be 'bytes' rather than currently used 'bytearray'.  This fixes that.
> +
> +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
> +Signed-off-by: Justin Wood <jwood@starry.com>
> +---
> + mozilla/certdata2pem.py | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
> +index a6261f8..c0fa52c 100644
> +--- a/mozilla/certdata2pem.py
> ++++ b/mozilla/certdata2pem.py
> +@@ -122,7 +122,7 @@ for obj in objects:
> +         try:
> +             from cryptography import x509
> + 
> +-            cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
> ++            cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
> +             if cert.not_valid_after < datetime.datetime.now():
> +                 print('!'*74)
> +                 print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
> +-- 
> +2.38.1
> +
> -- 
> 2.38.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/ca-certificates: add support for cryptography > 3.0

[Peter Korsgaard]

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Justin, All,
 > On 2022-11-02 12:56 -0400, jwood+buildroot@starry.com spake thusly:
 >> From: Justin Wood <jwood@starry.com>
 >> 
 >> This patch was originally submitted upstream at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
 >> by Wataru Ashihara <wsh@iij.ad.jp>.  Minor changes by me to account for the Buildroot change in 0001-*.patch.
 >> 
 >> Building ca-certificates with a newer cryptography is breaking without this patch, and building buildroots
 >> `python-cryptography` package first doesn't change the broken behavior.

 > I've reworded the commit log in a more logical manner (explain what
 > breaks and why, then how we fix it).

 > I also notice that the bug report states that cryptography 3.0 is also
 > affected, so I tweaked the commit title accordingly.

 >> Signed-off-by: Justin Wood <jwood@starry.com>

 > Applied to master, thanks.

This is patching code we've added ourselves in patch 0001, so perhaps it
makes sense to invert the order of the patches, merge them or simply
drop the certdata2pem.py call completely? We don't build
host-python-cryptography automatically, so it can only happen if the
recently added optee-os option is selected (or a custom package), and
they happen to build before ca-certificates.

Committed to 2022.08.x, thanks (we don't have host-python-cryptography
in 2022.02.x).

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/ca-certificates: add support for cryptography > 3.0

[Peter Korsgaard]

>>>>> "Justin" == Justin Wood <jwood@starry.com> writes:

 > On Mon, Nov 14, 2022 at 3:20 PM Peter Korsgaard <peter@korsgaard.com> wrote:
 >> 
 >> This is patching code we've added ourselves in patch 0001, so perhaps it
 >> makes sense to invert the order of the patches, merge them or simply
 >> drop the certdata2pem.py call completely? We don't build
 >> host-python-cryptography automatically, so it can only happen if the
 >> recently added optee-os option is selected (or a custom package), and
 >> they happen to build before ca-certificates.
 >> 
 >> Committed to 2022.08.x, thanks (we don't have host-python-cryptography
 >> in 2022.02.x).

 > Of note, in my setup I'm using a system-provided python for host-python,
 > which has `cryptography` installed and available due to a linting tool we
 > install.  That is what caused it to fail for me in 2022.02.x.

Ahh, so you are having some local modifications causing this issue?

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/ca-certificates: add support for cryptography > 3.0

[Justin Wood via buildroot]

[-- Attachment #1.1: Type: text/plain, Size: 1751 bytes --]

Just to follow up for this list, this was merged upstream:

https://salsa.debian.org/debian/ca-certificates/-/commit/c7a3136aa0290f09080ff90d2c21d43b70710310

~Justin Wood

On Mon, Nov 14, 2022 at 3:20 PM Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>
>  > Justin, All,
>  > On 2022-11-02 12:56 -0400, jwood+buildroot@starry.com spake thusly:
>  >> From: Justin Wood <jwood@starry.com>
>  >>
>  >> This patch was originally submitted upstream at
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
>  >> by Wataru Ashihara <wsh@iij.ad.jp>.  Minor changes by me to account
> for the Buildroot change in 0001-*.patch.
>  >>
>  >> Building ca-certificates with a newer cryptography is breaking without
> this patch, and building buildroots
>  >> `python-cryptography` package first doesn't change the broken behavior.
>
>  > I've reworded the commit log in a more logical manner (explain what
>  > breaks and why, then how we fix it).
>
>  > I also notice that the bug report states that cryptography 3.0 is also
>  > affected, so I tweaked the commit title accordingly.
>
>  >> Signed-off-by: Justin Wood <jwood@starry.com>
>
>  > Applied to master, thanks.
>
> This is patching code we've added ourselves in patch 0001, so perhaps it
> makes sense to invert the order of the patches, merge them or simply
> drop the certdata2pem.py call completely? We don't build
> host-python-cryptography automatically, so it can only happen if the
> recently added optee-os option is selected (or a custom package), and
> they happen to build before ca-certificates.
>
> Committed to 2022.08.x, thanks (we don't have host-python-cryptography
> in 2022.02.x).
>
> --
> Bye, Peter Korsgaard
>

[-- Attachment #1.2: Type: text/html, Size: 2838 bytes --]

[-- Attachment #2: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot