Hello community,
here is the log from the commit of package ca-certificates-mozilla for
openSUSE:Factory checked in at 2017-10-27 13:47:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ca-certificates-mozilla (Old)
and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ca-certificates-mozilla"
Fri Oct 27 13:47:17 2017 rev:37 rq:536559 version:2.11
Changes:
--------
---
/work/SRC/openSUSE:Factory/ca-certificates-mozilla/ca-certificates-mozilla.changes
2017-02-03 17:33:50.933415327 +0100
+++
/work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/ca-certificates-mozilla.changes
2017-10-27 13:47:18.583593707 +0200
@@ -1,0 +2,7 @@
+Wed Oct 25 12:40:36 UTC 2017 - [email protected]
+
+- convert processing script to Python 3
+- ensure a stable conversion of UTF8 hex-encoded certificate names
+- ensure a stable ordering of trust/distrust bits in headers
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ca-certificates-mozilla.spec ++++++
--- /var/tmp/diff_new_pack.fZW1Hk/_old 2017-10-27 13:47:19.659543421 +0200
+++ /var/tmp/diff_new_pack.fZW1Hk/_new 2017-10-27 13:47:19.663543234 +0200
@@ -21,7 +21,7 @@
BuildRequires: ca-certificates
BuildRequires: openssl
-BuildRequires: python
+BuildRequires: python3-base
Name: ca-certificates-mozilla
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
@@ -77,7 +77,8 @@
fi
%build
-python %{SOURCE10}
+export LANG=en_US.UTF-8
+python3 %{SOURCE10}
%install
mkdir -p %{buildroot}/%{trustdir_static}/anchors
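Review bot: The `export LANG=en_US.UTF-8` added to %build makes the conversion depend on that locale being installed in the build root, and nothing in the visible BuildRequires guarantees it. If the locale is missing, Python 3 will most likely fall back to an ASCII default encoding, and the text-mode `open('certdata.txt', 'r')` shown in the certdata2pem.py hunk at -26,16 would then fail or decode differently on any non-ASCII byte. Pinning the encoding in the script removes the environment dependency: `for line in open('certdata.txt', 'r', encoding='utf-8'):`. The same applies to any text-mode `open()` the script uses for its output files, which are outside the visible hunks.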
++++++ certdata2pem.py ++++++
--- /var/tmp/diff_new_pack.fZW1Hk/_old 2017-10-27 13:47:19.779537813 +0200
+++ /var/tmp/diff_new_pack.fZW1Hk/_new 2017-10-27 13:47:19.779537813 +0200
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
# vim:set et sw=4:
#
# certdata2pem.py - splits certdata.txt into multiple files
@@ -26,16 +26,16 @@
import re
import sys
import textwrap
-import urllib
+import urllib.parse
objects = []
def printable_serial(obj):
- return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
+ return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
# Dirty file parser.
in_data, in_multiline, in_obj = False, False, False
-field, type, value, obj = None, None, None, dict()
+field, vtype, value, obj = None, None, None, dict()
for line in open('certdata.txt', 'r'):
# Ignore the file header.
if not in_data:
@@ -55,10 +55,10 @@
continue
if in_multiline:
if not line.startswith('END'):
- if type == 'MULTILINE_OCTAL':
+ if vtype == 'MULTILINE_OCTAL':
line = line.strip()
- for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
- value += chr(int(i.group(1), 8))
+ numbers = [int(i.group(1), 8) for i in
re.finditer(r'\\([0-3][0-7][0-7])', line)]
+ value += bytes(numbers)
else:
value += line
continue
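Review bot: The MULTILINE_OCTAL branch builds the certificate bytes only from the parts of the line that match `\\([0-3][0-7][0-7])` and silently drops everything else, so a truncated or damaged escape yields a different byte string with no error. For input that ends up as trust anchors it is safer to fail the build when a data line holds anything other than octal escapes, e.g. `if re.sub(r'\\[0-3][0-7][0-7]', '', line): raise ValueError('unexpected data in MULTILINE_OCTAL block: ' + line)` right after `line = line.strip()`. Separately, the `else: value += line` branch would now add a str to the `b""` set up in the -69,19 hunk; from the visible code it looks unreachable, and a comment saying so (or removing it) would help. The enclosing loop starts and ends outside this hunk.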
@@ -69,19 +69,19 @@
in_obj = True
line_parts = line.strip().split(' ', 2)
if len(line_parts) > 2:
- field, type = line_parts[0:2]
+ field, vtype = line_parts[0:2]
value = ' '.join(line_parts[2:])
elif len(line_parts) == 2:
- field, type = line_parts
+ field, vtype = line_parts
value = None
else:
- raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
- if type == 'MULTILINE_OCTAL':
+ raise NotImplementedError('line_parts < 2 not supported.\n' + line)
+ if vtype == 'MULTILINE_OCTAL':
in_multiline = True
- value = ""
+ value = b""
continue
obj[field] = value
-if len(obj.items()) > 0:
+if obj:
objects.append(obj)
# Build up trust database.
@@ -91,7 +91,7 @@
continue
key = obj['CKA_LABEL'] + printable_serial(obj)
trustmap[key] = obj
- print " added trust", key
+ print(" added trust", key)
# Build up cert database.
certmap = dict()
@@ -100,7 +100,7 @@
continue
key = obj['CKA_LABEL'] + printable_serial(obj)
certmap[key] = obj
- print " added cert", key
+ print(" added cert", key)
def obj_to_filename(obj):
label = obj['CKA_LABEL'][1:-1]
@@ -109,7 +109,12 @@
.replace('(', '=')\
.replace(')', '=')\
.replace(',', '_')
- label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:],
16)), label)
+ # encode possible Unicode string to UTF8 bytes first
+ label = label.encode("utf8")
+ # decode hex escape sequences
+ label = re.sub(rb'\\x[0-9a-fA-F]{2}', lambda m:bytes([int(m.group(0)[2:],
16)]), label)
+ # read back UTF8 bytes
+ label = label.decode("utf8")
serial = printable_serial(obj)
return label + ":" + serial
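Review bot: In obj_to_filename the `\xNN` escapes are decoded after the `.replace(...)` chain has run, so any character that chain is meant to neutralise can be reintroduced by an escaped form of it in the label. The start of the chain and the place where the result is used are outside this hunk, but the function name suggests the value becomes a file name. In that case decode first and sanitise afterwards, i.e. move the encode / `re.sub` / decode lines ahead of the replace chain. Alternatively reject unsafe results after decoding, e.g. `if '/' in label or '\0' in label: raise ValueError(label)`. A short comment that `label.decode("utf8")` is expected to raise on labels whose escapes are not valid UTF-8 would also document the fail-closed behaviour.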
@@ -142,17 +147,17 @@
for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj)
- print "producing trust for " + key
+ print("producing trust for " + key)
trustbits = []
distrustbits = []
openssl_trustflags = []
openssl_distrustflags = []
- for t in trust_types.keys():
- if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+ for t in sorted(trust_types.keys()):
+ if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
trustbits.append(t)
if t in openssl_trust:
openssl_trustflags.append(openssl_trust[t])
- if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+ if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
distrustbits.append(t)
if t in openssl_trust:
openssl_distrustflags.append(openssl_trust[t])
@@ -178,7 +183,7 @@
if openssl_distrustflags:
f.write("# openssl-distrust=" + "
".join(openssl_distrustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n")
-
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']).decode("ascii"),
64)))
f.write("\n-----END CERTIFICATE-----\n")
else:
f.write("[p11-kit-object-v1]\n")
@@ -188,12 +193,12 @@
f.write("class: certificate\n")
f.write("certificate-type: x-509\n")
f.write("issuer: \"");
- f.write(urllib.quote(tobj['CKA_ISSUER']));
+ f.write(urllib.parse.quote(tobj['CKA_ISSUER']));
f.write("\"\n")
f.write("serial-number: \"");
- f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
+ f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER']));
f.write("\"\n")
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or
(tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or
(tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n")
f.write("\n\n")
- print " -> written as '%s', trust = %s, openssl-trust = %s, distrust =
%s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags,
distrustbits, openssl_distrustflags)
+ print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust =
%s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags,
distrustbits, openssl_distrustflags))
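Review bot: The `x-distrusted` condition indexes `tobj['CKA_TRUST_SERVER_AUTH']`, `tobj['CKA_TRUST_EMAIL_PROTECTION']` and `tobj['CKA_TRUST_CODE_SIGNING']` directly, while the loop converted in the -142,17 hunk guards every lookup with `t in tobj`. If a trust object can lack one of these attributes, this line raises KeyError where the loop does not; if all three are guaranteed, a one-line comment stating that would make the difference intentional. A form consistent with the loop is `tobj.get('CKA_TRUST_SERVER_AUTH') == 'CKT_NSS_NOT_TRUSTED'` for each of the three terms. The new `f.write(urllib.parse.quote(...));` lines also keep the trailing semicolons from the old code, which can be dropped. The enclosing block starts outside this hunk.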