authorJulien Cristau <jcristau@debian.org>2021-10-04 22:05:09 +0200
committerJulien Cristau <jcristau@debian.org>2021-10-04 22:05:09 +0200
commit8033d52259172b4bddc0f8bbcb6f6566b348db72 (patch)
tree5f926c98293cd26336174ee7b322c3180eaac8f6
parent5b83fd984706ea03101dbb011846e60364c3a149 (diff)
downloadca-certificates-8033d52259172b4bddc0f8bbcb6f6566b348db72.tar.gz
mozilla/certdata2pem.py: print a warning for expired certificates.
-rw-r--r--debian/changelog1
-rw-r--r--debian/control2
-rw-r--r--mozilla/certdata2pem.py11
3 files changed, 13 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 1512aa7..e5693c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,7 @@ ca-certificates (20211004) UNRELEASED; urgency=low
- "Trustis FPS Root CA"
- "Staat der Nederlanden Root CA - G3"
* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+ * mozilla/certdata2pem.py: print a warning for expired certificates.
-- Debian Janitor <janitor@jelmer.uk> Thu, 11 Jun 2020 14:29:08 -0000
diff --git a/debian/control b/debian/control
index 5c6ba24..4434b7a 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: misc
Priority: optional
Maintainer: Julien Cristau <jcristau@debian.org>
Build-Depends: debhelper-compat (= 13), po-debconf
-Build-Depends-Indep: python3, openssl
+Build-Depends-Indep: python3, openssl, python3-cryptography
Standards-Version: 4.5.0.2
Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 7d796f1..ede23d4 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -21,12 +21,16 @@
# USA.
import base64
+import datetime
import os.path
import re
import sys
import textwrap
import io
+from cryptography import x509
+
+
objects = []
# Dirty file parser.
@@ -117,6 +121,13 @@ for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
+
+ cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+ if cert.not_valid_after < datetime.datetime.now():
+ print('!'*74)
+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+ print('!'*74)
+
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
.replace('(', '=')\
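Review bot: The expiry comparison on the `cert.not_valid_after < datetime.datetime.now()` line mixes time bases: cryptography's `not_valid_after` is a naive datetime expressed in UTC, while `datetime.datetime.now()` is naive local time, so the check is off by the build host's UTC offset and a certificate within a few hours of its expiry can be reported the wrong way. Comparing against `datetime.datetime.utcnow()` keeps both sides in UTC; newer cryptography releases also offer a timezone-aware `not_valid_after_utc` property that can be paired with `datetime.datetime.now(datetime.timezone.utc)`, but that would raise the minimum version so I would not assume it here. The warning is also written to stdout between the script's regular output; since `sys` is already imported, `print(..., file=sys.stderr)` would keep it visible when stdout is captured or redirected during the package build. The `for obj in objects:` loop this runs in begins outside the hunk.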