authorJulien Cristau <jcristau@debian.org>2021-10-04 22:05:09 +0200
committerJulien Cristau <jcristau@debian.org>2021-10-04 22:05:09 +0200
commit8033d52259172b4bddc0f8bbcb6f6566b348db72 (patch)
tree5f926c98293cd26336174ee7b322c3180eaac8f6 /mozilla/certdata2pem.py
parent5b83fd984706ea03101dbb011846e60364c3a149 (diff)
mozilla/certdata2pem.py: print a warning for expired certificates.
Diffstat (limited to 'mozilla/certdata2pem.py')
-rw-r--r--mozilla/certdata2pem.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 7d796f1..ede23d4 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -21,12 +21,16 @@
# USA.
import base64
+import datetime
import os.path
import re
import sys
import textwrap
import io
+from cryptography import x509
+
+
objects = []
# Dirty file parser.
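Review bot: The module-level `from cryptography import x509` makes the script that generates the trust store hard-fail on any build host without that third-party package. The diffstat shown here is limited to this file, so it is not visible whether the package's build dependencies were updated in the same commit; that should be confirmed. The one-argument `x509.load_der_x509_certificate(...)` call in the later hunk also presumes a cryptography release where the backend parameter is optional, since older releases required it. A short comment above the import, such as `# cryptography is needed only for the expiry warning below`, would tell a maintainer why a converter script pulls in a crypto library.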
@@ -117,6 +121,13 @@ for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
+
+ cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+ if cert.not_valid_after < datetime.datetime.now():
+ print('!'*74)
+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+ print('!'*74)
+
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
.replace('(', '=')\
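Review bot: The test `if cert.not_valid_after < datetime.datetime.now():` compares a naive UTC timestamp with naive local time, so around the expiry instant the result is wrong by the build host's UTC offset. `not_valid_after` is documented as naive UTC, so the comparison should be `if cert.not_valid_after < datetime.datetime.utcnow():`, or timezone-aware on both sides where the installed cryptography release provides `not_valid_after_utc`. The banner goes to stdout and the expired certificate is still written out, so a trusted-but-expired root is easy to miss in a long build log. `sys` is already imported, so `print(..., file=sys.stderr)` would at least separate the warning from normal output. The enclosing `for obj in objects:` loop starts before this hunk and continues past it.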