From 8033d52259172b4bddc0f8bbcb6f6566b348db72 Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Mon, 4 Oct 2021 22:05:09 +0200
Subject: mozilla/certdata2pem.py: print a warning for expired certificates.

---
 debian/changelog | 1 +
 debian/control | 2 +-
 mozilla/certdata2pem.py | 11 +++++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 1512aa7..e5693c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,7 @@ ca-certificates (20211004) UNRELEASED; urgency=low
     - "Trustis FPS Root CA"
     - "Staat der Nederlanden Root CA - G3"
   * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+  * mozilla/certdata2pem.py: print a warning for expired certificates.
 
  -- Debian Janitor Thu, 11 Jun 2020 14:29:08 -0000
 
diff --git a/debian/control b/debian/control
index 5c6ba24..4434b7a 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: misc
 Priority: optional
 Maintainer: Julien Cristau
 Build-Depends: debhelper-compat (= 13), po-debconf
-Build-Depends-Indep: python3, openssl
+Build-Depends-Indep: python3, openssl, python3-cryptography
 Standards-Version: 4.5.0.2
 Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
 Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 7d796f1..ede23d4 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -21,12 +21,16 @@
 # USA.
 
 import base64
+import datetime
 import os.path
 import re
 import sys
 import textwrap
 import io
 
+from cryptography import x509
+
+
 objects = []
 
 # Dirty file parser.
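Review bot: The new unconditional `from cryptography import x509` turns a script that previously needed only the standard library into one that fails at import time wherever python3-cryptography is missing; inside the Debian build this is covered by the Build-Depends-Indep change in debian/control, but if the script is also run outside that build the whole conversion now stops rather than just the expiry warning. If that matters, guarding the import, `try: from cryptography import x509` / `except ImportError: x509 = None`, and skipping the expiry check when `x509 is None` keeps the conversion working with only a reduced warning. The two added blank lines after the import leave three blank lines before `objects = []`; PEP 8 uses at most two.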
@@ -117,6 +121,13 @@ for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue
+
+        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+        if cert.not_valid_after < datetime.datetime.now():
+            print('!'*74)
+            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+            print('!'*74)
+
         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
             .replace(' ', '_')\
             .replace('(', '=')\
-- 
cgit v1.2.1
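Review bot: The expiry comparison on the added `if cert.not_valid_after < datetime.datetime.now():` line mixes time bases: cryptography's `not_valid_after` is a naive datetime in UTC, while `datetime.datetime.now()` is naive local time, so a certificate is judged expired up to the local UTC offset too early or too late. Compare in UTC instead, `if cert.not_valid_after < datetime.datetime.utcnow():`. The warning is also printed to stdout along with the script's normal output; writing it with `print(..., file=sys.stderr)` keeps it visible when stdout is redirected, and `sys` is already imported. The enclosing `for obj in objects:` loop starts outside the hunk.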