--- /dev/null
+From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 18 Oct 2021 12:05:49 +0200
+Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
+ certificates."
+
+This avoids a dependency on python3-cryptography, and only checks
+for expired certs (which is upstream concern, but not ours).
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ debian/changelog | 1 -
+ debian/control | 2 +-
+ mozilla/certdata2pem.py | 11 -----------
+ 3 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/debian/changelog b/debian/changelog
+index 531e4d0..4006509 100644
+--- a/debian/changelog
++++ b/debian/changelog
+@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+ - "Trustis FPS Root CA"
+ - "Staat der Nederlanden Root CA - G3"
+ * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+- * mozilla/certdata2pem.py: print a warning for expired certificates.
+
+ -- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
+
+diff --git a/debian/control b/debian/control
+index 4434b7a..5c6ba24 100644
+--- a/debian/control
++++ b/debian/control
+@@ -3,7 +3,7 @@ Section: misc
+ Priority: optional
+ Maintainer: Julien Cristau <jcristau@debian.org>
+ Build-Depends: debhelper-compat (= 13), po-debconf
+-Build-Depends-Indep: python3, openssl, python3-cryptography
++Build-Depends-Indep: python3, openssl
+ Standards-Version: 4.5.0.2
+ Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+ Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index ede23d4..7d796f1 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+ # USA.
+
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+
+-from cryptography import x509
+-
+-
+ objects = []
+
+ # Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+-
+- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+- if cert.not_valid_after < datetime.datetime.now():
+- print('!'*74)
+- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+- print('!'*74)
+-
+ bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\
+--
+2.20.1
+
+++ /dev/null
-sbin/Makefile: Allow the sbin path to be configurable
-
-Some project sharing ca-certificates from Debian allow configuration
-of the installation location. Make the sbin location configurable.
-
-Also ensure the target directory exists
-
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5]
-
---- ca-certificates-20130119.orig/sbin/Makefile
-+++ ca-certificates-20130119/sbin/Makefile
-@@ -3,9 +3,12 @@
- #
- #
-
-+SBINDIR = /usr/sbin
-+
- all:
-
- clean:
-
- install:
-- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+ install -d $(DESTDIR)$(SBINDIR)
-+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/
+++ /dev/null
-update-ca-certificates: Replace deprecated mktemp -t with mktemp --tmpdir
-
-According to coreutils docs, mktemp -t is deprecated, switch to the
---tmpdir option instead.
-
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5]
-
-[This was originally for compatibility with toybox but toybox now
-supports -t]
----
- sbin/update-ca-certificates | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 79c41bb..ae9e3f1 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -113,9 +113,9 @@ trap cleanup 0
-
- # Helper files. (Some of them are not simple arrays because we spawn
- # subshells later on.)
--TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
--ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
--REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp --tmpdir "${CERTBUNDLE}.tmp.XXXXXX")"
-+ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
-+REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
-
- # Adds a certificate to the list of trusted ones. This includes a symlink
- # in /etc/ssl/certs to the certificate file and its inclusion into the
---
-2.1.4
# Need rehash from openssl and run-parts from debianutils
PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
-SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144"
+SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
file://0002-update-ca-certificates-use-SYSROOT.patch \
file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
- file://update-ca-certificates-support-Toybox.patch \
file://default-sysroot.patch \
- file://sbindir.patch \
file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
+ file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
