From c8ea2db0a9f92c38630f6ae07c1afa342246bf66 Mon Sep 17 00:00:00 2001
From: Vyacheslav Pedash <vyacheslav.pedash@globallogic.com>
Date: Tue, 14 Feb 2023 13:51:22 +0200
Subject: MTX-4791 Update ca-certificates to the latest Debian version.
 Blacklist expired CA certificates.

---
 ...lla-certdata2pem.py-print-a-warning-for-e.patch | 80 ++++++++++++++++++++++
 .../0005-blacklist-expired-CA.patch                |  9 +++
 .../ca-certificates/ca-certificates_%.bbappend     | 14 ++--
 3 files changed, 99 insertions(+), 4 deletions(-)
 create mode 100644 recipes-support/ca-certificates/ca-certificates/0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
 create mode 100644 recipes-support/ca-certificates/ca-certificates/0005-blacklist-expired-CA.patch

diff --git a/recipes-support/ca-certificates/ca-certificates/0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/recipes-support/ca-certificates/ca-certificates/0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
new file mode 100644
index 0000000..8af5a33
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -0,0 +1,80 @@
+From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 18 Oct 2021 12:05:49 +0200
+Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
+ certificates."
+
+This avoids a dependency on python3-cryptography, and only checks
+for expired certs (which is upstream concern, but not ours).
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ debian/changelog        |  1 -
+ debian/control          |  2 +-
+ mozilla/certdata2pem.py | 11 -----------
+ 3 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/debian/changelog b/debian/changelog
+index 531e4d0..4006509 100644
+--- a/debian/changelog
++++ b/debian/changelog
+@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+     - "Trustis FPS Root CA"
+     - "Staat der Nederlanden Root CA - G3"
+   * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+-  * mozilla/certdata2pem.py: print a warning for expired certificates.
+ 
+  -- Julien Cristau <jcristau@debian.org>  Thu, 07 Oct 2021 17:12:47 +0200
+ 
+diff --git a/debian/control b/debian/control
+index 4434b7a..5c6ba24 100644
+--- a/debian/control
++++ b/debian/control
+@@ -3,7 +3,7 @@ Section: misc
+ Priority: optional
+ Maintainer: Julien Cristau <jcristau@debian.org>
+ Build-Depends: debhelper-compat (= 13), po-debconf
+-Build-Depends-Indep: python3, openssl, python3-cryptography
++Build-Depends-Indep: python3, openssl
+ Standards-Version: 4.5.0.2
+ Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+ Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index ede23d4..7d796f1 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+ # USA.
+ 
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+ 
+-from cryptography import x509
+-
+-
+ objects = []
+ 
+ # Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+             continue
+-
+-        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+-        if cert.not_valid_after < datetime.datetime.utcnow():
+-            print('!'*74)
+-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+-            print('!'*74)
+-
+         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+                                       .replace(' ', '_')\
+                                       .replace('(', '=')\
+-- 
+2.20.1
+
diff --git a/recipes-support/ca-certificates/ca-certificates/0005-blacklist-expired-CA.patch b/recipes-support/ca-certificates/ca-certificates/0005-blacklist-expired-CA.patch
new file mode 100644
index 0000000..d7c5ee8
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/0005-blacklist-expired-CA.patch
@@ -0,0 +1,9 @@
+diff -uprN a/mozilla/blacklist.txt b/mozilla/blacklist.txt
+--- a/mozilla/blacklist.txt	2023-02-13 18:32:14.842445382 +0200
++++ b/mozilla/blacklist.txt	2023-02-14 13:17:54.090381357 +0200
+@@ -12,3 +12,5 @@
+ "DST Root CA X3"
+ "Cybertrust Global Root"
+ "GlobalSign Root CA - R2"
++"Staat der Nederlanden EV Root CA"
++"E-Tugra Certification Authority"
diff --git a/recipes-support/ca-certificates/ca-certificates_%.bbappend b/recipes-support/ca-certificates/ca-certificates_%.bbappend
index 107c58d..7a9af09 100644
--- a/recipes-support/ca-certificates/ca-certificates_%.bbappend
+++ b/recipes-support/ca-certificates/ca-certificates_%.bbappend
@@ -1,5 +1,11 @@
-PR = "r1"
+PR = "r2"
 
-# Toybox patch breaks busybox, which is what we use for mktemp
-# This fixes the update-ca-certificates script.
-SRC_URI_remove = "file://update-ca-certificates-support-Toybox.patch"
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRCREV = "88d98d1082e5d2d1f85e5cb42811da813db981c9"
+
+SRC_URI_remove = "file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch"
+
+SRC_URI_append = " \
+    file://0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
+    file://0005-blacklist-expired-CA.patch "
-- 
cgit v1.2.3