Add Python 3 support to ca-certificates.

Thanks to Andrew Wilcox for the patch! Closes: #789753
author: Michael Shuler <michael@pbandjelly.org> 2015-10-22 15:33:15 -0500
committer: Tristan Van Berkom <tristan.vanberkom@codethink.co.uk> 2015-11-12 22:28:16 +0900
commit: 445c89b5c4f6844c166de011a302ec655131db11 (patch)
tree: 671ff972118780a32866fd97e918b01fb3cddddf
parent: 651de1c8439c6206ea76b7d502daa9de05b5a461 (diff)
download: ca-certificates-445c89b5c4f6844c166de011a302ec655131db11.tar.gz
2 files changed, 43 insertions, 13 deletions
diff --git a/debian/changelog b/debian/changelog
index ee00a56..5d52e41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+ca-certificates (20151022) UNRELEASED; urgency=medium
+
+  * debian/postinst:
+    Handle /usr/local/share/ca-certificates permissions and ownership on
+    upgrade.  Closes: #611501
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.5.
+  * mozilla/certdata2pem.py:
+    Add Python 3 support to ca-certificates.
+    Thanks to Andrew Wilcox for the patch!  Closes: #789753
+TODO: verify adds/removes
+    The following certificate authorities were added (+):
+    + "Certinomis - Root CA"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+    The following certificate authorities were removed (-):
+    - "Buypass Class 3 CA 1"
+    - "SG TRUST SERVICES RACINE"
+    - "TC TrustCenter Class 2 CA II"
+    - "TC TrustCenter Universal CA I"
+    - "TURKTRUST Certificate Services Provider Root 1"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 22 Oct 2015 15:32:23 -0500
+
 ca-certificates (20150426) unstable; urgency=medium
 
   * debian/postinst:
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 0482894..ec48ab6 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -53,7 +53,7 @@ for line in open('certdata.txt', 'r'):
             if type == 'MULTILINE_OCTAL':
                 line = line.strip()
                 for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
-                    value += chr(int(i.group(1), 8))
+                    value.append(int(i.group(1), 8))
             else:
                 value += line
             continue
@@ -70,13 +70,13 @@ for line in open('certdata.txt', 'r'):
         field, type = line_parts
         value = None
     else:
-        raise NotImplementedError, 'line_parts < 2 not supported.'
+        raise NotImplementedError('line_parts < 2 not supported.')
     if type == 'MULTILINE_OCTAL':
         in_multiline = True
-        value = ""
+        value = bytearray()
         continue
     obj[field] = value
-if len(obj.items()) > 0:
+if len(obj) > 0:
     objects.append(obj)
 
 # Read blacklist.
@@ -95,7 +95,7 @@ for obj in objects:
     if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
         continue
     if obj['CKA_LABEL'] in blacklist:
-        print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
+        print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
                                           'CKT_NSS_TRUSTED_DELEGATOR'):
         trust[obj['CKA_LABEL']] = True
@@ -104,13 +104,13 @@ for obj in objects:
         trust[obj['CKA_LABEL']] = True
     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
                                           'CKT_NSS_NOT_TRUSTED'):
-        print '!'*74
-        print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
-        print '!'*74
+        print('!'*74)
+        print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
+        print('!'*74)
     else:
-        print "Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
+        print("Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
               (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
-               obj['CKA_TRUST_EMAIL_PROTECTION'])
+               obj['CKA_TRUST_EMAIL_PROTECTION']))
 
 for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
@@ -121,13 +121,19 @@ for obj in objects:
                                       .replace('(', '=')\
                                       .replace(')', '=')\
                                       .replace(',', '_')
-        bname = bname.decode('string_escape')
+
+        # this is the only way to decode the way NSS stores multi-byte UTF-8
+        if bytes != str:
+            bname = bname.encode('utf-8')
+        bname = bname.decode('unicode_escape').encode('latin-1').decode('utf-8')
         fname = bname + '.crt'
+
         if os.path.exists(fname):
-            print "Found duplicate certificate name %s, renaming." % bname
+            print("Found duplicate certificate name %s, renaming." % bname)
             fname = bname + '_2.crt'
         f = open(fname, 'w')
         f.write("-----BEGIN CERTIFICATE-----\n")
-        f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+        encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8')
+        f.write("\n".join(textwrap.wrap(encoded, 64)))
         f.write("\n-----END CERTIFICATE-----\n")
author	Michael Shuler <michael@pbandjelly.org>	2015-10-22 15:33:15 -0500
committer	Tristan Van Berkom <tristan.vanberkom@codethink.co.uk>	2015-11-12 22:28:16 +0900
commit	445c89b5c4f6844c166de011a302ec655131db11 (patch)
tree	671ff972118780a32866fd97e918b01fb3cddddf
parent	651de1c8439c6206ea76b7d502daa9de05b5a461 (diff)
download	ca-certificates-445c89b5c4f6844c166de011a302ec655131db11.tar.gz