diff --git a/ca-certificates.spec b/ca-certificates.spec index 79374b0..ad7f955 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -38,7 +38,7 @@ Name: ca-certificates Version: 2018.2.24 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain Group: System Environment/Base @@ -78,7 +78,7 @@ Requires: p11-kit >= 0.23.10 Requires: p11-kit-trust >= 0.23.10 BuildRequires: perl-interpreter -BuildRequires: python2 +BuildRequires: python3 BuildRequires: openssl BuildRequires: asciidoc BuildRequires: libxslt @@ -99,7 +99,7 @@ mkdir %{name}/java pushd %{name}/certs pwd cp %{SOURCE0} . - python %{SOURCE4} >c2p.log 2>c2p.err + python3 %{SOURCE4} >c2p.log 2>c2p.err popd pushd %{name} ( @@ -372,6 +372,9 @@ fi %changelog +* Thu Jun 28 2018 Kai Engert - 2018.2.24-5 +- Ported scripts to python3 + * Mon Jun 11 2018 Daiki Ueno - 2018.2.24-4 - Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek diff --git a/certdata2pem.py b/certdata2pem.py index e63ca0f..a4f38c2 100644 --- a/certdata2pem.py +++ b/certdata2pem.py @@ -26,17 +26,17 @@ import os.path import re import sys import textwrap -import urllib +import urllib.request, urllib.parse, urllib.error import subprocess objects = [] def printable_serial(obj): - return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER'])) + return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']]) # Dirty file parser. in_data, in_multiline, in_obj = False, False, False -field, type, value, obj = None, None, None, dict() +field, ftype, value, binval, obj = None, None, None, bytearray(), dict() for line in open('certdata.txt', 'r'): # Ignore the file header. if not in_data: @@ -56,33 +56,36 @@ for line in open('certdata.txt', 'r'): continue if in_multiline: if not line.startswith('END'): - if type == 'MULTILINE_OCTAL': + if ftype == 'MULTILINE_OCTAL': line = line.strip() for i in re.finditer(r'\\([0-3][0-7][0-7])', line): - value += chr(int(i.group(1), 8)) + integ = int(i.group(1), 8) + binval.extend((integ).to_bytes(1, sys.byteorder)) + obj[field] = binval else: value += line + obj[field] = value continue - obj[field] = value in_multiline = False continue if line.startswith('CKA_CLASS'): in_obj = True line_parts = line.strip().split(' ', 2) if len(line_parts) > 2: - field, type = line_parts[0:2] + field, ftype = line_parts[0:2] value = ' '.join(line_parts[2:]) elif len(line_parts) == 2: - field, type = line_parts + field, ftype = line_parts value = None else: - raise NotImplementedError, 'line_parts < 2 not supported.\n' + line - if type == 'MULTILINE_OCTAL': + raise NotImplementedError('line_parts < 2 not supported.\n' + line) + if ftype == 'MULTILINE_OCTAL': in_multiline = True value = "" + binval = bytearray() continue obj[field] = value -if len(obj.items()) > 0: +if len(list(obj.items())) > 0: objects.append(obj) # Build up trust database. @@ -92,7 +95,7 @@ for obj in objects: continue key = obj['CKA_LABEL'] + printable_serial(obj) trustmap[key] = obj - print " added trust", key + print(" added trust", key) # Build up cert database. certmap = dict() @@ -101,7 +104,7 @@ for obj in objects: continue key = obj['CKA_LABEL'] + printable_serial(obj) certmap[key] = obj - print " added cert", key + print(" added cert", key) def obj_to_filename(obj): label = obj['CKA_LABEL'][1:-1] @@ -110,7 +113,18 @@ def obj_to_filename(obj): .replace('(', '=')\ .replace(')', '=')\ .replace(',', '_') - label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label) + labelbytes = bytearray() + i = 0 + imax = len(label) + while i < imax: + if i < imax-3 and label[i] == '\\' and label[i+1] == 'x': + labelbytes.extend(bytes.fromhex(label[i+2:i+4])) + i += 4 + continue + labelbytes.extend(str.encode(label[i])) + i = i+1 + continue + label = labelbytes.decode('utf-8') serial = printable_serial(obj) return label + ":" + serial @@ -166,31 +180,31 @@ openssl_trust = { for tobj in objects: if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': key = tobj['CKA_LABEL'] + printable_serial(tobj) - print "producing trust for " + key + print("producing trust for " + key) trustbits = [] distrustbits = [] openssl_trustflags = [] openssl_distrustflags = [] legacy_trustbits = [] legacy_openssl_trustflags = [] - for t in trust_types.keys(): - if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': + for t in list(trust_types.keys()): + if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': trustbits.append(t) if t in openssl_trust: openssl_trustflags.append(openssl_trust[t]) - if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED': + if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED': distrustbits.append(t) if t in openssl_trust: openssl_distrustflags.append(openssl_trust[t]) - for t in legacy_trust_types.keys(): - if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': + for t in list(legacy_trust_types.keys()): + if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': real_t = legacy_to_real_trust_types[t] legacy_trustbits.append(real_t) if real_t in openssl_trust: legacy_openssl_trustflags.append(openssl_trust[real_t]) - if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED': - raise NotImplementedError, 'legacy distrust not supported.\n' + line + if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED': + raise NotImplementedError('legacy distrust not supported.\n' + line) fname = obj_to_filename(tobj) try: @@ -206,10 +220,10 @@ for tobj in objects: #dumpf.close(); is_legacy = 0 - if tobj.has_key('LEGACY_CKA_TRUST_SERVER_AUTH') or tobj.has_key('LEGACY_CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('LEGACY_CKA_TRUST_CODE_SIGNING'): + if 'LEGACY_CKA_TRUST_SERVER_AUTH' in tobj or 'LEGACY_CKA_TRUST_EMAIL_PROTECTION' in tobj or 'LEGACY_CKA_TRUST_CODE_SIGNING' in tobj: is_legacy = 1 if obj == None: - raise NotImplementedError, 'found legacy trust without certificate.\n' + line + raise NotImplementedError('found legacy trust without certificate.\n' + line) legacy_fname = "legacy-default/" + fname + ".crt" f = open(legacy_fname, 'w') @@ -218,11 +232,13 @@ for tobj in objects: if legacy_openssl_trustflags: f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n") f.write("-----BEGIN CERTIFICATE-----\n") - f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) + temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) + f.write("\n".join(temp_wrapped)) f.write("\n-----END CERTIFICATE-----\n") f.close() - if tobj.has_key('CKA_TRUST_SERVER_AUTH') or tobj.has_key('CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('CKA_TRUST_CODE_SIGNING'): + if 'CKA_TRUST_SERVER_AUTH' in tobj or 'CKA_TRUST_EMAIL_PROTECTION' in tobj or 'CKA_TRUST_CODE_SIGNING' in tobj: legacy_fname = "legacy-disable/" + fname + ".crt" f = open(legacy_fname, 'w') f.write("# alias=%s\n"%tobj['CKA_LABEL']) @@ -244,7 +260,9 @@ for tobj in objects: cert_fname = "cert-" + fname fc = open(cert_fname, 'w') fc.write("-----BEGIN CERTIFICATE-----\n") - fc.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) + temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) + fc.write("\n".join(temp_wrapped)) fc.write("\n-----END CERTIFICATE-----\n") fc.close(); pk_fname = "pubkey-" + fname @@ -262,7 +280,7 @@ for tobj in objects: fcout.close() sed_command = ["sed", "--in-place", "s/^/#/", comment_fname] subprocess.call(sed_command) - with open (comment_fname, "r") as myfile: + with open (comment_fname, "r", errors = 'replace') as myfile: cert_comment=myfile.read() fname += ".tmp-p11-kit" @@ -274,19 +292,19 @@ for tobj in objects: has_email_trust = False has_code_trust = False - if tobj.has_key('CKA_TRUST_SERVER_AUTH'): + if 'CKA_TRUST_SERVER_AUTH' in tobj: if tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED': is_distrusted = True elif tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR': has_server_trust = True - if tobj.has_key('CKA_TRUST_EMAIL_PROTECTION'): + if 'CKA_TRUST_EMAIL_PROTECTION' in tobj: if tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED': is_distrusted = True elif tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR': has_email_trust = True - if tobj.has_key('CKA_TRUST_CODE_SIGNING'): + if 'CKA_TRUST_CODE_SIGNING' in tobj: if tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED': is_distrusted = True elif tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR': @@ -352,7 +370,9 @@ for tobj in objects: f.write("modifiable: false\n"); f.write("-----BEGIN CERTIFICATE-----\n") - f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) + temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) + f.write("\n".join(temp_wrapped)) f.write("\n-----END CERTIFICATE-----\n") f.write(cert_comment) f.write("\n") @@ -366,13 +386,13 @@ for tobj in objects: f.write("certificate-type: x-509\n") f.write("modifiable: false\n"); f.write("issuer: \""); - f.write(urllib.quote(tobj['CKA_ISSUER'])); + f.write(urllib.parse.quote(tobj['CKA_ISSUER'])); f.write("\"\n") f.write("serial-number: \""); - f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER'])); + f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER'])); f.write("\"\n") if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'): f.write("x-distrusted: true\n") f.write("\n\n") f.close() - print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags) + print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)) diff --git a/sort-blocks.py b/sort-blocks.py index 2d7365b..4dee82e 100644 --- a/sort-blocks.py +++ b/sort-blocks.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 # Expected input is a file, where blocks of lines are separated by newline. # Blocks will be sorted. @@ -9,7 +9,7 @@ import sys import string if (len(sys.argv) != 2): - print "syntax: " + sys.argv[0] + " input-filename" + print("syntax: " + sys.argv[0] + " input-filename") sys.exit(1) filename = sys.argv[1] @@ -31,4 +31,4 @@ with open(filename, 'r') as f: block_list.sort() for block in block_list: - print block + print(block)