From a4e468a2a0afa80df174831c2f422184820bb0fa Mon Sep 17 00:00:00 2001 From: Thomas Petazzoni Date: Thu, 6 Jan 2022 23:15:00 +0100 Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional The Python cryptography module is only used to verify if trusted certificates have expired, but this is only a warning. For some build systems and distributions, providing Python cryptography is costly, especially since it's now partly written in Rust. As the check is only a warning, it's anyway going to be overlooked by most people. This commit changes the check to be optional: if the cryptography Python module is there, we perform the check, otherwise the check is skipped. Signed-off-by: Thomas Petazzoni [Steve: refreshed to apply on ca-certificates version 20230311] Signed-off-by: Steve Hay --- mozilla/certdata2pem.py | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py index 4df86a2..3a6d7dc 100644 --- a/mozilla/certdata2pem.py +++ b/mozilla/certdata2pem.py @@ -28,8 +28,6 @@ import sys import textwrap import io -from cryptography import x509 - objects = [] @@ -122,11 +120,16 @@ for obj in objects: if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: continue - cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) - if cert.not_valid_after < datetime.datetime.utcnow(): - print('!'*74) - print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) - print('!'*74) + try: + from cryptography import x509 + + cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) + if cert.not_valid_after < datetime.datetime.utcnow(): + print('!'*74) + print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) + print('!'*74) + except ImportError: + pass bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ .replace(' ', '_')\ -- 2.30.2