From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex@linutronix.de>
Date: Mon, 18 Oct 2021 12:05:49 +0200
Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
 certificates."

This avoids a dependency on python3-cryptography, and only checks
for expired certs (which is upstream concern, but not ours).

Upstream-Status: Inappropriate [oe-core specific]
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
---
 debian/changelog        |  1 -
 debian/control          |  2 +-
 mozilla/certdata2pem.py | 11 -----------
 3 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 531e4d0..4006509 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
     - "Trustis FPS Root CA"
     - "Staat der Nederlanden Root CA - G3"
   * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
-  * mozilla/certdata2pem.py: print a warning for expired certificates.
 
  -- Julien Cristau <jcristau@debian.org>  Thu, 07 Oct 2021 17:12:47 +0200
 
diff --git a/debian/control b/debian/control
index 4434b7a..5c6ba24 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: misc
 Priority: optional
 Maintainer: Julien Cristau <jcristau@debian.org>
 Build-Depends: debhelper-compat (= 13), po-debconf
-Build-Depends-Indep: python3, openssl, python3-cryptography
+Build-Depends-Indep: python3, openssl
 Standards-Version: 4.5.0.2
 Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
 Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index ede23d4..7d796f1 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -21,16 +21,12 @@
 # USA.
 
 import base64
-import datetime
 import os.path
 import re
 import sys
 import textwrap
 import io
 
-from cryptography import x509
-
-
 objects = []
 
 # Dirty file parser.
@@ -121,13 +117,6 @@ for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue
-
-        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-        if cert.not_valid_after < datetime.datetime.now():
-            print('!'*74)
-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
-            print('!'*74)
-
         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
                                       .replace(' ', '_')\
                                       .replace('(', '=')\
-- 
2.20.1