cacert: really fix utf-8 certname blacklists

See #27576.
This commit is contained in:
Franz Pletz 2017-08-09 19:51:25 +02:00
parent 1ed786292b
commit 2d5c1226c6
No known key found for this signature in database
GPG key ID: 846FDED7792617B4
2 changed files with 24 additions and 3 deletions

View file

@ -1,4 +1,4 @@
{ stdenv, fetchurl, writeText, nss, python3
{ stdenv, fetchurl, writeText, nss, python
, blacklist ? []
, includeEmail ? false
}:
@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
src = nss.src;
nativeBuildInputs = [ python3 ];
nativeBuildInputs = [ python ];
configurePhase = ''
ln -s nss/lib/ckfw/builtins/certdata.txt
@ -29,7 +29,8 @@ stdenv.mkDerivation rec {
${concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)}
EOF
cp ${certdata2pem} certdata2pem.py
cat ${certdata2pem} > certdata2pem.py
patch -p1 < ${./fix-unicode-ca-names.patch}
${optionalString includeEmail ''
# Disable CAs used for mail signing
substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] '''

View file

@ -0,0 +1,20 @@
--- a/certdata2pem.py 2017-08-01 23:10:00.000000000 +0300
+++ b/certdata2pem.py 2017-08-01 23:08:21.131297636 +0300
@@ -88,7 +88,7 @@
\# Read blacklist.
blacklist = []
if os.path.exists('blacklist.txt'):
- for line in open('blacklist.txt', 'r'):
+ for line in io.open('blacklist.txt', 'r', encoding='utf-8'):
line = line.strip()
if line.startswith('#') or len(line) == 0:
continue
@@ -101,7 +101,7 @@
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
continue
if obj['CKA_LABEL'] in blacklist:
- print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
+ print("Certificate %s blacklisted, ignoring." % unicode(obj['CKA_LABEL']).encode('utf-8'))
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':