ASR_BASE
Change-Id: Icf3719cc0afe3eeb3edc7fa80a2eb5199ca9dda1
diff --git a/package/system/ca-certificates/Makefile b/package/system/ca-certificates/Makefile
new file mode 100644
index 0000000..254d7b5
--- /dev/null
+++ b/package/system/ca-certificates/Makefile
@@ -0,0 +1,70 @@
+#
+# Copyright (C) 2006-2017 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ca-certificates
+PKG_VERSION:=20240203
+PKG_RELEASE:=1
+PKG_MAINTAINER:=
+
+PKG_LICENSE:=GPL-2.0-or-later MPL-2.0
+PKG_LICENSE_FILES:=debian/copyright
+
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=@DEBIAN/pool/main/c/ca-certificates
+PKG_HASH:=3286d3fc42c4d11b7086711a85f865b44065ce05cf1fb5376b2abed07622a9c6
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+TAR_OPTIONS+= --strip-components 1
+TAR_CMD=$(HOST_TAR) -C $(1) $(TAR_OPTIONS)
+
+define Package/ca-certificates
+ SECTION:=base
+ CATEGORY:=Base system
+ TITLE:=System CA certificates
+ PKGARCH:=all
+ PROVIDES:=ca-certs
+endef
+
+define Package/ca-bundle
+ SECTION:=base
+ CATEGORY:=Base system
+ TITLE:=System CA certificates as a bundle
+ PKGARCH:=all
+ PROVIDES:=ca-certs
+endef
+
+define Build/Install
+ mkdir -p \
+ $(PKG_INSTALL_DIR)/usr/sbin \
+ $(PKG_INSTALL_DIR)/usr/share/ca-certificates
+ $(call Build/Install/Default,)
+endef
+
+define Package/ca-certificates/install
+ $(INSTALL_DIR) $(1)/etc/ssl/certs
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/ca-certificates/*/*.crt $(1)/etc/ssl/certs/
+
+ for CERTFILE in `ls -1 $(1)/etc/ssl/certs`; do \
+ HASH=`openssl x509 -hash -noout -in $(1)/etc/ssl/certs/$$$$CERTFILE` ; \
+ SUFFIX=0 ; \
+ while [ -h "$(1)/etc/ssl/certs/$$$$HASH.$$$$SUFFIX" ]; do \
+ let "SUFFIX += 1" ; \
+ done ; \
+ $(LN) "$$$$CERTFILE" "$(1)/etc/ssl/certs/$$$$HASH.$$$$SUFFIX" ; \
+ done
+endef
+
+define Package/ca-bundle/install
+ $(INSTALL_DIR) $(1)/etc/ssl/certs
+ cat $(PKG_INSTALL_DIR)/usr/share/ca-certificates/*/*.crt >$(1)/etc/ssl/certs/ca-certificates.crt
+ $(LN) /etc/ssl/certs/ca-certificates.crt $(1)/etc/ssl/cert.pem
+endef
+$(eval $(call BuildPackage,ca-bundle))
+$(eval $(call BuildPackage,ca-certificates))
diff --git a/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch b/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch
new file mode 100644
index 0000000..0909261
--- /dev/null
+++ b/package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch
@@ -0,0 +1,53 @@
+From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Wed, 1 Dec 2021 14:41:31 +0100
+Subject: [PATCH] ca-certificates: fix python3-cryptography woes in
+ certdata2pem.py
+
+reverts the code portion of the Debian's ca-certificate
+commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
+
+It broke builds with the popular Ubuntu 20.04 (focal) releases.
+This was due to them shipping with an older python3-cryptography
+version which is not compatible.
+
+More concerns were raised by jow- as well:
+"We don't want the build to depend on the local system time anyway."
+
+Reported-by: Chen Minqiang <ptpt52@gmail.com>
+Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+---
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+ # USA.
+
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+
+-from cryptography import x509
+-
+-
+ objects = []
+
+ # Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+-
+- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+- if cert.not_valid_after < datetime.datetime.utcnow():
+- print('!'*74)
+- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+- print('!'*74)
+-
+ bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\