[glib-networking/pgriffis/automate-cert-update] Automate updating CA root files for tests
- From: Patrick Griffis <pgriffis src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/pgriffis/automate-cert-update] Automate updating CA root files for tests
- Date: Sat, 19 Jun 2021 15:17:44 +0000 (UTC)
commit 257c2802b5098297d1f416f496dfe097f3c1bd9e
Author: Patrick Griffis <pgriffis igalia com>
Date: Sat Jun 19 10:16:53 2021 -0500
Automate updating CA root files for tests
tls/tests/files/create-files.sh | 12 +++++++---
tls/tests/files/update-chain-with-new-root.py | 32 +++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 3 deletions(-)
---
diff --git a/tls/tests/files/create-files.sh b/tls/tests/files/create-files.sh
index 96fecff..ff9563a 100755
--- a/tls/tests/files/create-files.sh
+++ b/tls/tests/files/create-files.sh
@@ -20,9 +20,7 @@ echo "a couple of certificates (sudo password will be requested). This"
echo "is because it uses the OpenSSL x509 utility instead of the ca"
echo "utility which allows to set a starting date for the certificates."
echo
-echo "A few manual changes need to be made. The first certificate"
-echo "in ca-roots.pem and ca-roots-bad.pem need to be replaced by"
-echo "the contents of ca.pem."
+echo "Note that one of the scripts requires python3's cryptography module."
echo
echo " *** IMPORTANT ***"
echo
@@ -187,6 +185,14 @@ cat server-intermediate.pem > chain.pem
cat intermediate-ca.pem >> chain.pem
cat ca.pem >> chain.pem
+#######################################################################
+### Updating CA Root files
+#######################################################################
+
+msg "Updating CA Root files"
+./update-chain-with-new-root.py ca-roots.pem ca.pem
+./update-chain-with-new-root.py ca-roots-bad.pem ca.pem
+
#######################################################################
### Update test database
#######################################################################
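Review bot: The two `./update-chain-with-new-root.py` calls added here do not check the exit status in the lines shown, so if python3 is missing or the helper exits with an error, the run continues into "Update test database" with ca-roots.pem and ca-roots-bad.pem still holding the previous root. Unless the script already runs under `set -e` (not visible in this hunk), append a check to each call, e.g. `./update-chain-with-new-root.py ca-roots.pem ca.pem || exit 1`. The `./` prefix also assumes the current directory is tls/tests/files; if nothing earlier in the file enforces that, a one-line comment saying so would help.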
diff --git a/tls/tests/files/update-chain-with-new-root.py b/tls/tests/files/update-chain-with-new-root.py
new file mode 100755
index 0000000..fa5ab0b
--- /dev/null
+++ b/tls/tests/files/update-chain-with-new-root.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+import sys
+
+try:
+ chain_path = sys.argv[1]
+ new_root_path = sys.argv[2]
+except IndexError:
+ sys.exit('USAGE: update-chain-with-new-root.py ca-file.pem new-ca.pem')
+
+new_cert_lines = []
+with open(new_root_path, 'rb') as root_file:
+ new_cert_lines += root_file.readlines()
+
+with open(chain_path, 'rb+') as chain_file:
+ chain_file_lines = chain_file.readlines()
+ new_chain_file_lines = []
+
+ # Replace the lines we don't want with the new lines
+ for i, line in enumerate(chain_file_lines):
+ if b'BEGIN CERTIFICATE' in line:
+ new_chain_file_lines += chain_file_lines[:i]
+ new_chain_file_lines += new_cert_lines
+ continue
+ if b'END CERTIFICATE' in line:
+ new_chain_file_lines += chain_file_lines[i + 1:]
+ break
+
+ # Write over old file
+ chain_file.seek(0)
+ chain_file.writelines(new_chain_file_lines)
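Review bot: The rewrite at the end of the `with open(chain_path, 'rb+')` block seeks to 0 and writes the new lines but never truncates, so when the replacement certificate is shorter than the one it replaces, the tail of the old file remains after the new content and the PEM bundle ends in stray bytes. Adding `chain_file.truncate()` right after `chain_file.writelines(new_chain_file_lines)` fixes that. The loop also leaves `new_chain_file_lines` empty when no `BEGIN CERTIFICATE` line is found, in which case the file is silently left as it was; a guard before the seek such as `if not new_chain_file_lines: sys.exit('no certificate found in ' + chain_path)` would surface a stale trust file instead of letting the TLS tests run against the old root. A `BEGIN` line without a matching `END` drops everything after it, and the same guard could be extended to cover that case.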