* [Buildroot] [PATCH] utils/generate-cyclonedx: add support for certifi ssl context
@ 2025-03-05  8:56 Thomas Devoogdt
  2025-03-13  9:41 ` Peter Korsgaard
  0 siblings, 1 reply; 4+ messages in thread
From: Thomas Devoogdt @ 2025-03-05  8:56 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Perale, Thomas Devoogdt

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>

Allow to fix this by e.g. using `make host-python-certifi`.

Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
---
 utils/generate-cyclonedx | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
index 33e06ea86aa..183ddf60fbd 100755
--- a/utils/generate-cyclonedx
+++ b/utils/generate-cyclonedx
@@ -18,6 +18,14 @@ import urllib.request
 import subprocess
 import sys
 
+try:
+    import certifi
+    import ssl
+
+    ssl_context = ssl.create_default_context(cafile=certifi.where())
+except ModuleNotFoundError:
+    ssl_context = None
+
 CYCLONEDX_VERSION = "1.6"
 SPDX_SCHEMA_URL = f"https://raw.githubusercontent.com/CycloneDX/specification/{CYCLONEDX_VERSION}/schema/spdx.schema.json"
 
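Review bot: in the new `try:` block, `ssl.create_default_context(cafile=certifi.where())` makes certifi's bundle the only trust source whenever the module happens to be importable, because passing `cafile` skips loading the system default store. A host with a working system store, or with a locally added CA, would silently change behaviour. Consider creating the default context first and adding certifi's bundle on top with `load_verify_locations(cafile=certifi.where())`. Also move `import ssl` up to the top-level imports: it is standard library and cannot raise `ModuleNotFoundError`, so only `import certifi` needs the guard. A short comment saying why the fallback is `None` would help the next reader.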
@@ -39,7 +47,9 @@ SPDX_LICENSES = []
 if not SPDX_SCHEMA_PATH.exists():
     # Download the CycloneDX SPDX schema JSON, and cache it locally
     cyclonedxpath.mkdir(parents=True, exist_ok=True)
-    urllib.request.urlretrieve(SPDX_SCHEMA_URL, SPDX_SCHEMA_PATH)
+    with (urllib.request.urlopen(SPDX_SCHEMA_URL, context=ssl_context) as resp,
+          open(SPDX_SCHEMA_PATH, "wb") as fp):
+        fp.write(resp.read())
 
 try:
     with SPDX_SCHEMA_PATH.open() as f:
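Review bot: the parenthesized two-item `with (... as resp, open(...) as fp):` is only documented syntax from Python 3.10, so on an older host interpreter the whole script fails with a SyntaxError before anything runs. Nesting two `with` statements avoids that. Separately, `fp.write(resp.read())` writes straight into `SPDX_SCHEMA_PATH`, and the surrounding `if not SPDX_SCHEMA_PATH.exists():` treats any existing file as a valid cache, so an interrupted download leaves a truncated file that is never fetched again. Writing to a temporary name and renaming it into place after a complete read would close that gap.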
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: add support for certifi ssl context
  2025-03-05  8:56 [Buildroot] [PATCH] utils/generate-cyclonedx: add support for certifi ssl context Thomas Devoogdt
@ 2025-03-13  9:41 ` Peter Korsgaard
  2025-03-13 10:01   ` Thomas Devoogdt
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2025-03-13  9:41 UTC (permalink / raw)
  To: Thomas Devoogdt; +Cc: buildroot, Thomas Perale, Thomas Devoogdt

>>>>> "Thomas" == Thomas Devoogdt <thomas@devoogdt.com> writes:

 > urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]
 > certificate verify failed: unable to get local issuer certificate
 > (_ssl.c:1000)>

 > Allow to fix this by e.g. using `make host-python-certifi`.

 > Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>

Is this on a very old machine / python setup? Are you using your host
machine's python or building host-python3?

It is not like we are doing anything special here, perhaps your ssl
configuration is outdated? Can you access the URL with curl / wget?

curl -v https://raw.githubusercontent.com/CycloneDX/specification/
..
* Server certificate:
*  subject: CN=*.github.io
*  start date: Mar  7 00:00:00 2025 GMT
*  expire date: Mar  7 23:59:59 2026 GMT
*  subjectAltName: host "raw.githubusercontent.com" matched cert's "*.githubusercontent.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: add support for certifi ssl context
  2025-03-13  9:41 ` Peter Korsgaard
@ 2025-03-13 10:01   ` Thomas Devoogdt
  2025-03-13 11:03     ` Peter Korsgaard
  0 siblings, 1 reply; 4+ messages in thread
From: Thomas Devoogdt @ 2025-03-13 10:01 UTC (permalink / raw)
  To: Peter Korsgaard
  Cc: Thomas Devoogdt, buildroot, Thomas Perale, Thomas Devoogdt



Hi Peter,

This was tested on an old build server, but by using host-python3.

Kr,

Thomas Devoogdt

On Thu, 13 Mar 2025, 10:41, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Thomas" == Thomas Devoogdt <thomas@devoogdt.com> writes:
>
>  > urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]
>  > certificate verify failed: unable to get local issuer certificate
>  > (_ssl.c:1000)>
>
>  > Allow to fix this by e.g. using `make host-python-certifi`.
>
>  > Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
>
> Is this on a very old machine / python setup? Are you using your host
> machine's python or building host-python3?
>
> It is not like we are doing anything special here, perhaps your ssl
> configuration is outdated? Can you access the URL with curl / wget?
>
> curl -v https://raw.githubusercontent.com/CycloneDX/specification/
> ..
> * Server certificate:
> *  subject: CN=*.github.io
> *  start date: Mar  7 00:00:00 2025 GMT
> *  expire date: Mar  7 23:59:59 2026 GMT
> *  subjectAltName: host "raw.githubusercontent.com" matched cert's "*.
> githubusercontent.com"
> *  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited;
> CN=Sectigo RSA Domain Validation Secure Server CA
> *  SSL certificate verify ok.
>
> --
> Bye, Peter Korsgaard
>
>


* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: add support for certifi ssl context
  2025-03-13 10:01   ` Thomas Devoogdt
@ 2025-03-13 11:03     ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2025-03-13 11:03 UTC (permalink / raw)
  To: Thomas Devoogdt; +Cc: buildroot, Thomas Perale, Thomas Devoogdt

>>>>> "Thomas" == Thomas Devoogdt <thomas@devoogdt.com> writes:

 > Hi Peter,
 > This was tested on an old build server, but by using host-python3.

Guessing what server you refer to ;) I see the newer python3 in
/usr/local looks for certs in /usr/local/ssl/certs/ (which is empty),
rather than /etc/ssl/certs like wget/curl.

Replacing that with a symlink to /etc/ssl/certs fixes it for me, so I
have marked this patch as superseded.

-- 
Bye, Peter Korsgaard
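
Added example (not part of the thread and not Buildroot code): a small diagnostic for the root cause found above, an interpreter whose OpenSSL looks for CAs in a directory that exists but is empty. The function names and the temporary directories in `demo()` are constructed for illustration; the "any entry present" test is a heuristic and does not check for OpenSSL's hashed file names.

```python
import os
import ssl
import tempfile


def classify_trust_store(cafile, capath):
    """Return 'ok', 'empty' or 'missing' for a CA bundle file / CA directory pair."""
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return "ok"
    if capath and os.path.isdir(capath):
        # An existing but empty directory is the case described in the thread:
        # verification fails with "unable to get local issuer certificate".
        entries = [e for e in os.listdir(capath) if not e.startswith(".")]
        return "ok" if entries else "empty"
    return "missing"


def interpreter_trust_store():
    """Report where this interpreter's OpenSSL looks for CAs and whether it is usable."""
    paths = ssl.get_default_verify_paths()
    # SSL_CERT_FILE / SSL_CERT_DIR override the paths compiled into OpenSSL.
    cafile = os.environ.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = os.environ.get(paths.openssl_capath_env, paths.openssl_capath)
    return {"cafile": cafile, "capath": capath,
            "status": classify_trust_store(cafile, capath)}


def demo():
    """Constructed sample: an empty CA directory, then the symlink fix."""
    with tempfile.TemporaryDirectory() as root:
        empty = os.path.join(root, "local-ssl-certs")   # stands in for the empty dir
        system = os.path.join(root, "etc-ssl-certs")    # stands in for the system dir
        os.mkdir(empty)
        os.mkdir(system)
        with open(os.path.join(system, "constructed-ca.pem"), "w") as fp:
            fp.write("constructed placeholder, not a real certificate\n")
        before = classify_trust_store(None, empty)
        # Same idea as the fix in the thread: point the empty location
        # at the populated system directory with a symlink.
        os.rmdir(empty)
        os.symlink(system, empty)
        after = classify_trust_store(None, empty)
        return before, after


if __name__ == "__main__":
    print(interpreter_trust_store())
    print(demo())
```

Run it with the same interpreter that runs the failing script (for example the host-python3 build), since each Python links its own OpenSSL with its own default paths.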
