From 93f361c6237cefec637a4e558e4d70c7cacfa577 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Mon, 29 Apr 2024 12:31:06 +0200
Subject: [PATCH] replace decade old pyasn1 crypto impl with working asn1crypto

For some APKs, get_certificate() was returning a different result than
apksigner and keytool.  So I just took the algorithm from androguard, which
uses asn1crypto instead of pyasn1.  So that removes a dependency as well.
asn1crypto is already required by androguard.

The original get_certificate() came from 6e2d0a9e1
---
 fdroidserver/common.py | 19 +++----------------
 setup.py               |  3 +--
 2 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index b1a1827b..5205dc7f 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -54,16 +54,13 @@ from pathlib import Path
 
 import defusedxml.ElementTree as XMLElementTree
 
+from asn1crypto import cms
 from base64 import urlsafe_b64encode
 from binascii import hexlify
 from datetime import datetime, timedelta, timezone
 from queue import Queue
 from zipfile import ZipFile
 
-from pyasn1.codec.der import decoder, encoder
-from pyasn1_modules import rfc2315
-from pyasn1.error import PyAsn1Error
-
 import fdroidserver.metadata
 import fdroidserver.lint
 from fdroidserver import _
@@ -3908,18 +3905,8 @@ def get_certificate(signature_block_file):
     or None in case of error
 
     """
-    content = decoder.decode(signature_block_file, asn1Spec=rfc2315.ContentInfo())[0]
-    if content.getComponentByName('contentType') != rfc2315.signedData:
-        return None
-    content = decoder.decode(content.getComponentByName('content'),
-                             asn1Spec=rfc2315.SignedData())[0]
-    try:
-        certificates = content.getComponentByName('certificates')
-        cert = certificates[0].getComponentByName('certificate')
-    except PyAsn1Error:
-        logging.error("Certificates not found.")
-        return None
-    return encoder.encode(cert)
+    pkcs7obj = cms.ContentInfo.load(signature_block_file)
+    return pkcs7obj['content']['certificates'][0].chosen.dump()
 
 
 def load_stats_fdroid_signing_key_fingerprints():
diff --git a/setup.py b/setup.py
index 8e4e2452..7e8d1912 100755
--- a/setup.py
+++ b/setup.py
@@ -93,14 +93,13 @@ setup(
     install_requires=[
         'appdirs',
         'androguard >= 3.3.5',
+        'asn1crypto',
         'clint',
         'defusedxml',
         'GitPython',
         'paramiko',
         'Pillow',
         'apache-libcloud >= 0.14.1',
-        'pyasn1 >=0.4.1',
-        'pyasn1-modules >= 0.2.1',
         'python-vagrant',
         'PyYAML',
         'qrcode',