From 8079716eb3a23d5edd7bdbff871adf8bbba27e54 Mon Sep 17 00:00:00 2001
From: Ken Dreyer
Date: Jan 14 2022 19:03:32 +0000
Subject: koji-ssl-admin: note cryptography 3.0+ supports serializing pkcs12

python-cryptography v3.0 added support for pkcs12.serialize_key_and_certificates(), which would allow us to write the pkcs12 bundles with Python instead of shelling out to OpenSSL. Note this in the comments for the future.
---
diff --git a/src/bin/koji-ssl-admin b/src/bin/koji-ssl-admin
index aff30f5..8de828d 100755
--- a/src/bin/koji-ssl-admin
+++ b/src/bin/koji-ssl-admin
@@ -358,8 +358,10 @@ def write_pkcs12(crt_path, key_path, ca_crt_path, pkcs12_path, force):
     """
     if os.path.exists(pkcs12_path) and not force:
         raise OSError(errno.EEXIST, os.strerror(errno.EEXIST), pkcs12_path)
-    # Unfortunately python-cryptography supports reading the pkcs12 format,
-    # but not writing it. We have to shell out to openssl, like:
+    # python-cryptography 2.5+ supports reading pkcs12 format.
+    # python-cryptography 3.0+ supports writing pkcs12 format.
+    # To support older python-cryptography versions, we shell out to openssl,
+    # like:
     # openssl pkcs12 -export -inkey kdreyer.key -in kdreyer.crt \
     # -CAfile koji-ca.crt -out kdreyer_browser_cert.p12
     command = ('openssl', 'pkcs12', '-export',
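Review bot: The new comment says python-cryptography 3.0+ can write pkcs12 but does not name the API, so the future maintainer it is written for has to rediscover it; the commit message already identifies it, so I would add a line after "supports writing pkcs12 format." such as `# (cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates)`. It is also worth recording, in the same comment, that the PKCS#12 encryption parameters currently come from whatever the local openssl binary defaults to, which as far as I know changed between OpenSSL 1.1 and 3.0 (3.0 moved to AES/PBKDF2 and needs `-legacy` for the old RC2/3DES form), so a switch to the Python API should pick the algorithm explicitly rather than inherit a default, e.g. `# NOTE: the openssl defaults for the PBE algorithm differ across OpenSSL releases; choose the encryption explicitly if this moves to python-cryptography.` The body of write_pkcs12 continues outside the hunk, so I cannot see how the export password and the openssl invocation are handled there.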