authorMx Kookie <kookie@spacekookie.de>2020-10-31 19:35:09 +0100
committerMx Kookie <kookie@spacekookie.de>2020-10-31 19:35:09 +0100
commitc4625b175f8200f643fd6e11010932ea44c78433 (patch)
treebce3f89888c8ac3991fa5569a878a9eab6801ccc /infra/libkookie/nixpkgs/pkgs/data/misc/cacert
parent49f735974dd103039ddc4cb576bb76555164a9e7 (diff)
parentd661aa56a8843e991261510c1bb28fdc2f6975ae (diff)
Add 'infra/libkookie/' from commit 'd661aa56a8843e991261510c1bb28fdc2f6975ae'
git-subtree-dir: infra/libkookie git-subtree-mainline: 49f735974dd103039ddc4cb576bb76555164a9e7 git-subtree-split: d661aa56a8843e991261510c1bb28fdc2f6975ae
Diffstat (limited to 'infra/libkookie/nixpkgs/pkgs/data/misc/cacert')
-rw-r--r--infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix70
-rw-r--r--infra/libkookie/nixpkgs/pkgs/data/misc/cacert/fix-unicode-ca-names.patch20
-rw-r--r--infra/libkookie/nixpkgs/pkgs/data/misc/cacert/setup-hook.sh3
3 files changed, 93 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix
new file mode 100644
index 000000000000..f72431c5a27c
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix
@@ -0,0 +1,70 @@
+{ stdenv, fetchurl, nss, python3
+, blacklist ? []
+, includeEmail ? false
+}:
+
+with stdenv.lib;
+
+let
+
+ certdata2pem = fetchurl {
+ name = "certdata2pem.py";
+ url = "https://salsa.debian.org/debian/ca-certificates/raw/debian/20170717/mozilla/certdata2pem.py";
+ sha256 = "1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy";
+ };
+
+in
+
+stdenv.mkDerivation {
+ name = "nss-cacert-${nss.version}";
+
+ src = nss.src;
+
+ outputs = [ "out" "unbundled" ];
+
+ nativeBuildInputs = [ python3 ];
+
+ configurePhase = ''
+ ln -s nss/lib/ckfw/builtins/certdata.txt
+
+ cat << EOF > blacklist.txt
+ ${concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)}
+ EOF
+
+ cat ${certdata2pem} > certdata2pem.py
+ patch -p1 < ${./fix-unicode-ca-names.patch}
+ ${optionalString includeEmail ''
+ # Disable CAs used for mail signing
+ substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] '''
+ ''}
+ '';
+
+ buildPhase = ''
+ python certdata2pem.py | grep -vE '^(!|UNTRUSTED)'
+
+ for cert in *.crt; do
+ echo $cert | cut -d. -f1 | sed -e 's,_, ,g' >> ca-bundle.crt
+ cat $cert >> ca-bundle.crt
+ echo >> ca-bundle.crt
+ done
+ '';
+
+ installPhase = ''
+ mkdir -pv $out/etc/ssl/certs
+ cp -v ca-bundle.crt $out/etc/ssl/certs
+ # install individual certs in unbundled output
+ mkdir -pv $unbundled/etc/ssl/certs
+ cp -v *.crt $unbundled/etc/ssl/certs
+ rm -f $unbundled/etc/ssl/certs/ca-bundle.crt # not wanted in unbundled
+ '';
+
+ setupHook = ./setup-hook.sh;
+
+ meta = {
+ homepage = "https://curl.haxx.se/docs/caextract.html";
+ description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
+ platforms = platforms.all;
+ maintainers = with maintainers; [ fpletz ];
+ license = licenses.mpl20;
+ };
+}
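Review bot: The `includeEmail` guard in configurePhase reads inverted: the substitution commented `# Disable CAs used for mail signing` runs only when `includeEmail` is true. With the default `includeEmail ? false` certdata2pem.py is left unmodified, so CAs that NSS trusts only for e-mail protection appear to stay in `ca-bundle.crt`, the file that setup-hook.sh exports as `SSL_CERT_FILE`. If the behaviour is meant to match the flag name, the guard should be `${optionalString (!includeEmail) ''`. It would also help to add a comment next to the `substituteInPlace` line explaining that removing the `['CKA_TRUST_EMAIL_PROTECTION']` subscript makes the script's e-mail trust comparison never match.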
diff --git a/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/fix-unicode-ca-names.patch b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/fix-unicode-ca-names.patch
new file mode 100644
index 000000000000..07d3629196a7
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/fix-unicode-ca-names.patch
@@ -0,0 +1,20 @@
+--- a/certdata2pem.py 2017-08-01 23:10:00.000000000 +0300
++++ b/certdata2pem.py 2017-08-01 23:08:21.131297636 +0300
+@@ -88,7 +88,7 @@
+ \# Read blacklist.
+ blacklist = []
+ if os.path.exists('blacklist.txt'):
+- for line in open('blacklist.txt', 'r'):
++ for line in io.open('blacklist.txt', 'r', encoding='utf-8'):
+ line = line.strip()
+ if line.startswith('#') or len(line) == 0:
+ continue
+@@ -101,7 +101,7 @@
+ if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
+ continue
+ if obj['CKA_LABEL'] in blacklist:
+- print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
++ print("Certificate %s blacklisted, ignoring." % unicode(obj['CKA_LABEL']).encode('utf-8'))
+ elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
+ trust[obj['CKA_LABEL']] = True
+ elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
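Review bot: The replacement print line calls `unicode(...)`, which is not a builtin on Python 3, while default.nix in this commit runs the script with `python3`. The first blacklisted label reached would therefore raise NameError instead of being reported and skipped. Since the blacklist is how a distrusted CA is kept out of the bundle, that path needs to work on the interpreter actually used; on Python 3 the original `print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])` already handles non-ASCII labels. The first hunk also relies on `io` being imported by the script, which is not visible here. Both hunks cut into blocks that continue outside the patch.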
diff --git a/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/setup-hook.sh b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/setup-hook.sh
new file mode 100644
index 000000000000..77b68a5c251c
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/setup-hook.sh
@@ -0,0 +1,3 @@
+export NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
+# left for compatibility
+export SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt