python3Packages.certifi: use system ca-bundle

We update that one more reliably and it allows ties in with module based
configuration applied through `security.pki`.

Also allow overwriting the CA bundle used through `NIX_SSL_CERT_FILE`
as is common throughout nixpkgs.

Fixes: CVE-2022-23491

pkgs/development/python-modules/certifi/default.nix

@@ -1,5 +1,6 @@
 { lib
 , buildPythonPackage
+, cacert
 , pythonOlder
 , fetchFromGitHub
 , pytestCheckHook
@@ -18,10 +19,27 @@ buildPythonPackage rec {
     hash = "sha256-B6LO6AfG9cfpyNI7hj3VjmGTFsrrIkDYO4gPMkZY74w=";
   };
 
+  patches = [
+    # Add support for NIX_SSL_CERT_FILE
+    ./env.patch
+  ];
+
+  postPatch = ''
+    # Use our system-wide ca-bundle instead of the bundled one
+    rm -v "certifi/cacert.pem"
+    ln -snvf "${cacert}/etc/ssl/certs/ca-bundle.crt" "certifi/cacert.pem"
+  '';
+
   checkInputs = [
     pytestCheckHook
   ];
 
+  preCheck = ''
+    # NIX_SSL_CERT_FILE is set to /no-cert-file.crt during build, which
+    # breaks the tests
+    unset NIX_SSL_CERT_FILE
+  '';
+
   pythonImportsCheck = [
     "certifi"
   ];

pkgs/development/python-modules/certifi/env.patch

@@ -0,0 +1,76 @@
+diff --git a/certifi/core.py b/certifi/core.py
+index de02898..3ec9147 100644
+--- a/certifi/core.py
++++ b/certifi/core.py
+@@ -4,6 +4,7 @@ certifi.py
+ 
+ This module returns the installation location of cacert.pem or its contents.
+ """
++import os
+ import sys
+ 
+ 
+@@ -12,7 +13,7 @@ if sys.version_info >= (3, 11):
+     from importlib.resources import as_file, files
+ 
+     _CACERT_CTX = None
+-    _CACERT_PATH = None
++    _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None)
+ 
+     def where() -> str:
+         # This is slightly terrible, but we want to delay extracting the file
+@@ -39,14 +40,16 @@ if sys.version_info >= (3, 11):
+         return _CACERT_PATH
+ 
+     def contents() -> str:
+-        return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")
++        if _CACERT_PATH is not None:
++            return open(_CACERT_PATH, encoding="utf-8").read()
++        return files("certifi").joinpath("cacert.pem").read_text(encoding="utf-8")
+ 
+ elif sys.version_info >= (3, 7):
+ 
+     from importlib.resources import path as get_path, read_text
+ 
+     _CACERT_CTX = None
+-    _CACERT_PATH = None
++    _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None)
+ 
+     def where() -> str:
+         # This is slightly terrible, but we want to delay extracting the
+@@ -74,7 +77,9 @@ elif sys.version_info >= (3, 7):
+         return _CACERT_PATH
+ 
+     def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
++        if _CACERT_PATH is not None:
++            return open(_CACERT_PATH, encoding="utf-8").read()
++        return read_text("certifi", "cacert.pem", encoding="utf-8")
+ 
+ else:
+     import os
+@@ -84,6 +89,8 @@ else:
+     Package = Union[types.ModuleType, str]
+     Resource = Union[str, "os.PathLike"]
+ 
++    _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None)
++
+     # This fallback will work for Python versions prior to 3.7 that lack the
+     # importlib.resources module but relies on the existing `where` function
+     # so won't address issues with environments like PyOxidizer that don't set
+@@ -102,7 +109,14 @@ else:
+     def where() -> str:
+         f = os.path.dirname(__file__)
+ 
++        if _CACERT_PATH is not None:
++            return _CACERT_PATH
++
+         return os.path.join(f, "cacert.pem")
+ 
+     def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
++        if _CACERT_PATH is not None:
++            with open(_CACERT_PATH, encoding="utf-8") as data:
++                return data.read()
++
++        return read_text("certifi", "cacert.pem", encoding="utf-8")