From ca283741711022e00de72c9fc71dce6edf4a7675 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
 <congdanhqx@gmail.com>
Date: Fri, 16 Jul 2021 23:41:15 +0700
Subject: [PATCH] ca-certificates: update to 20210119+3.67.

While we're at it, stop removing expired certificates in order to help
with reproducibility.
---
 .../files/remove-expired-certs.sh             | 51 -------------------
 .../patches/drop-python-dependency.patch      | 11 ++++
 .../update-ca-certificates-destdir.patch      |  4 +-
 srcpkgs/ca-certificates/template              | 31 ++++++-----
 4 files changed, 31 insertions(+), 66 deletions(-)
 delete mode 100755 srcpkgs/ca-certificates/files/remove-expired-certs.sh
 create mode 100644 srcpkgs/ca-certificates/patches/drop-python-dependency.patch

diff --git a/srcpkgs/ca-certificates/files/remove-expired-certs.sh b/srcpkgs/ca-certificates/files/remove-expired-certs.sh
deleted file mode 100755
index 92cda666cad3..000000000000
--- a/srcpkgs/ca-certificates/files/remove-expired-certs.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-# Begin remove-expired-certs.sh
-#
-# Version 20120211
-
-# Make sure the date is parsed correctly on all systems
-mydate()
-{
-  local y=$( echo $1 | cut -d" " -f4 )
-  local M=$( echo $1 | cut -d" " -f1 )
-  local d=$( echo $1 | cut -d" " -f2 )
-  local m
-
-  [ -z "${d}" ] && d="0"
-  [ "${d}" -lt 10 ] && d="0${d}"
-
-  case $M in
-    Jan) m="01";;
-    Feb) m="02";;
-    Mar) m="03";;
-    Apr) m="04";;
-    May) m="05";;
-    Jun) m="06";;
-    Jul) m="07";;
-    Aug) m="08";;
-    Sep) m="09";;
-    Oct) m="10";;
-    Nov) m="11";;
-    Dec) m="12";;
-  esac
-
-  certdate="${y}${m}${d}"
-}
-
-DIR="$1"
-[ -z "$DIR" ] && DIR=$(pwd)
-
-today=$(date +%Y%m%d)
-
-find ${DIR} -type f -a -iname "*.crt" -printf "%p\n" | while read cert; do
-  notafter=$(/usr/bin/openssl x509 -enddate -in "${cert}" -noout)
-  date=$( echo ${notafter} |  sed 's/^notAfter=//' )
-  mydate "$date"
-
-  if [ ${certdate} -lt ${today} ]; then
-     echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-     echo "EXPIRED CERTIFICATE FOUND $certdate: \"$(basename ${cert})\""
-     echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-     rm -f "${cert}"
-  fi
-done
diff --git a/srcpkgs/ca-certificates/patches/drop-python-dependency.patch b/srcpkgs/ca-certificates/patches/drop-python-dependency.patch
new file mode 100644
index 000000000000..2b71cd166b18
--- /dev/null
+++ b/srcpkgs/ca-certificates/patches/drop-python-dependency.patch
@@ -0,0 +1,11 @@
+--- ca-certificates-20210119+3.67.orig/work/mozilla/Makefile
++++ ca-certificates-20210119+3.67/work/mozilla/Makefile
+@@ -3,7 +3,7 @@
+ #
+ 
+ all:
+-	python3 certdata2pem.py
++	./certdata2pem
+ 
+ clean:
+ 	-rm -f *.crt
diff --git a/srcpkgs/ca-certificates/patches/update-ca-certificates-destdir.patch b/srcpkgs/ca-certificates/patches/update-ca-certificates-destdir.patch
index 34008701e304..831708b769ff 100644
--- a/srcpkgs/ca-certificates/patches/update-ca-certificates-destdir.patch
+++ b/srcpkgs/ca-certificates/patches/update-ca-certificates-destdir.patch
@@ -1,5 +1,5 @@
---- a/sbin/update-ca-certificates	2015-05-29 11:09:43.922158838 +0200
-+++ b/sbin/update-ca-certificates	2015-05-29 11:10:06.842632933 +0200
+--- a/work/sbin/update-ca-certificates	2015-05-29 11:09:43.922158838 +0200
++++ b/work/sbin/update-ca-certificates	2015-05-29 11:10:06.842632933 +0200
 @@ -24,12 +24,12 @@
  verbose=0
  fresh=0
diff --git a/srcpkgs/ca-certificates/template b/srcpkgs/ca-certificates/template
index 854e76a613cd..35de72536816 100644
--- a/srcpkgs/ca-certificates/template
+++ b/srcpkgs/ca-certificates/template
@@ -1,29 +1,34 @@
 # Template file for 'ca-certificates'
 pkgname=ca-certificates
-version=20210119
-revision=2
+version=20210119+3.67
+revision=1
+_nss_version=${version#*+}
 bootstrap=yes
 conf_files="/etc/ca-certificates.conf"
-wrksrc="work"
+create_wrksrc=yes
+build_wrksrc="work"
 hostmakedepends="openssl"
 depends="openssl<=2.0_1 run-parts"
-short_desc="Common CA certificates for SSL/TLS"
+short_desc="Common CA certificates for SSL/TLS from Mozilla"
 maintainer="Orphaned <orphan@voidlinux.org>"
 license="GPL-2.0-or-later, MPL-2.0"
-homepage="https://tracker.debian.org/pkg/ca-certificates"
-distfiles="${DEBIAN_SITE}/main/c/${pkgname}/${pkgname}_${version}.tar.xz"
-checksum=daa3afae563711c30a0586ddae4336e8e3974c2b627faaca404c4e0141b64665
+homepage="https://wiki.mozilla.org/NSS:Root_certs"
+distfiles="${DEBIAN_SITE}/main/c/${pkgname}/${pkgname}_${version%+*}.tar.xz
+ ${MOZILLA_SITE}/security/nss/releases/NSS_${_nss_version//\./_}_RTM/src/nss-${_nss_version}.tar.gz"
+checksum="daa3afae563711c30a0586ddae4336e8e3974c2b627faaca404c4e0141b64665
+ f6549a9148cd27b394b40c77fa73111d5ea23cdb51d796665de1b7458f88ce7f"
 
 post_extract() {
-	$BUILD_CC $BUILD_CFLAGS ${FILESDIR}/certdata2pem.c -o ${wrksrc}/mozilla/certdata2pem
-	cp ${FILESDIR}/remove-expired-certs.sh ${wrksrc}/mozilla
-	vsed -i ${wrksrc}/mozilla/Makefile \
-		-e 's,python3 certdata2pem.py,./certdata2pem,g'
-	vsed -i ${wrksrc}/mozilla/Makefile \
-		-e "s;\(.*\)\(certdata2pem.*\);\1\2\n\1./remove-expired-certs.sh;"
+	cp ${FILESDIR}/remove-expired-certs.sh $build_wrksrc/mozilla
+	cp nss-${_nss_version}/nss/lib/ckfw/builtins/certdata.txt \
+		$build_wrksrc/mozilla
+	cp nss-${_nss_version}/nss/lib/ckfw/builtins/nssckbi.h \
+		$build_wrksrc/mozilla
 }
 
 do_build() {
+	$BUILD_CC $BUILD_CFLAGS ${FILESDIR}/certdata2pem.c \
+		-o mozilla/certdata2pem
 	make ${makejobs}
 }