python3Packages.certifi: use system ca-bundle

{ lib

, buildPythonPackage

, cacert

, pythonOlder

, fetchFromGitHub

, pytestCheckHook

    hash = "sha256-B6LO6AfG9cfpyNI7hj3VjmGTFsrrIkDYO4gPMkZY74w=";

  };

  patches = [

    # Add support for NIX_SSL_CERT_FILE

    ./env.patch

  ];

  postPatch = ''

    # Use our system-wide ca-bundle instead of the bundled one

    rm -v "certifi/cacert.pem"

    ln -snvf "${cacert}/etc/ssl/certs/ca-bundle.crt" "certifi/cacert.pem"

  '';

  checkInputs = [

    pytestCheckHook

  ];

  preCheck = ''

    # NIX_SSL_CERT_FILE is set to /no-cert-file.crt during build, which

    # breaks the tests

    unset NIX_SSL_CERT_FILE

  '';

  pythonImportsCheck = [

    "certifi"

  ];

diff --git a/certifi/core.py b/certifi/core.py

index de02898..3ec9147 100644

--- a/certifi/core.py

+++ b/certifi/core.py

@@ -4,6 +4,7 @@ certifi.py

 This module returns the installation location of cacert.pem or its contents.

 """

+import os

 import sys

@@ -12,7 +13,7 @@ if sys.version_info >= (3, 11):

     from importlib.resources import as_file, files

     _CACERT_CTX = None

-    _CACERT_PATH = None

+    _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None)

     def where() -> str:

         # This is slightly terrible, but we want to delay extracting the file

@@ -39,14 +40,16 @@ if sys.version_info >= (3, 11):

         return _CACERT_PATH

     def contents() -> str:

-        return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")

+        if _CACERT_PATH is not None:

+            return open(_CACERT_PATH, encoding="utf-8").read()

+        return files("certifi").joinpath("cacert.pem").read_text(encoding="utf-8")

 elif sys.version_info >= (3, 7):

     from importlib.resources import path as get_path, read_text

     _CACERT_CTX = None

-    _CACERT_PATH = None

+    _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None)

     def where() -> str:

         # This is slightly terrible, but we want to delay extracting the

@@ -74,7 +77,9 @@ elif sys.version_info >= (3, 7):

         return _CACERT_PATH

     def contents() -> str:

-        return read_text("certifi", "cacert.pem", encoding="ascii")

+        if _CACERT_PATH is not None:

+            return open(_CACERT_PATH, encoding="utf-8").read()

+        return read_text("certifi", "cacert.pem", encoding="utf-8")

 else:

     import os

@@ -84,6 +89,8 @@ else:

     Package = Union[types.ModuleType, str]

     Resource = Union[str, "os.PathLike"]

+    _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None)

+

     # This fallback will work for Python versions prior to 3.7 that lack the

     # importlib.resources module but relies on the existing `where` function

     # so won't address issues with environments like PyOxidizer that don't set

@@ -102,7 +109,14 @@ else:

     def where() -> str:

         f = os.path.dirname(__file__)

+        if _CACERT_PATH is not None:

+            return _CACERT_PATH

+

         return os.path.join(f, "cacert.pem")

     def contents() -> str:

-        return read_text("certifi", "cacert.pem", encoding="ascii")

+        if _CACERT_PATH is not None:

+            with open(_CACERT_PATH, encoding="utf-8") as data:

+                return data.read()

+

+        return read_text("certifi", "cacert.pem", encoding="utf-8")