From 7fdb879308247c060654a95a9eedfbc628533f01 Mon Sep 17 00:00:00 2001
From: Harmen Stoppels <harmenstoppels@gmail.com>
Date: Wed, 29 Sep 2021 18:05:58 +0200
Subject: [PATCH] ca-certificates-mozilla for openssl & curl (#26263)

1. Changes the variant of openssl to `certs=mozilla/system/none` so that
   users can pick whether they want Spack or system certs, or if they
   don't want certs at all.
2. Keeps the default behavior of openssl to use certs=systems.
3. Changes the curl configuration to not guess the ca path during
   config, but rather fall back to whatever the tls provider is
   configured with. If we don't do this, curl will still pick up system
   certs if it finds them.

As a minor fix, it also adds the build dep `pkgconfig` to curl, since
that's being used during the configure phase to get openssl compilation
flags.
---
 .../ca-certificates-mozilla/package.py        |  6 ++++-
 .../repos/builtin/packages/curl/package.py    |  6 +++++
 .../repos/builtin/packages/openssl/package.py | 23 ++++++++++++++++---
 3 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py b/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py
index b49ef03cf75..d828d4c5a84 100644
--- a/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py
+++ b/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py
@@ -31,9 +31,13 @@ class CaCertificatesMozilla(Package):
     def url_for_version(self, version):
         return "https://curl.se/ca/cacert-{0}.pem".format(version)
 
+    def setup_dependent_package(self, module, dep_spec):
+        """Returns the absolute path to the bundled certificates"""
+        self.spec.pem_path = join_path(self.prefix.share, 'cacert.pem')
+
     # Install the the pem file as share/cacert.pem
     def install(self, spec, prefix):
-        share = join_path(self.prefix, 'share')
+        share = join_path(prefix, 'share')
         mkdir(share)
         install("cacert-{0}.pem".format(spec.version),
                 join_path(share, "cacert.pem"))
diff --git a/var/spack/repos/builtin/packages/curl/package.py b/var/spack/repos/builtin/packages/curl/package.py
index 1db1b0de3e9..7b04455e28c 100644
--- a/var/spack/repos/builtin/packages/curl/package.py
+++ b/var/spack/repos/builtin/packages/curl/package.py
@@ -97,6 +97,9 @@ class Curl(AutotoolsPackage):
     depends_on('libssh', when='+libssh')
     depends_on('krb5', when='+gssapi')
 
+    # curl queries pkgconfig for openssl compilation flags
+    depends_on('pkgconfig', type='build')
+
     def configure_args(self):
         spec = self.spec
 
@@ -108,6 +111,9 @@ def configure_args(self):
             '--without-libgsasl',
             '--without-libpsl',
             '--without-zstd',
+            '--without-ca-bundle',
+            '--without-ca-path',
+            '--with-ca-fallback',
         ]
 
         # https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/
diff --git a/var/spack/repos/builtin/packages/openssl/package.py b/var/spack/repos/builtin/packages/openssl/package.py
index ef8055f453e..f82c2c95b34 100644
--- a/var/spack/repos/builtin/packages/openssl/package.py
+++ b/var/spack/repos/builtin/packages/openssl/package.py
@@ -78,12 +78,15 @@ class Openssl(Package):   # Uses Fake Autotools, should subclass Package
     version('1.0.1h', sha256='9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093', deprecated=True)
     version('1.0.1e', sha256='f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3', deprecated=True)
 
-    variant('systemcerts', default=True, description='Use system certificates')
+    variant('certs', default='system',
+            values=('mozilla', 'system', 'none'), multi=False,
+            description=('Use certificates from the ca-certificates-mozilla '
+                         'package, symlink system certificates, or none'))
     variant('docs', default=False, description='Install docs and manpages')
 
     depends_on('zlib')
-
     depends_on('perl@5.14.0:', type=('build', 'test'))
+    depends_on('ca-certificates-mozilla', type=('build', 'run'), when='certs=mozilla')
 
     @classmethod
     def determine_version(cls, exe):
@@ -148,7 +151,7 @@ def install(self, spec, prefix):
 
     @run_after('install')
     def link_system_certs(self):
-        if '+systemcerts' not in self.spec:
+        if self.spec.variants['certs'].value != 'system':
             return
 
         system_dirs = [
@@ -188,6 +191,20 @@ def link_system_certs(self):
                     os.rmdir(pkg_certs)
                 os.symlink(sys_certs, pkg_certs)
 
+    @run_after('install')
+    def link_mozilla_certs(self):
+        if self.spec.variants['certs'].value != 'mozilla':
+            return
+
+        pkg_dir = join_path(self.prefix, 'etc', 'openssl')
+        mkdirp(pkg_dir)
+
+        mozilla_pem = self.spec['ca-certificates-mozilla'].pem_path
+        pkg_cert = join_path(pkg_dir, 'cert.pem')
+
+        if not os.path.exists(pkg_cert):
+            os.symlink(mozilla_pem, pkg_cert)
+
     def patch(self):
         if self.spec.satisfies('%nvhpc'):
             # Remove incompatible preprocessor flags