Bug 1815016 - Upgrade certifi to the latest release. r=firefox-build-system-reviewers,ahochheiden

Differential Revision: https://phabricator.services.mozilla.com/D170036
2023-02-16 23:50:30 +00:00 · 2023-02-16 23:50:30 +00:00 · b3e17778b6
commit b3e17778b6
parent 45abd683e8
16 changed files with 1775 additions and 1604 deletions
--- a/third_party/python/certifi/certifi-2018.4.16.dist-info/DESCRIPTION.rst
+++ b/third_party/python/certifi/certifi-2018.4.16.dist-info/DESCRIPTION.rst
@ -1,48 +0,0 @@
-Certifi: Python SSL Certificates
-================================
-
-`Certifi`_ is a carefully curated collection of Root Certificates for
-validating the trustworthiness of SSL certificates while verifying the identity
-of TLS hosts. It has been extracted from the `Requests`_ project.
-
-Installation
------------
-
-``certifi`` is available on PyPI. Simply install it with ``pip``::
-
-    $ pip install certifi
-
-Usage
-----
-
-To reference the installed certificate authority (CA) bundle, you can use the
-built-in function::
-
-    >>> import certifi
-
-    >>> certifi.where()
-    '/usr/local/lib/python2.7/site-packages/certifi/cacert.pem'
-
-Enjoy!
-
-1024-bit Root Certificates
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Browsers and certificate authorities have concluded that 1024-bit keys are
-unacceptably weak for certificates, particularly root certificates. For this
-reason, Mozilla has removed any weak (i.e. 1024-bit key) certificate from its
-bundle, replacing it with an equivalent strong (i.e. 2048-bit or greater key)
-certificate from the same CA. Because Mozilla removed these certificates from
-its bundle, ``certifi`` removed them as well.
-
-In previous versions, ``certifi`` provided the ``certifi.old_where()`` function
-to intentionally re-add the 1024-bit roots back into your bundle. This was not
-recommended in production and therefore was removed. To assist in migrating old
-code, the function ``certifi.old_where()`` continues to exist as an alias of
-``certifi.where()``. Please update your code to use ``certifi.where()``
-instead. ``certifi.old_where()`` will be removed in 2018.
-
-.. _`Certifi`: http://certifi.io/en/latest/
-.. _`Requests`: http://docs.python-requests.org/en/latest/
-
-
--- a/third_party/python/certifi/certifi-2018.4.16.dist-info/RECORD
+++ b/third_party/python/certifi/certifi-2018.4.16.dist-info/RECORD
@ -1,11 +0,0 @@
-certifi/__init__.py,sha256=KHDlQtQQTRmOG0TJi12ZIE5WWq2tYHM5ax30EX6UJ04,63
-certifi/__main__.py,sha256=FiOYt1Fltst7wk9DRa6GCoBr8qBUxlNQu_MKJf04E6s,41
-certifi/cacert.pem,sha256=0lwMLbfi4umzDdOmdLMdrNkgZxw-5y6PCE10PrnJy-k,268839
-certifi/core.py,sha256=xPQDdG_siy5A7BfqGWa7RJhcA61xXEqPiSrw9GNyhHE,836
-certifi-2018.4.16.dist-info/DESCRIPTION.rst,sha256=jXrtxvB2mFIsHbuK8aP8RXrMx5yecyAIMZ2cn8Xb_ro,1679
-certifi-2018.4.16.dist-info/LICENSE.txt,sha256=anCkv2sBABbVmmS4rkrY3H9e8W8ftFPMLs13HFo0ETE,1048
-certifi-2018.4.16.dist-info/METADATA,sha256=uYCLBFPwRU0XfEULiHO8iLo1QELisMwd9CSJ_Bw4DIc,2570
-certifi-2018.4.16.dist-info/RECORD,,
-certifi-2018.4.16.dist-info/WHEEL,sha256=5wvfB7GvgZAbKBSE9uX9Zbi6LCL-_KgezgHblXhCRnM,113
-certifi-2018.4.16.dist-info/metadata.json,sha256=ayQwq1S2ID9f_MxGU0ZEouhzp5UoCwVtNT3ZLM23p7g,1006
-certifi-2018.4.16.dist-info/top_level.txt,sha256=KMu4vUCfsjLrkPbSNdgdekS-pVJzBAJFO__nI8NF6-U,8
--- a/third_party/python/certifi/certifi-2018.4.16.dist-info/metadata.json
+++ b/third_party/python/certifi/certifi-2018.4.16.dist-info/metadata.json
@ -1 +0,0 @@
-{"classifiers": ["Development Status :: 5 - Production/Stable", "Intended Audience :: Developers", "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)", "Natural Language :: English", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6"], "extensions": {"python.details": {"contacts": [{"email": "me@kennethreitz.com", "name": "Kenneth Reitz", "role": "author"}], "document_names": {"description": "DESCRIPTION.rst", "license": "LICENSE.txt"}, "project_urls": {"Home": "http://certifi.io/"}}}, "generator": "bdist_wheel (0.30.0.a0)", "license": "MPL-2.0", "metadata_version": "2.0", "name": "certifi", "summary": "Python package for providing Mozilla's CA Bundle.", "version": "2018.4.16"}
--- a/third_party/python/certifi/certifi-2018.4.16.dist-info/LICENSE.txt
+++ b/third_party/python/certifi/certifi-2018.4.16.dist-info/LICENSE.txt
@ -1,4 +1,4 @@
-This packge contains a modified version of ca-bundle.crt:
+This package contains a modified version of ca-bundle.crt:

 ca-bundle.crt -- Bundle of CA Root Certificates

@ -6,7 +6,7 @@ Certificate data from Mozilla as of: Thu Nov  3 19:04:19 2011#
 This is a bundle of X.509 certificates of public Certificate Authorities
 (CA). These were automatically extracted from Mozilla's root certificates
 file (certdata.txt).  This file can be found in the mozilla source tree:
-http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1#
+https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 It contains the certificates in PEM format and therefore
 can be directly used with curl / libcurl / php_curl, or with
 an Apache+mod_ssl webserver for SSL client authentication.
--- a/third_party/python/certifi/certifi-2022.12.7.dist-info/METADATA
+++ b/third_party/python/certifi/certifi-2022.12.7.dist-info/METADATA
@ -1,30 +1,33 @@
-Metadata-Version: 2.0
+Metadata-Version: 2.1
 Name: certifi
-Version: 2018.4.16
+Version: 2022.12.7
 Summary: Python package for providing Mozilla's CA Bundle.
-Home-page: http://certifi.io/
+Home-page: https://github.com/certifi/python-certifi
 Author: Kenneth Reitz
 Author-email: me@kennethreitz.com
 License: MPL-2.0
+Project-URL: Source, https://github.com/certifi/python-certifi
 Platform: UNKNOWN
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)
 Classifier: Natural Language :: English
 Classifier: Programming Language :: Python
-Classifier: Programming Language :: Python :: 2
-Classifier: Programming Language :: Python :: 2.6
-Classifier: Programming Language :: Python :: 2.7
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.3
-Classifier: Programming Language :: Python :: 3.4
-Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3 :: Only
 Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Requires-Python: >=3.6
+License-File: LICENSE

 Certifi: Python SSL Certificates
 ================================

-`Certifi`_ is a carefully curated collection of Root Certificates for
+Certifi provides Mozilla's carefully curated collection of Root Certificates for
 validating the trustworthiness of SSL certificates while verifying the identity
 of TLS hosts. It has been extracted from the `Requests`_ project.

@ -44,7 +47,12 @@ built-in function::
    >>> import certifi

    >>> certifi.where()
-    '/usr/local/lib/python2.7/site-packages/certifi/cacert.pem'
+    '/usr/local/lib/python3.7/site-packages/certifi/cacert.pem'
+
+Or from the command line::
+
+    $ python -m certifi
+    /usr/local/lib/python3.7/site-packages/certifi/cacert.pem

 Enjoy!

@ -60,12 +68,16 @@ its bundle, ``certifi`` removed them as well.

 In previous versions, ``certifi`` provided the ``certifi.old_where()`` function
 to intentionally re-add the 1024-bit roots back into your bundle. This was not
-recommended in production and therefore was removed. To assist in migrating old
-code, the function ``certifi.old_where()`` continues to exist as an alias of
-``certifi.where()``. Please update your code to use ``certifi.where()``
-instead. ``certifi.old_where()`` will be removed in 2018.
+recommended in production and therefore was removed at the end of 2018.

-.. _`Certifi`: http://certifi.io/en/latest/
-.. _`Requests`: http://docs.python-requests.org/en/latest/
+.. _`Requests`: https://requests.readthedocs.io/en/master/
+
+Addition/Removal of Certificates
+--------------------------------
+
+Certifi does not support any addition/removal or other modification of the
+CA trust store content. This project is intended to provide a reliable and
+highly portable root of trust to python deployments. Look to upstream projects
+for methods to use alternate trust.


--- a/third_party/python/certifi/certifi-2022.12.7.dist-info/RECORD
+++ b/third_party/python/certifi/certifi-2022.12.7.dist-info/RECORD
@ -0,0 +1,10 @@
+certifi/__init__.py,sha256=bK_nm9bLJzNvWZc2oZdiTwg2KWD4HSPBWGaM0zUDvMw,94
+certifi/__main__.py,sha256=xBBoj905TUWBLRGANOcf7oi6e-3dMP4cEoG9OyMs11g,243
+certifi/cacert.pem,sha256=LBHDzgj_xA05AxnHK8ENT5COnGNElNZe0svFUHMf1SQ,275233
+certifi/core.py,sha256=lhewz0zFb2b4ULsQurElmloYwQoecjWzPqY67P8T7iM,4219
+certifi/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+certifi-2022.12.7.dist-info/LICENSE,sha256=oC9sY4-fuE0G93ZMOrCF2K9-2luTwWbaVDEkeQd8b7A,1052
+certifi-2022.12.7.dist-info/METADATA,sha256=chFpcxKhCPEQ3d8-Vz36zr2Micf1eQhKkFFk7_JvJNo,2911
+certifi-2022.12.7.dist-info/WHEEL,sha256=ewwEueio1C2XeHTvT17n8dZUJgOvyCWCt0WVNLClP9o,92
+certifi-2022.12.7.dist-info/top_level.txt,sha256=KMu4vUCfsjLrkPbSNdgdekS-pVJzBAJFO__nI8NF6-U,8
+certifi-2022.12.7.dist-info/RECORD,,
--- a/third_party/python/certifi/certifi-2022.12.7.dist-info/WHEEL
+++ b/third_party/python/certifi/certifi-2022.12.7.dist-info/WHEEL
@ -1,6 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.30.0.a0)
+Generator: bdist_wheel (0.37.0)
 Root-Is-Purelib: true
-Tag: py2-none-any
 Tag: py3-none-any

--- a/third_party/python/certifi/certifi-2022.12.7.dist-info/top_level.txt
+++ b/third_party/python/certifi/certifi-2022.12.7.dist-info/top_level.txt
--- a/third_party/python/certifi/certifi/init.py
+++ b/third_party/python/certifi/certifi/init.py
@ -1,3 +1,4 @@
-from .core import where, old_where
+from .core import contents, where

-__version__ = "2018.04.16"
+__all__ = ["contents", "where"]
+__version__ = "2022.12.07"
--- a/third_party/python/certifi/certifi/main.py
+++ b/third_party/python/certifi/certifi/main.py
@ -1,2 +1,12 @@
-from certifi import where
-print(where())
+import argparse
+
+from certifi import contents, where
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-c", "--contents", action="store_true")
+args = parser.parse_args()
+
+if args.contents:
+    print(contents())
+else:
+    print(where())
--- a/third_party/python/certifi/certifi/cacert.pem
+++ b/third_party/python/certifi/certifi/cacert.pem
--- a/third_party/python/certifi/certifi/core.py
+++ b/third_party/python/certifi/certifi/core.py
@ -1,37 +1,108 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
 """
 certifi.py
 ~~~~~~~~~~

-This module returns the installation location of cacert.pem.
+This module returns the installation location of cacert.pem or its contents.
 """
-import os
-import warnings
+import sys


-class DeprecatedBundleWarning(DeprecationWarning):
-    """
-    The weak security bundle is being deprecated. Please bother your service
-    provider to get them to stop using cross-signed roots.
-    """
+if sys.version_info >= (3, 11):

+    from importlib.resources import as_file, files

-def where():
+    _CACERT_CTX = None
+    _CACERT_PATH = None
+
+    def where() -> str:
+        # This is slightly terrible, but we want to delay extracting the file
+        # in cases where we're inside of a zipimport situation until someone
+        # actually calls where(), but we don't want to re-extract the file
+        # on every call of where(), so we'll do it once then store it in a
+        # global variable.
+        global _CACERT_CTX
+        global _CACERT_PATH
+        if _CACERT_PATH is None:
+            # This is slightly janky, the importlib.resources API wants you to
+            # manage the cleanup of this file, so it doesn't actually return a
+            # path, it returns a context manager that will give you the path
+            # when you enter it and will do any cleanup when you leave it. In
+            # the common case of not needing a temporary file, it will just
+            # return the file system location and the __exit__() is a no-op.
+            #
+            # We also have to hold onto the actual context manager, because
+            # it will do the cleanup whenever it gets garbage collected, so
+            # we will also store that at the global level as well.
+            _CACERT_CTX = as_file(files("certifi").joinpath("cacert.pem"))
+            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+
+        return _CACERT_PATH
+
+    def contents() -> str:
+        return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")
+
+elif sys.version_info >= (3, 7):
+
+    from importlib.resources import path as get_path, read_text
+
+    _CACERT_CTX = None
+    _CACERT_PATH = None
+
+    def where() -> str:
+        # This is slightly terrible, but we want to delay extracting the
+        # file in cases where we're inside of a zipimport situation until
+        # someone actually calls where(), but we don't want to re-extract
+        # the file on every call of where(), so we'll do it once then store
+        # it in a global variable.
+        global _CACERT_CTX
+        global _CACERT_PATH
+        if _CACERT_PATH is None:
+            # This is slightly janky, the importlib.resources API wants you
+            # to manage the cleanup of this file, so it doesn't actually
+            # return a path, it returns a context manager that will give
+            # you the path when you enter it and will do any cleanup when
+            # you leave it. In the common case of not needing a temporary
+            # file, it will just return the file system location and the
+            # __exit__() is a no-op.
+            #
+            # We also have to hold onto the actual context manager, because
+            # it will do the cleanup whenever it gets garbage collected, so
+            # we will also store that at the global level as well.
+            _CACERT_CTX = get_path("certifi", "cacert.pem")
+            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+
+        return _CACERT_PATH
+
+    def contents() -> str:
+        return read_text("certifi", "cacert.pem", encoding="ascii")
+
+else:
+    import os
+    import types
+    from typing import Union
+
+    Package = Union[types.ModuleType, str]
+    Resource = Union[str, "os.PathLike"]
+
+    # This fallback will work for Python versions prior to 3.7 that lack the
+    # importlib.resources module but relies on the existing `where` function
+    # so won't address issues with environments like PyOxidizer that don't set
+    # __file__ on modules.
+    def read_text(
+        package: Package,
+        resource: Resource,
+        encoding: str = 'utf-8',
+        errors: str = 'strict'
+    ) -> str:
+        with open(where(), encoding=encoding) as data:
+            return data.read()
+
+    # If we don't have importlib.resources, then we will just do the old logic
+    # of assuming we're on the filesystem and munge the path directly.
+    def where() -> str:
        f = os.path.dirname(__file__)

-    return os.path.join(f, 'cacert.pem')
+        return os.path.join(f, "cacert.pem")

-
-def old_where():
-    warnings.warn(
-        "The weak security bundle has been removed. certifi.old_where() is now an alias "
-        "of certifi.where(). Please update your code to use certifi.where() instead. "
-        "certifi.old_where() will be removed in 2018.",
-        DeprecatedBundleWarning
-    )
-    return where()
-
-if __name__ == '__main__':
-    print(where())
+    def contents() -> str:
+        return read_text("certifi", "cacert.pem", encoding="ascii")
--- a/third_party/python/certifi/certifi/py.typed
+++ b/third_party/python/certifi/certifi/py.typed
--- a/third_party/python/poetry.lock
+++ b/third_party/python/poetry.lock
@ -82,11 +82,11 @@ testing = ["pytest", "pytest-cov"]

 [[package]]
 name = "certifi"
-version = "2018.4.16"
+version = "2022.12.7"
 description = "Python package for providing Mozilla's CA Bundle."
 category = "main"
 optional = false
-python-versions = "*"
+python-versions = ">=3.6"

 [[package]]
 name = "chardet"
@ -797,7 +797,7 @@ testing = ["pytest (>=4.6)", "pytest-checkdocs (>=1.2.3)", "pytest-flake8", "pyt
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.6"
-content-hash = "860c0b59297524a1e533309fdaed6fe16102e062c33d1a40f8ad6912b9229b92"
+content-hash = "a43dc447469a334d2dfe1a1397ecd6d03702590bb1b0d2b3cbbf68fb2edd1ff2"

 [metadata.files]
 aiohttp = [
@ -864,8 +864,8 @@ cbor2 = [
    {file = "cbor2-4.0.1.tar.gz", hash = "sha256:cee0d01e520563b5a73c72eace5c428bb68aefb1b3f7aee5d692d3af6a1e5172"},
 ]
 certifi = [
-    {file = "certifi-2018.4.16-py2.py3-none-any.whl", hash = "sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0"},
-    {file = "certifi-2018.4.16.tar.gz", hash = "sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7"},
+    {file = "certifi-2022.12.7-py3-none-any.whl", hash = "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"},
+    {file = "certifi-2022.12.7.tar.gz", hash = "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"},
 ]
 chardet = [
    {file = "chardet-4.0.0-py2.py3-none-any.whl", hash = "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"},
--- a/third_party/python/requirements.in
+++ b/third_party/python/requirements.in
@ -4,6 +4,7 @@ appdirs==1.4.4
 attrs==19.2.0
 blessed==1.19.1
 cbor2==4.0.1
+certifi==2022.12.7
 colorama==0.4.5
 compare-locales==8.2.1
 cookies==2.2.1
--- a/third_party/python/requirements.txt
+++ b/third_party/python/requirements.txt
@ -54,9 +54,9 @@ blessed==1.19.1; python_version >= "2.7" \
 cbor2==4.0.1 \
    --hash=sha256:b0eb916c9ea226aa81e9091607737475d5b0e5c314fe8d5a87179fba449cd190 \
    --hash=sha256:cee0d01e520563b5a73c72eace5c428bb68aefb1b3f7aee5d692d3af6a1e5172
-certifi==2018.4.16 \
-    --hash=sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0 \
-    --hash=sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7
+certifi==2022.12.7; python_version >= "3.6" \
+    --hash=sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18 \
+    --hash=sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3
 chardet==4.0.0; python_version >= "2.7" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" or python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6" \
    --hash=sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5 \
    --hash=sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa
				`@ -1 +0,0 @@`
				{"classifiers": ["Development Status :: 5 - Production/Stable", "Intended Audience :: Developers", "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)", "Natural Language :: English", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6"], "extensions": {"python.details": {"contacts": [{"email": "me@kennethreitz.com", "name": "Kenneth Reitz", "role": "author"}], "document_names": {"description": "DESCRIPTION.rst", "license": "LICENSE.txt"}, "project_urls": {"Home": "http://certifi.io/"}}}, "generator": "bdist_wheel (0.30.0.a0)", "license": "MPL-2.0", "metadata_version": "2.0", "name": "certifi", "summary": "Python package for providing Mozilla's CA Bundle.", "version": "2018.4.16"}