security/p11-kit: Use base system CA certificates

Drop dependency on ca_root_nss and use base system root certificates instead. This allows users to add their own certificates. trust_paths now points to a directory and that directory contains "anchors" and "blocklist" symlinks pointing to the base system certificate directories. This is based on the documentation from https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html. The list of certificates known to p11-kit can be verified by running "trust list". PR: 268841 Approved by: novel (maintainer)

security/p11-kit: Use base system CA certificates
8672992e · Tijl Coosemans · d1207aa8 · 8672992e · 8672992e
Commit 8672992e authored 2 years ago by Tijl Coosemans
--- a/security/p11-kit/Makefile
+++ b/security/p11-kit/Makefile
 PORTNAME=	p11-kit
 DISTVERSION=	0.24.1
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security devel
 MASTER_SITES=	https://github.com/p11-glue/p11-kit/releases/download/${DISTVERSION}/

@@ -11,9 +11,7 @@ WWW=		https://p11-glue.freedesktop.org/p11-kit.html
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/COPYING

-BUILD_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss \
-		bash-completion>=0:shells/bash-completion
-RUN_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
+BUILD_DEPENDS=	bash-completion>=0:shells/bash-completion
 LIB_DEPENDS=	libffi.so:devel/libffi \
 		libtasn1.so:security/libtasn1

@@ -26,7 +24,7 @@ MESON_ARGS=	-Dbash_completion=enabled \
 		-Dlibffi=enabled \
 		-Dnls=false \
 		-Dtrust_module=enabled \
-		-Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt
+		-Dtrust_paths=${DATADIR}/certs

 OPTIONS_DEFINE=		DOCS MANPAGES TEST
 OPTIONS_SUB=		yes
@@ -43,9 +41,18 @@ MANPAGES_MESON_TRUE=	man

 TEST_MESON_TRUE=	test

+.include <bsd.port.options.mk>
+
 post-install:
 	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	${MV} ${STAGEDIR}${PREFIX}/etc/pkcs11/pkcs11.conf.example ${STAGEDIR}${EXAMPLESDIR}
 	${RMDIR} ${STAGEDIR}${PREFIX}/etc/pkcs11
+	${MKDIR} ${STAGEDIR}${DATADIR}/certs
+	${LN} -s /usr/share/certs/trusted ${STAGEDIR}${DATADIR}/certs/anchors
+.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1400024
+	${LN} -s /usr/share/certs/blacklisted ${STAGEDIR}${DATADIR}/certs/blocklist
+.else
+	${LN} -s /usr/share/certs/untrusted ${STAGEDIR}${DATADIR}/certs/blocklist
+.endif

 .include <bsd.port.mk>
--- a/security/p11-kit/pkg-plist
+++ b/security/p11-kit/pkg-plist
@@ -61,5 +61,7 @@ share/bash-completion/completions/trust
 %%DOCS%%share/gtk-doc/html/p11-kit/trust.html
 %%DOCS%%share/gtk-doc/html/p11-kit/up-insensitive.png
 %%DOCS%%share/gtk-doc/html/p11-kit/up.png
+%%DATADIR%%/certs/anchors
+%%DATADIR%%/certs/blocklist
 %%DATADIR%%/modules/p11-kit-trust.module
 %%EXAMPLESDIR%%/pkcs11.conf.example