
package/ca-certificates: add support for cryptography >= 3.0

Building ca-certificates with a newer cryptography is breaking because
python-cryptography's x509 API changed to accept only bytes, not str.

Carry a patch that has been submitted upstream [0] but has not yet been
applied [1]. Minor changes to account for 0001-*.patch.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
[1] https://salsa.debian.org/debian/ca-certificates

Signed-off-by: Justin Wood <jwood@starry.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Justin Wood, 2 years ago
parent
commit
0fc1bf137e
1 changed file with 29 additions and 0 deletions
  1. 29 0
      package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch

+ 29 - 0
package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch

@@ -0,0 +1,29 @@
+From 5e493ca307a031e81528ceddb96f3da40bc062cf Mon Sep 17 00:00:00 2001
+From: Wataru Ashihara <wsh@iij.ad.jp>
+Date: Wed, 2 Nov 2022 12:40:05 -0400
+Subject: [PATCH] mozilla/certdata2pem.py: Fix compat with cryptography > 3.0
+
+In newer cryptography packages, load_der_x509_certificate is enforced to be 'bytes' rather than currently used 'bytearray'.  This fixes that.
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
+Signed-off-by: Justin Wood <jwood@starry.com>
+---
+ mozilla/certdata2pem.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index a6261f8..c0fa52c 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -122,7 +122,7 @@ for obj in objects:
+         try:
+             from cryptography import x509
+ 
+-            cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
++            cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+             if cert.not_valid_after < datetime.datetime.now():
+                 print('!'*74)
+                 print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+-- 
+2.38.1
+
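Review bot: In the embedded patch header, From: names Wataru Ashihara while the only Signed-off-by is Justin Wood's, and the commit message says the upstream submission received "minor changes to account for 0001-*.patch". The patch description should say that it was adapted and what changed, so the carried copy can be compared against Debian bug 1008244 when it is time to drop it. The version bound is also stated two ways: the commit subject says "cryptography >= 3.0" and the patch subject says "> 3.0", so one of them should be corrected to match the other. The one-line patch description would also read better wrapped, and since it says the value currently passed is a 'bytearray', the bytes(obj['CKA_VALUE']) conversion is consistent with it; the commit message's "not str" wording does not match and could be aligned.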