;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017, 2021 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;;; Package definitions for CA certificate bundles (Mozilla/NSS, Let's
;;; Encrypt) and the small tools used to build them.
(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix utils)             ;cc-for-target
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix build-system copy)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)           ;search-patches
  #:use-module (gnu packages curl)
  ;; NOTE(review): nothing in this file visibly refers to a python
  ;; package; this import may be stale -- confirm before removing.
  #:use-module (gnu packages python)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages tls))

(define-public desec-certbot-hook
  ;; Certbot hook script for the deSEC DNS challenge.  No versioned release
  ;; is used: the package is pinned to one upstream commit, and the checkout
  ;; is additionally pinned by content hash.
  (let ((upstream-commit "68da7abc0793602fd336962a7e2348b57c5d6fd6")
        (guix-revision "0"))
    (package
      (name "desec-certbot-hook")
      (version (git-version "0" guix-revision upstream-commit))
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/desec-io/desec-certbot-hook")
               (commit upstream-commit)))
         (file-name (git-file-name name version))
         ;; A changed upstream tree fails the build rather than being
         ;; installed silently.
         (sha256
          (base32 "0qjqk6i85b1y7fgzcx74r4gn2i4dkjza34hkzp6kyn9hrb8f2gv2"))))
      (build-system copy-build-system)
      (inputs
       (list curl))
      (arguments
       `(#:install-plan
         ;; Only the script itself is installed, into the same directory the
         ;; patched script reads its configuration from.
         '(("." "etc/desec" #:include ("hook.sh")))
         #:phases
         (modify-phases %standard-phases
           (add-after 'unpack 'patch-script
             (lambda* (#:key inputs #:allow-other-keys)
               (substitute* "hook.sh"
                 ;; Upstream reads '.dedynauth' from $PWD, but the store is
                 ;; read-only, so point the script at /etc/desec instead.
                 ;; The administrator creates that file (presumably it holds
                 ;; the deSEC API credentials -- check upstream's README);
                 ;; keep it readable only by the user running certbot.
                 (("\\$\\(pwd\\)") "/etc/desec")
                 ;; Refer to curl by its store path so the hook does not rely
                 ;; on PATH.  This is a plain substring match: every "curl"
                 ;; in hook.sh is rewritten, so re-read the script when
                 ;; bumping the pinned commit.
                 (("curl")
                  (string-append (assoc-ref inputs "curl") "/bin/curl"))))))))
      (home-page "https://desec.io")
      (synopsis "Certbot DNS challenge automatization for deSEC")
      (description "The deSEC can be used to obtain certificates with certbot
DNS ownership verification. With the help of this hook script, you can obtain
your Let's Encrypt certificate using certbot with authorization provided by the
DNS challenge mechanism, that is, you will not need a running web server or any
port forwarding to your local machine.")
      (license license:expat))))

(define-public certdata2pem
  ;; Single-file C program fetched straight from the sabotage-linux tree.
  ;; Both the commit in the URL and the sha256 pin the exact source.
  (let ((upstream-commit "4c576f350f44186d439179f63d5be19f710a73f5")
        (guix-revision "1"))            ;currently unused
    (package
      (name "certdata2pem")
      (version "0.0.0")                 ;upstream has no version number
      (source (origin
                (method url-fetch)
                (uri (string-append
                      "https://raw.githubusercontent.com/sabotage-linux/sabotage/"
                      upstream-commit "/KEEP/certdata2pem.c"))
                (sha256
                 (base32
                  "1rywp29q4l1cs2baplkbcravxqs4kw2cys4yifhfznbc210pskq6"))))
      (build-system gnu-build-system)
      (arguments
       `(#:phases
         (modify-phases %standard-phases
           (delete 'configure)          ;nothing to configure
           ;; Emit '.pem' files instead of '.crt'; the nss-certs package in
           ;; this file collects '*.pem' after running this tool.
           (add-before 'build 'fix-extension
             (lambda _
               (substitute* "certdata2pem.c"
                 (("\\.crt") ".pem"))))
           ;; Compile the one source file directly, with the compiler
           ;; appropriate for the target when cross-compiling.
           (replace 'build
             (lambda _
               (invoke ,(cc-for-target) "certdata2pem.c"
                       "-o" "certdata2pem")))
           (delete 'check)              ;no test suite
           (replace 'install
             (lambda* (#:key outputs #:allow-other-keys)
               (install-file "certdata2pem"
                             (string-append (assoc-ref outputs "out")
                                            "/bin")))))))
      (home-page "https://github.com/sabotage-linux/")
      (synopsis "Utility to split TLS certificates data into multiple PEM files")
      (description "This is a C version of the certdata2pem Python utility
that was originally contributed to Debian.")
      (license license:isc))))

(define-public nss-certs
  ;; The Mozilla CA bundle, extracted from the NSS source tarball with
  ;; certdata2pem.  Nothing from NSS is compiled here.
  (package
    (name "nss-certs")
    ;; XXX We used to refer to the nss package here, but that eventually caused
    ;; module cycles. The below is a quick copy-paste job that must be kept in
    ;; sync manually. Surely there's a better way…?
    (version "3.71")
    (source (origin
              (method url-fetch)
              ;; Mozilla's release directory spells the version with
              ;; underscores ("NSS_3_71_RTM") while the tarball uses dots.
              (uri (let ((version-with-underscores
                          (string-join (string-split version #\.) "_")))
                     (string-append
                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
                      "releases/NSS_" version-with-underscores "_RTM/src/"
                      "nss-" version ".tar.gz")))
              ;; Pinned tarball hash: an altered download fails the build.
              (sha256
               (base32
                "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r"))
              ;; Create nss.pc and nss-config.
              (patches (search-patches "nss-3.56-pkgconfig.patch"
                                       "nss-getcwd-nonnull.patch"
                                       "nss-increase-test-timeout.patch"))
              (modules '((guix build utils)))
              (snippet
               '(begin
                  ;; Delete the bundled copy of these libraries.
                  (delete-file-recursively "nss/lib/zlib")
                  (delete-file-recursively "nss/lib/sqlite")))))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     (list certdata2pem openssl))
    (inputs '())
    (propagated-inputs '())
    (arguments
     `(#:modules ((guix build gnu-build-system)
                  (guix build utils)
                  ;; NOTE(review): (rnrs io ports) is not visibly used by
                  ;; the phase below -- possibly stale, confirm.
                  (rnrs io ports)
                  (srfi srfi-26))
       #:phases
       ;; Start from only the phases needed to reach the unpacked tree;
       ;; configure/build/check of NSS itself are deliberately skipped.
       (modify-phases
           (map (cut assq <> %standard-phases)
                '(set-paths install-locale unpack))
         (add-after 'unpack 'install
           (lambda _
             (let ((certs-dir (string-append %output "/etc/ssl/certs/")))
               (with-directory-excursion "nss/lib/ckfw/builtins/"
                 ;; Provide an empty blacklist when the tree ships none,
                 ;; i.e. no exclusions beyond those certdata2pem derives
                 ;; from the trust data itself (presumably it reads this
                 ;; file -- confirm against the tool's source).
                 (when (not (file-exists? "blacklist.txt"))
                   (call-with-output-file "blacklist.txt" (const #t)))
                 ;; Extract selected single certificates from blob.
                 (invoke "certdata2pem")
                 ;; Copy .pem files into the output.
                 (for-each (lambda (pem) (install-file pem certs-dir))
                           (find-files "." ".*\\.pem$")))
               ;; Subject-hash symlinks so OpenSSL can find the CAs.
               (invoke "openssl" "rehash" certs-dir))))))
    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (license license:mpl2.0)))

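(define-public le-certs
  ;; Let's Encrypt root and intermediate certificates.  Each file is fetched
  ;; from letsencrypt.org and pinned by sha256, so a changed upstream file
  ;; fails the build instead of being trusted silently.
  (package
    (name "le-certs")
    (version "1")                       ;bump when the certificate set changes
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
               (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
               (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
               (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
               (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
               (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           ;; Install each certificate under its store file name without the
           ;; hash prefix.  'install-file' is deliberately not used here: it
           ;; keeps the basename as-is, which would retain the store hash.
           ;; (The resulting names presumably follow the download URIs, e.g.
           ;; 'isrgrootx1.pem' / 'isrg-root-x2.pem' -- verify if an origin
           ;; ever gains an explicit FILE-NAME.)
           (for-each
            (lambda (cert)
              (copy-file cert (string-append out "/"
                                             (strip-store-file-name cert))))
            (list root-rsa root-ecdsa
                  intermediate-rsa intermediate-ecdsa
                  backup-rsa backup-ecdsa))

           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar.)  Use the OUT binding directly rather than rebuilding
           ;; the same path from %OUTPUT, so the two cannot drift apart.
           ;; (nss-certs above uses 'openssl rehash'; c_rehash is kept here
           ;; as-is to leave the produced symlink set unchanged.)
           (chdir out)
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs
     (list openssl perl))               ;for 'c_rehash'
    (inputs
     `(;; The Let's Encrypt root certificate, "ISRG Root X1".
       ("isrgrootx1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
           (sha256
            (base32
             "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
       ;; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2".
       ;; Let's Encrypt describes it as "Active, limited availability".
       ("isrgrootx2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
           (sha256
            (base32
             "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
       ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
       ;; RSA certificate.
       ("letsencryptauthorityr3.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
           (sha256
            (base32
             "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
       ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
       ;; ECDSA certificate.
       ("letsencryptauthoritye1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
           (sha256
            (base32
             "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
       ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
       ;; RSA certificate.  This will be used for disaster recovery and will
       ;; only be used should Let's Encrypt lose the ability to issue with
       ;; "Let’s Encrypt Authority R3".
       ("letsencryptauthorityr4.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
           (sha256
            (base32
             "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
       ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
       ;; ECDSA certificate.  This will be used for disaster recovery and will
       ;; only be used should Let's Encrypt lose the ability to issue with
       ;; "Let’s Encrypt Authority E1".
       ("letsencryptauthoritye2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
           (sha256
            (base32
             "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
    (home-page "https://letsencrypt.org/certificates/")
    (synopsis "Let's Encrypt root and intermediate certificates")
    (description "This package provides a certificate store containing only the
Let's Encrypt root and intermediate certificates. It is intended to be used
within Guix.")
    (license license:public-domain)))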