1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016-2017, 2021-2022 Ludovic Courtès <ludo@gnu.org>
5 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
6 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
7 ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
8 ;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
10 ;;;
11 ;;; This file is part of GNU Guix.
12 ;;;
13 ;;; GNU Guix is free software; you can redistribute it and/or modify it
14 ;;; under the terms of the GNU General Public License as published by
15 ;;; the Free Software Foundation; either version 3 of the License, or (at
16 ;;; your option) any later version.
17 ;;;
18 ;;; GNU Guix is distributed in the hope that it will be useful, but
19 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
20 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 ;;; GNU General Public License for more details.
22 ;;;
23 ;;; You should have received a copy of the GNU General Public License
24 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
25
26 (define-module (gnu packages certs)
27 #:use-module ((guix licenses) #:prefix license:)
28 #:use-module (guix packages)
29 #:use-module (guix utils)
30 #:use-module (guix download)
31 #:use-module (guix gexp)
32 #:use-module (guix git-download)
33 #:use-module (guix build-system copy)
34 #:use-module (guix build-system gnu)
35 #:use-module (guix build-system trivial)
36 #:use-module (gnu packages)
37 #:use-module (gnu packages curl)
38 #:use-module (gnu packages python)
39 #:use-module (gnu packages perl)
40 #:use-module (gnu packages tls))
41
(define-public desec-certbot-hook
  ;; Certbot hook script for deSEC's DNS-01 challenge, pinned to a specific
  ;; upstream commit.
  (let ((pinned-commit "68da7abc0793602fd336962a7e2348b57c5d6fd6")
        (pinned-revision "0"))
    (package
      (name "desec-certbot-hook")
      (version (git-version "0" pinned-revision pinned-commit))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://github.com/desec-io/desec-certbot-hook")
                      (commit pinned-commit)))
                (file-name (git-file-name name version))
                (sha256
                 (base32
                  "0qjqk6i85b1y7fgzcx74r4gn2i4dkjza34hkzp6kyn9hrb8f2gv2"))))
      (build-system copy-build-system)
      (inputs
       (list curl))
      (arguments
       `(#:install-plan
         ;; Only the script itself is shipped, under etc/desec.
         '(("." "etc/desec" #:include ("hook.sh")))
         #:phases
         (modify-phases %standard-phases
           (add-after 'unpack 'patch-script
             (lambda* (#:key inputs #:allow-other-keys)
               (substitute* "hook.sh"
                 ;; Upstream reads '.dedynauth' from $PWD, which is useless
                 ;; for a read-only store item, so point it at /etc/desec
                 ;; instead.  NOTE(review): that file presumably holds the
                 ;; deSEC API credentials; keep it readable only by the user
                 ;; running certbot (nothing here enforces that).
                 (("\\$\\(pwd\\)")
                  "/etc/desec")
                 ;; Refer to curl by its store path so the hook does not
                 ;; depend on PATH.  This rewrites every occurrence of the
                 ;; substring "curl" in the script, not only the command
                 ;; name, which is fine as long as upstream uses the word
                 ;; nowhere else (not verified here).
                 (("curl")
                  (search-input-file inputs "bin/curl"))))))))
      (synopsis "Certbot DNS challenge automatization for deSEC")
      (description "The deSEC can be used to obtain certificates with certbot
DNS ownership verification. With the help of this hook script, you can obtain
your Let's Encrypt certificate using certbot with authorization provided by the
DNS challenge mechanism, that is, you will not need a running web server or any
port forwarding to your local machine.")
      (home-page "https://desec.io")
      (license license:expat))))
88
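(define-public certdata2pem
  ;; Tiny C tool that splits Mozilla's certdata.txt into one PEM file per
  ;; certificate; used at build time by 'nss-certs'.  Upstream is a single
  ;; file in the sabotage-linux tree, so it is pinned by commit and hash.
  ;; (The former unused 'revision' binding has been dropped: the version
  ;; string below is fixed and does not derive from it.)
  (let ((commit "4c576f350f44186d439179f63d5be19f710a73f5"))
    (package
      (name "certdata2pem")
      (version "0.0.0")                 ;upstream has no version number
      (source (origin
                (method url-fetch)
                (uri (string-append
                      "https://raw.githubusercontent.com/sabotage-linux/sabotage/"
                      commit "/KEEP/certdata2pem.c"))
                (sha256
                 (base32
                  "1rywp29q4l1cs2baplkbcravxqs4kw2cys4yifhfznbc210pskq6"))))
      (build-system gnu-build-system)
      (arguments
       `(#:phases (modify-phases %standard-phases
                    (delete 'configure) ;a lone C file, no build system
                    (add-before 'build 'fix-extension
                      (lambda _
                        ;; Emit ".pem" rather than ".crt" files; that is the
                        ;; suffix 'nss-certs' collects after running this tool.
                        (substitute* "certdata2pem.c"
                          (("\\.crt")
                           ".pem"))))
                    (replace 'build
                      (lambda _
                        (invoke ,(cc-for-target) "certdata2pem.c"
                                "-o" "certdata2pem")))
                    (delete 'check)     ;no test suite
                    (replace 'install
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let ((out (assoc-ref outputs "out")))
                          (install-file "certdata2pem"
                                        (string-append out "/bin"))))))))
      (home-page "https://github.com/sabotage-linux/")
      (synopsis "Utility to split TLS certificates data into multiple PEM files")
      ;; NOTE(review): whether the converter honours the per-certificate trust
      ;; flags in certdata.txt (and so omits distrusted roots) is decided by
      ;; the C source, not by this recipe -- confirm before relying on it.
      (description "This is a C version of the certdata2pem Python utility
that was originally contributed to Debian.")
      (license license:isc))))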
127
(define-public nss-certs
  (package
    (name "nss-certs")
    ;; XXX Referring to the 'nss' package from here caused module cycles, so
    ;; the version, hash, patches and snippet below duplicate those of 'nss'
    ;; and must be bumped by hand whenever 'nss' is.  Keep it current: this
    ;; version decides which certdata.txt, and hence which roots, end up in
    ;; the bundle.
    (version "3.71")
    (source (origin
              (method url-fetch)
              (uri (let ((underscored
                          ;; "3.71" -> "3_71", as used in the release path.
                          (string-map (lambda (chr)
                                        (if (char=? chr #\.) #\_ chr))
                                      version)))
                     (string-append
                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
                      "releases/NSS_" underscored "_RTM/src/"
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
                "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r"))
              ;; Create nss.pc and nss-config.
              (patches (search-patches "nss-3.56-pkgconfig.patch"
                                       "nss-getcwd-nonnull.patch"
                                       "nss-increase-test-timeout.patch"))
              (modules '((guix build utils)))
              (snippet
               ;; Drop the bundled copies of these libraries.
               '(for-each delete-file-recursively
                          '("nss/lib/zlib" "nss/lib/sqlite")))))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     (list certdata2pem openssl))
    (inputs '())
    (propagated-inputs '())
    (arguments
     (list #:modules '((guix build gnu-build-system)
                       (guix build utils)
                       (rnrs io ports)
                       (srfi srfi-26))
           #:phases
           ;; Nothing is compiled: keep only the phases needed to get the
           ;; sources unpacked, then extract the certificates.
           #~(modify-phases
                 (map (cut assq <> %standard-phases)
                      '(set-paths install-locale unpack))
               (add-after 'unpack 'install
                 (lambda _
                   (let ((cert-dir (string-append #$output
                                                  "/etc/ssl/certs/")))
                     (with-directory-excursion "nss/lib/ckfw/builtins/"
                       ;; Provide an empty blacklist.txt when the tarball
                       ;; lacks one.  NOTE(review): presumably certdata2pem
                       ;; reads it for certificates to drop, so an empty file
                       ;; excludes nothing beyond what certdata.txt itself
                       ;; marks -- confirm against the tool's source.
                       (unless (file-exists? "blacklist.txt")
                         (with-output-to-file "blacklist.txt"
                           (const #t)))
                       ;; Split certdata.txt into one .pem file per cert.
                       (invoke "certdata2pem")
                       (for-each (lambda (pem)
                                   (install-file pem cert-dir))
                                 (find-files "." "\\.pem$")))
                     ;; Subject-hash symlinks for OpenSSL's SSL_CERT_DIR.
                     (invoke "openssl" "rehash" cert-dir)))))))
    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (license license:mpl2.0)))
190
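(define-public le-certs
  ;; A certificate directory holding only the Let's Encrypt roots and
  ;; intermediates, hashed for OpenSSL-style lookups.
  ;;
  ;; NOTE(review): OpenSSL treats every certificate found in a hashed
  ;; directory as a trust anchor, so the intermediates below are trusted
  ;; directly rather than only through the ISRG roots.  Keep that in mind
  ;; when using this as a restricted trust store.
  (package
    (name "le-certs")
    (version "1")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
               (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
               (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
               (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
               (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
               (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl")))
           (mkdir-p out)
           ;; Each input is a single PEM file in the store; copy it under its
           ;; hash-less name (the basename of the URL it was fetched from).
           (for-each
            (lambda (cert)
              (copy-file cert (string-append out "/"
                                             (strip-store-file-name cert))))
            (list root-rsa root-ecdsa
                  intermediate-rsa intermediate-ecdsa
                  backup-rsa backup-ecdsa))

           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar).  Use 'openssl rehash' on the directory, as 'nss-certs'
           ;; does, instead of the Perl 'c_rehash' script: the two certificate
           ;; packages then agree, and Perl is no longer needed at build time.
           (invoke (string-append openssl "/bin/openssl") "rehash" out)))))
    (native-inputs
     (list openssl))                    ;for 'openssl rehash'
    (inputs
     `(; The Let's Encrypt root certificate, "ISRG Root X1".
       ("isrgrootx1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
           (sha256
            (base32
             "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
       ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2"
       ; Let's Encrypt describes it as "Active, limited availability"
       ("isrgrootx2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
           (sha256
            (base32
             "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
       ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
       ;; RSA certificate.
       ("letsencryptauthorityr3.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
           (sha256
            (base32
             "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
       ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
       ;; ECDSA certificate.
       ("letsencryptauthoritye1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
           (sha256
            (base32
             "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
       ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
       ;; RSA certificate. This will be used for disaster recovery and will only be
       ;; used should Let's Encrypt lose the ability to issue with "Let’s
       ;; Encrypt Authority R3".
       ("letsencryptauthorityr4.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
           (sha256
            (base32
             "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
       ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
       ;; ECDSA certificate. This will be used for disaster recovery and will
       ;; only be used should Let's Encrypt lose the ability to issue with "Let’s
       ;; Encrypt Authority E1".
       ("letsencryptauthoritye2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
           (sha256
            (base32
             "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
    (home-page "https://letsencrypt.org/certificates/")
    (synopsis "Let's Encrypt root and intermediate certificates")
    (description "This package provides a certificate store containing only the
Let's Encrypt root and intermediate certificates. It is intended to be used
within Guix.")
    (license license:public-domain)))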