[jackhill/guix/guix.git] / gnu / packages / certs.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)
  #:use-module (gnu packages python)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages tls))

(define certdata2pem
  (package
    (name "certdata2pem")
    (version "2013")
    (source
     (origin
      (method url-fetch)
        (uri
          "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
        (file-name "certdata2pem.py")
        (sha256
          (base32
            "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
   (build-system trivial-build-system)
   (inputs
     `(("python" ,python-2)))
   (arguments
    `(#:modules ((guix build utils))
      #:builder
        (begin
          (use-modules (guix build utils))
          (let ((bin (string-append %output "/bin")))
            (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
            (chmod "certdata2pem.py" #o555)
            (substitute* "certdata2pem.py"
              (("/usr/bin/python")
               (string-append (assoc-ref %build-inputs "python")
                              "/bin/python"))
              ;; Use the file extension .pem instead of .crt.
              (("crt") "pem"))
            (mkdir-p bin)
            (copy-file "certdata2pem.py"
                       (string-append bin "/certdata2pem.py"))))))
   (synopsis "Python script to extract .pem data from certificate collection")
   (description
    "certdata2pem.py is a Python script to transform X.509 certificate
\"source code\" as contained, for example, in the Mozilla sources, into
.pem formatted certificates.")
   (license license:gpl2+)
   (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))

(define-public nss-certs
  (package
    (name "nss-certs")
    (version "3.27.2")
    (source (origin
              (method url-fetch)
              (uri (let ((version-with-underscores
                          (string-join (string-split version #\.) "_")))
                     (string-append
                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
                      "releases/NSS_" version-with-underscores "_RTM/src/"
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
                "0945q9yyhax9lkhxs1bjlr5gwknpvhzsa4zxfh127l398i9ci2nw"))))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     `(("certdata2pem" ,certdata2pem)
       ("openssl" ,openssl)
       ("perl" ,perl)))                           ;for OpenSSL's 'c_rehash'
    (inputs '())
    (propagated-inputs '())
    (arguments
     `(#:modules ((guix build gnu-build-system)
                  (guix build utils)
                  (rnrs io ports)
                  (srfi srfi-26)
                  (ice-9 regex))
       #:phases
         (alist-cons-after
           'unpack 'install
           (lambda _
             (let ((certsdir (string-append %output "/etc/ssl/certs/"))
                   (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
                                            regexp/newline)))

               (define (maybe-install-cert file)
                 (let ((cert (call-with-input-file file get-string-all)))
                   (when (regexp-exec trusted-rx cert)
                     (call-with-output-file
                         (string-append certsdir file)
                       (cut display cert <>)))))

               (mkdir-p certsdir)
               (with-directory-excursion "nss/lib/ckfw/builtins/"
                 ;; extract single certificates from blob
                 (system* "certdata2pem.py" "certdata.txt")
                 ;; copy selected .pem files into the output
                 (for-each maybe-install-cert
                           (find-files "." ".*\\.pem")))

               (with-directory-excursion certsdir
                 ;; create symbolic links for and by openssl
                 ;; Strangely, the call (system* "c_rehash" certsdir)
                 ;; from inside the build dir fails with
                 ;; "Usage error; try -help."
                 ;; This looks like a bug in openssl-1.0.2, but we can also
                 ;; switch into the target directory.
                 (system* "c_rehash" "."))))

           (map (cut assq <> %standard-phases)
                '(set-paths install-locale unpack)))))
    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (license license:mpl2.0)))
Commit	Line	Data
cf053a4f AE	1	;;; GNU Guix --- Functional package management for GNU
cf053a4f AE	2	;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
41ce4601	3	;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
745ad37a	4	;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
cf053a4f AE	5	;;;
	6	;;; This file is part of GNU Guix.
	7	;;;
	8	;;; GNU Guix is free software; you can redistribute it and/or modify it
	9	;;; under the terms of the GNU General Public License as published by
	10	;;; the Free Software Foundation; either version 3 of the License, or (at
	11	;;; your option) any later version.
	12	;;;
	13	;;; GNU Guix is distributed in the hope that it will be useful, but
	14	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	15	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	;;; GNU General Public License for more details.
	17	;;;
	18	;;; You should have received a copy of the GNU General Public License
	19	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	20
	21	(define-module (gnu packages certs)
	22	#:use-module ((guix licenses) #:prefix license:)
	23	#:use-module (guix packages)
	24	#:use-module (guix download)
6e6e2414	25	#:use-module (guix build-system gnu)
cf053a4f AE	26	#:use-module (guix build-system trivial)
cf053a4f AE	27	#:use-module (gnu packages)
cc2b77df	28	#:use-module (gnu packages python)
784d6e91	29	#:use-module (gnu packages perl)
cc2b77df	30	#:use-module (gnu packages tls))
cf053a4f AE	31
	32	(define certdata2pem
	33	(package
	34	(name "certdata2pem")
	35	(version "2013")
	36	(source
81f36365	37	(origin
cf053a4f AE	38	(method url-fetch)
	39	(uri
	40	"http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
81f36365	41	(file-name "certdata2pem.py")
cf053a4f AE	42	(sha256
	43	(base32
	44	"0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
	45	(build-system trivial-build-system)
	46	(inputs
	47	`(("python" ,python-2)))
	48	(arguments
	49	`(#:modules ((guix build utils))
	50	#:builder
	51	(begin
	52	(use-modules (guix build utils))
	53	(let ((bin (string-append %output "/bin")))
	54	(copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
	55	(chmod "certdata2pem.py" #o555)
	56	(substitute* "certdata2pem.py"
	57	(("/usr/bin/python")
	58	(string-append (assoc-ref %build-inputs "python")
	59	"/bin/python"))
	60	;; Use the file extension .pem instead of .crt.
	61	(("crt") "pem"))
	62	(mkdir-p bin)
	63	(copy-file "certdata2pem.py"
	64	(string-append bin "/certdata2pem.py"))))))
	65	(synopsis "Python script to extract .pem data from certificate collection")
	66	(description
	67	"certdata2pem.py is a Python script to transform X.509 certificate
	68	\"source code\" as contained, for example, in the Mozilla sources, into
	69	.pem formatted certificates.")
	70	(license license:gpl2+)
	71	(home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
6e6e2414 AE	72
6e6e2414 AE	73	(define-public nss-certs
745ad37a	74	(package
6e6e2414	75	(name "nss-certs")
7ab3ea42	76	(version "3.27.2")
745ad37a RW	77	(source (origin
	78	(method url-fetch)
	79	(uri (let ((version-with-underscores
	80	(string-join (string-split version #\.) "_")))
	81	(string-append
	82	"https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
	83	"releases/NSS_" version-with-underscores "_RTM/src/"
	84	"nss-" version ".tar.gz")))
	85	(sha256
	86	(base32
7ab3ea42	87	"0945q9yyhax9lkhxs1bjlr5gwknpvhzsa4zxfh127l398i9ci2nw"))))
6e6e2414 AE	88	(build-system gnu-build-system)
	89	(outputs '("out"))
	90	(native-inputs
	91	`(("certdata2pem" ,certdata2pem)
784d6e91 LC	92	("openssl" ,openssl)
784d6e91 LC	93	("perl" ,perl))) ;for OpenSSL's 'c_rehash'
6e6e2414 AE	94	(inputs '())
	95	(propagated-inputs '())
	96	(arguments
	97	`(#:modules ((guix build gnu-build-system)
	98	(guix build utils)
41ce4601 MW	99	(rnrs io ports)
	100	(srfi srfi-26)
	101	(ice-9 regex))
6e6e2414 AE	102	#:phases
	103	(alist-cons-after
	104	'unpack 'install
	105	(lambda _
41ce4601 MW	106	(let ((certsdir (string-append %output "/etc/ssl/certs/"))
	107	(trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
	108	regexp/newline)))
	109
	110	(define (maybe-install-cert file)
	111	(let ((cert (call-with-input-file file get-string-all)))
	112	(when (regexp-exec trusted-rx cert)
	113	(call-with-output-file
	114	(string-append certsdir file)
	115	(cut display cert <>)))))
	116
6e6e2414 AE	117	(mkdir-p certsdir)
	118	(with-directory-excursion "nss/lib/ckfw/builtins/"
	119	;; extract single certificates from blob
	120	(system* "certdata2pem.py" "certdata.txt")
41ce4601 MW	121	;; copy selected .pem files into the output
41ce4601 MW	122	(for-each maybe-install-cert
41ce4601 MW	123	(find-files "." ".*\\.pem")))
	124
	125	(with-directory-excursion certsdir
	126	;; create symbolic links for and by openssl
	127	;; Strangely, the call (system* "c_rehash" certsdir)
	128	;; from inside the build dir fails with
	129	;; "Usage error; try -help."
	130	;; This looks like a bug in openssl-1.0.2, but we can also
	131	;; switch into the target directory.
	132	(system* "c_rehash" "."))))
	133
6e6e2414	134	(map (cut assq <> %standard-phases)
81f36365	135	'(set-paths install-locale unpack)))))
6e6e2414 AE	136	(synopsis "CA certificates from Mozilla")
6e6e2414 AE	137	(description
745ad37a RW	138	"This package provides certificates for Certification Authorities (CA)
	139	taken from the NSS package and thus ultimately from the Mozilla project.")
	140	(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
	141	(license license:mpl2.0)))