[jackhill/guix/guix.git] / gnu / packages / certs.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)
  #:use-module (gnu packages gnuzilla)
  #:use-module (gnu packages openssl)
  #:use-module (gnu packages python))

(define certdata2pem
  (package
    (name "certdata2pem")
    (version "2013")
    (source
     (origin
      (method url-fetch)
        (uri
          "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
        (file-name "certdata2pem.py")
        (sha256
          (base32
            "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
   (build-system trivial-build-system)
   (inputs
     `(("python" ,python-2)))
   (arguments
    `(#:modules ((guix build utils))
      #:builder
        (begin
          (use-modules (guix build utils))
          (let ((bin (string-append %output "/bin")))
            (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
            (chmod "certdata2pem.py" #o555)
            (substitute* "certdata2pem.py"
              (("/usr/bin/python")
               (string-append (assoc-ref %build-inputs "python")
                              "/bin/python"))
              ;; Use the file extension .pem instead of .crt.
              (("crt") "pem"))
            (mkdir-p bin)
            (copy-file "certdata2pem.py"
                       (string-append bin "/certdata2pem.py"))))))
   (synopsis "Python script to extract .pem data from certificate collection")
   (description
    "certdata2pem.py is a Python script to transform X.509 certificate
\"source code\" as contained, for example, in the Mozilla sources, into
.pem formatted certificates.")
   (license license:gpl2+)
   (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))

(define-public nss-certs
  (package (inherit nss) ; to reuse the source, version and some metadata
    (name "nss-certs")
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     `(("certdata2pem" ,certdata2pem)
       ("openssl" ,openssl)))
    (inputs '())
    (propagated-inputs '())
    (arguments
     `(#:modules ((guix build gnu-build-system)
                  (guix build utils)
                  (rnrs io ports)
                  (srfi srfi-26)
                  (ice-9 regex))
       #:phases
         (alist-cons-after
           'unpack 'install
           (lambda _
             (let ((certsdir (string-append %output "/etc/ssl/certs/"))
                   (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
                                            regexp/newline)))

               (define (maybe-install-cert file)
                 (let ((cert (call-with-input-file file get-string-all)))
                   (when (regexp-exec trusted-rx cert)
                     (call-with-output-file
                         (string-append certsdir file)
                       (cut display cert <>)))))

               (mkdir-p certsdir)
               (with-directory-excursion "nss/lib/ckfw/builtins/"
                 ;; extract single certificates from blob
                 (system* "certdata2pem.py" "certdata.txt")
                 ;; copy selected .pem files into the output
                 (for-each maybe-install-cert
                           (find-files "." ".*\\.pem")))

               (with-directory-excursion certsdir
                 ;; create symbolic links for and by openssl
                 ;; Strangely, the call (system* "c_rehash" certsdir)
                 ;; from inside the build dir fails with
                 ;; "Usage error; try -help."
                 ;; This looks like a bug in openssl-1.0.2, but we can also
                 ;; switch into the target directory.
                 (system* "c_rehash" "."))))

           (map (cut assq <> %standard-phases)
                '(set-paths install-locale unpack)))))
    (synopsis "CA certificates from Mozilla")
    (description
      "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")))
Commit	Line	Data
cf053a4f AE	1	;;; GNU Guix --- Functional package management for GNU
cf053a4f AE	2	;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
41ce4601	3	;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
cf053a4f AE	4	;;;
	5	;;; This file is part of GNU Guix.
	6	;;;
	7	;;; GNU Guix is free software; you can redistribute it and/or modify it
	8	;;; under the terms of the GNU General Public License as published by
	9	;;; the Free Software Foundation; either version 3 of the License, or (at
	10	;;; your option) any later version.
	11	;;;
	12	;;; GNU Guix is distributed in the hope that it will be useful, but
	13	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	14	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	;;; GNU General Public License for more details.
	16	;;;
	17	;;; You should have received a copy of the GNU General Public License
	18	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	19
	20	(define-module (gnu packages certs)
	21	#:use-module ((guix licenses) #:prefix license:)
	22	#:use-module (guix packages)
	23	#:use-module (guix download)
6e6e2414	24	#:use-module (guix build-system gnu)
cf053a4f AE	25	#:use-module (guix build-system trivial)
cf053a4f AE	26	#:use-module (gnu packages)
6e6e2414 AE	27	#:use-module (gnu packages gnuzilla)
6e6e2414 AE	28	#:use-module (gnu packages openssl)
cf053a4f AE	29	#:use-module (gnu packages python))
	30
	31	(define certdata2pem
	32	(package
	33	(name "certdata2pem")
	34	(version "2013")
	35	(source
81f36365	36	(origin
cf053a4f AE	37	(method url-fetch)
	38	(uri
	39	"http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
81f36365	40	(file-name "certdata2pem.py")
cf053a4f AE	41	(sha256
	42	(base32
	43	"0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
	44	(build-system trivial-build-system)
	45	(inputs
	46	`(("python" ,python-2)))
	47	(arguments
	48	`(#:modules ((guix build utils))
	49	#:builder
	50	(begin
	51	(use-modules (guix build utils))
	52	(let ((bin (string-append %output "/bin")))
	53	(copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
	54	(chmod "certdata2pem.py" #o555)
	55	(substitute* "certdata2pem.py"
	56	(("/usr/bin/python")
	57	(string-append (assoc-ref %build-inputs "python")
	58	"/bin/python"))
	59	;; Use the file extension .pem instead of .crt.
	60	(("crt") "pem"))
	61	(mkdir-p bin)
	62	(copy-file "certdata2pem.py"
	63	(string-append bin "/certdata2pem.py"))))))
	64	(synopsis "Python script to extract .pem data from certificate collection")
	65	(description
	66	"certdata2pem.py is a Python script to transform X.509 certificate
	67	\"source code\" as contained, for example, in the Mozilla sources, into
	68	.pem formatted certificates.")
	69	(license license:gpl2+)
	70	(home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
6e6e2414 AE	71
	72	(define-public nss-certs
	73	(package (inherit nss) ; to reuse the source, version and some metadata
	74	(name "nss-certs")
	75	(build-system gnu-build-system)
	76	(outputs '("out"))
	77	(native-inputs
	78	`(("certdata2pem" ,certdata2pem)
	79	("openssl" ,openssl)))
	80	(inputs '())
	81	(propagated-inputs '())
	82	(arguments
	83	`(#:modules ((guix build gnu-build-system)
	84	(guix build utils)
41ce4601 MW	85	(rnrs io ports)
	86	(srfi srfi-26)
	87	(ice-9 regex))
6e6e2414 AE	88	#:phases
	89	(alist-cons-after
	90	'unpack 'install
	91	(lambda _
41ce4601 MW	92	(let ((certsdir (string-append %output "/etc/ssl/certs/"))
	93	(trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
	94	regexp/newline)))
	95
	96	(define (maybe-install-cert file)
	97	(let ((cert (call-with-input-file file get-string-all)))
	98	(when (regexp-exec trusted-rx cert)
	99	(call-with-output-file
	100	(string-append certsdir file)
	101	(cut display cert <>)))))
	102
6e6e2414 AE	103	(mkdir-p certsdir)
	104	(with-directory-excursion "nss/lib/ckfw/builtins/"
	105	;; extract single certificates from blob
	106	(system* "certdata2pem.py" "certdata.txt")
41ce4601 MW	107	;; copy selected .pem files into the output
41ce4601 MW	108	(for-each maybe-install-cert
41ce4601 MW	109	(find-files "." ".*\\.pem")))
	110
	111	(with-directory-excursion certsdir
	112	;; create symbolic links for and by openssl
	113	;; Strangely, the call (system* "c_rehash" certsdir)
	114	;; from inside the build dir fails with
	115	;; "Usage error; try -help."
	116	;; This looks like a bug in openssl-1.0.2, but we can also
	117	;; switch into the target directory.
	118	(system* "c_rehash" "."))))
	119
6e6e2414	120	(map (cut assq <> %standard-phases)
81f36365	121	'(set-paths install-locale unpack)))))
6e6e2414 AE	122	(synopsis "CA certificates from Mozilla")
	123	(description
	124	"This package provides certificates for Certification Authorities (CA)
	125	taken from the NSS package and thus ultimately from the Mozilla project.")))