1 | ;;; GNU Guix --- Functional package management for GNU |
2 | ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr> | |
41ce4601 | 3 | ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> |
6f0f5514 | 4 | ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org> |
0a6bd107 | 5 | ;;; Copyright © 2017 Leo Famulari <leo@famulari.name> |
3c747a08 | 6 | ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr> |
7 | ;;; |
8 | ;;; This file is part of GNU Guix. | |
9 | ;;; | |
10 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
11 | ;;; under the terms of the GNU General Public License as published by | |
12 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
13 | ;;; your option) any later version. | |
14 | ;;; | |
15 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
16 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ;;; GNU General Public License for more details. | |
19 | ;;; | |
20 | ;;; You should have received a copy of the GNU General Public License | |
21 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
22 | ||
;;; Certificate-store packages: a build-time helper that splits NSS's
;;; certdata.txt into one PEM file per certificate, the Mozilla CA bundle
;;; derived from NSS, and a minimal store holding only Let's Encrypt's chain.
(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)
  #:use-module (gnu packages python)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages tls))
33 | |
;;; certdata2pem: Fedora's script that splits NSS's certdata.txt into one
;;; PEM file per certificate.  It is used only as a native input of
;;; nss-certs below, which is why it is not exported from this module.
(define certdata2pem
  (package
    (name "certdata2pem")
    (version "2013")
    (source
     (origin
       (method url-fetch)
       ;; Pinned to an explicit git revision (?id=...) of Fedora's
       ;; ca-certificates repository.  The transport is plain HTTP, so the
       ;; sha256 below is what actually guarantees the script's integrity.
       (uri
        "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
       (file-name "certdata2pem.py")
       (sha256
        (base32
         "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
    (build-system trivial-build-system)
    (inputs
     `(("python" ,python-2)))           ;the script is run with python-2
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((bin (string-append %output "/bin")))
           ;; Work on a private copy of the fetched script; it is installed
           ;; read-only and executable (0555) after patching.
           (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
           (chmod "certdata2pem.py" #o555)
           (substitute* "certdata2pem.py"
             ;; Rewrite the absolute /usr/bin/python reference (presumably
             ;; the shebang) to the Python from the build inputs.
             (("/usr/bin/python")
              (string-append (assoc-ref %build-inputs "python")
                             "/bin/python"))
             ;; Use the file extension .pem instead of .crt.
             ;; NOTE(review): "crt" is an unanchored pattern, so every
             ;; occurrence of that substring in the script is rewritten,
             ;; not only the file extension -- confirm against the script
             ;; before bumping the pinned revision.
             (("crt") "pem"))
           (mkdir-p bin)
           (copy-file "certdata2pem.py"
                      (string-append bin "/certdata2pem.py"))
           #t))))
    (synopsis "Python script to extract .pem data from certificate collection")
    (description
     "certdata2pem.py is a Python script to transform X.509 certificate
\"source code\" as contained, for example, in the Mozilla sources, into
.pem formatted certificates.")
    (license license:gpl2+)
    (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
75 | |
;;; nss-certs: the Mozilla CA bundle, extracted from the NSS source tarball.
;;; NSS itself is neither configured nor built; only its certdata.txt is
;;; unpacked, split into PEM files, filtered to the entries carrying an
;;; "openssl-trust=" marker (see 'maybe-install-cert'), and rehashed so
;;; OpenSSL-based clients can use the directory as SSL_CERT_DIR.
(define-public nss-certs
  (package
    (name "nss-certs")
    (version "3.49.1")
    (source (origin
              (method url-fetch)
              ;; NSS release directories use underscores in the version
              ;; ("NSS_3_49_1_RTM"); derive that from VERSION so a bump only
              ;; touches the version field and the hash.
              (uri (let ((version-with-underscores
                          (string-join (string-split version #\.) "_")))
                     (string-append
                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
                      "releases/NSS_" version-with-underscores "_RTM/src/"
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
                "0vh23g16ldvnsrn2dnvdl2i133kizi660r7ilb00vfq2kvj45anr"))))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     `(("certdata2pem" ,certdata2pem)
       ("openssl" ,openssl)
       ("perl" ,perl)))                 ;for OpenSSL's 'c_rehash'
    ;; Explicitly empty: the output is data only, so nothing from the
    ;; build tools above ends up in the package's closure.
    (inputs '())
    (propagated-inputs '())
    (arguments
     `(#:modules ((guix build gnu-build-system)
                  (guix build utils)
                  (rnrs io ports)
                  (srfi srfi-26)
                  (ice-9 regex))
       #:phases
       ;; Keep only the standard phases needed to get at the unpacked
       ;; tarball, then add our own 'install'.
       (modify-phases
           (map (cut assq <> %standard-phases)
                '(set-paths install-locale unpack))
         (add-after 'unpack 'install
           (lambda _
             (let ((certsdir (string-append %output "/etc/ssl/certs/"))
                   ;; Presumably the header certdata2pem.py emits for
                   ;; certificates that carry a trust setting -- verify
                   ;; against the script.  regexp/newline makes ^ match at
                   ;; the start of any line, not only of the whole file.
                   (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
                                            regexp/newline)))

               ;; Copy FILE into CERTSDIR only if its contents match
               ;; TRUSTED-RX; PEM files without that marker are left out of
               ;; the store.
               (define (maybe-install-cert file)
                 (let ((cert (call-with-input-file file get-string-all)))
                   (when (regexp-exec trusted-rx cert)
                     (call-with-output-file
                         (string-append certsdir file)
                       (cut display cert <>)))))

               (mkdir-p certsdir)
               (with-directory-excursion "nss/lib/ckfw/builtins/"
                 ;; extract single certificates from blob
                 (invoke "certdata2pem.py" "certdata.txt")
                 ;; copy selected .pem files into the output
                 (for-each maybe-install-cert
                           (find-files "." ".*\\.pem")))

               (with-directory-excursion certsdir
                 ;; create symbolic links for and by openssl
                 ;; Strangely, the call (system* "c_rehash" certsdir)
                 ;; from inside the build dir fails with
                 ;; "Usage error; try -help."
                 ;; This looks like a bug in openssl-1.0.2, but we can also
                 ;; switch into the target directory.
                 (invoke "c_rehash" "."))
               #t)))))

    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (license license:mpl2.0)))
146 | |
;;; le-certs: a minimal trust store holding only Let's Encrypt's root and
;;; intermediate certificates.  Each PEM file is fetched over HTTPS and
;;; pinned by sha256, so the store's contents cannot change between builds
;;; without an explicit hash update here.
(define-public le-certs
  (package
    (name "le-certs")
    (version "0")
    (source #f)                         ;the certificates are inputs, below
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((root (assoc-ref %build-inputs "isrgrootx1.pem"))
               (intermediate (assoc-ref %build-inputs "letsencryptauthorityx3.pem"))
               (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           ;; Install each PEM under its own file name, with the store
           ;; directory and hash prefix stripped.
           (for-each
            (lambda (cert)
              (copy-file cert (string-append out "/"
                                             (strip-store-file-name cert))))
            (list root intermediate backup))

           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar.)
           ;; c_rehash is run from inside the target directory (the same
           ;; path as OUT); see the note in nss-certs above for why.  INVOKE
           ;; raises on a non-zero exit status, so a failed rehash fails the
           ;; build rather than leaving a store without symlinks.
           (chdir (string-append %output "/etc/ssl/certs"))
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs
     `(("openssl" ,openssl)
       ("perl" ,perl)))                 ;for 'c_rehash'
    (inputs
     `(; The Let's Encrypt root certificate, "ISRG Root X1".
       ("isrgrootx1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
           (sha256
            (base32
             "0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac"))))
       ;; "Let’s Encrypt Authority X3", the active Let's Encrypt intermediate
       ;; certificate.
       ("letsencryptauthorityx3.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem")
           (sha256
            (base32
             "1kvac1dhm1d02bhrfj6l1cz1dpldz6ishb78zzvy8245zgvh7pdn"))))
       ;; "Let’s Encrypt Authority X4", the backup Let's Encrypt intermediate
       ;; certificate. This will be used for disaster recovery and will only be
       ;; used should Let's Encrypt lose the ability to issue with "Let’s
       ;; Encrypt Authority X3".
       ("letsencryptauthorityx4.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem")
           (sha256
            (base32
             "0giiixknr0mls2ir6qqzb42mq7x9a7vz79gbn7fjszbf87pqhpzm"))))))
    (home-page "https://letsencrypt.org/certificates/")
    (synopsis "Let's Encrypt root and intermediate certificates")
    (description "This package provides a certificate store containing only the
Let's Encrypt root and intermediate certificates. It is intended to be used
within Guix.")
    (license license:public-domain)))