| 1 | ;;; GNU Guix --- Functional package management for GNU |
| 2 | ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr> |
| 3 | ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> |
| 4 | ;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org> |
| 5 | ;;; |
| 6 | ;;; This file is part of GNU Guix. |
| 7 | ;;; |
| 8 | ;;; GNU Guix is free software; you can redistribute it and/or modify it |
| 9 | ;;; under the terms of the GNU General Public License as published by |
| 10 | ;;; the Free Software Foundation; either version 3 of the License, or (at |
| 11 | ;;; your option) any later version. |
| 12 | ;;; |
| 13 | ;;; GNU Guix is distributed in the hope that it will be useful, but |
| 14 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of |
| 15 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 16 | ;;; GNU General Public License for more details. |
| 17 | ;;; |
| 18 | ;;; You should have received a copy of the GNU General Public License |
| 19 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. |
| 20 | |
| 21 | (define-module (gnu packages certs) |
| 22 | #:use-module ((guix licenses) #:prefix license:) |
| 23 | #:use-module (guix packages) |
| 24 | #:use-module (guix download) |
| 25 | #:use-module (guix build-system gnu) |
| 26 | #:use-module (guix build-system trivial) |
| 27 | #:use-module (gnu packages) |
| 28 | #:use-module (gnu packages python) |
| 29 | #:use-module (gnu packages perl) |
| 30 | #:use-module (gnu packages tls)) |
| 31 | |
(define certdata2pem
  ;; Fedora's helper script that splits Mozilla's certdata.txt into one
  ;; PEM file per certificate.  The URI pins a single Git revision of
  ;; Fedora's ca-certificates repository via its ?id= query parameter, and
  ;; the content is fixed by the sha256 below: the plain-HTTP transport
  ;; cannot silently change what gets built, since a download that does
  ;; not match the recorded hash fails the fixed-output derivation.
  (package
    (name "certdata2pem")
    (version "2013")
    (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")
    (source
     (origin
       (method url-fetch)
       (uri
        "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
       (file-name "certdata2pem.py")
       (sha256
        (base32
         "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
    (build-system trivial-build-system)
    (inputs
     `(("python" ,python-2)))
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((script "certdata2pem.py")
                (bindir (string-append %output "/bin"))
                (target (string-append bindir "/" script)))
           ;; Work on a private, executable copy of the downloaded script
           ;; rather than patching the store item directly.
           (copy-file (assoc-ref %build-inputs "source") script)
           (chmod script #o555)
           (substitute* script
             ;; Point the shebang at the Python 2 interpreter from the
             ;; store instead of the host's /usr/bin/python.
             (("/usr/bin/python")
              (string-append (assoc-ref %build-inputs "python")
                             "/bin/python"))
             ;; Use the file extension .pem instead of .crt.  NOTE(review):
             ;; this rewrites every "crt" substring in the script, not only
             ;; the extension; presumably only the extension matches in this
             ;; pinned revision -- re-check if the script is ever updated.
             (("crt") "pem"))
           (mkdir-p bindir)
           (copy-file script target)))))
    (synopsis "Python script to extract .pem data from certificate collection")
    (description
     "certdata2pem.py is a Python script to transform X.509 certificate
\"source code\" as contained, for example, in the Mozilla sources, into
.pem formatted certificates.")
    (license license:gpl2+)))
| 72 | |
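(define-public nss-certs
  ;; Mozilla's CA trust store, extracted from the NSS source tarball.  The
  ;; tarball is fetched over HTTPS and pinned by sha256, so certdata.txt
  ;; itself is integrity-checked as part of the source; the build below
  ;; only reformats it.
  (package
    (name "nss-certs")
    (version "3.27.2")
    (source (origin
              (method url-fetch)
              (uri (let ((version-with-underscores
                          (string-join (string-split version #\.) "_")))
                     (string-append
                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
                      "releases/NSS_" version-with-underscores "_RTM/src/"
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
                "0945q9yyhax9lkhxs1bjlr5gwknpvhzsa4zxfh127l398i9ci2nw"))))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     `(("certdata2pem" ,certdata2pem)
       ("openssl" ,openssl)
       ("perl" ,perl)))                 ;for OpenSSL's 'c_rehash'
    (inputs '())
    (propagated-inputs '())
    (arguments
     `(#:modules ((guix build gnu-build-system)
                  (guix build utils)
                  (rnrs io ports)
                  (srfi srfi-26)
                  (ice-9 regex))
       #:phases
       (alist-cons-after
        'unpack 'install
        (lambda _
          (let ((certsdir (string-append %output "/etc/ssl/certs/"))
                ;; Only .pem files whose text contains a line starting with
                ;; "# openssl-trust=<letter>" are installed.  Presumably
                ;; certdata2pem.py emits that marker for entries Mozilla
                ;; grants a trust bit and omits it for distrusted-only
                ;; entries -- confirm against the script's output.  Any
                ;; trust value matches, so the filter does not distinguish
                ;; trust purposes (e.g. server vs. e-mail): everything that
                ;; passes ends up equally trusted by OpenSSL CApath lookups.
                (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
                                         regexp/newline)))

            ;; Copy FILE into CERTSDIR when it carries the trust marker;
            ;; silently skip it otherwise.
            (define (maybe-install-cert file)
              (let ((cert (call-with-input-file file get-string-all)))
                (when (regexp-exec trusted-rx cert)
                  (call-with-output-file
                      (string-append certsdir file)
                    (cut display cert <>)))))

            (mkdir-p certsdir)
            (with-directory-excursion "nss/lib/ckfw/builtins/"
              ;; Extract single certificates from the blob.  'system*'
              ;; returns the exit status, and a non-zero status is still a
              ;; true value in Scheme, so without this check a failed
              ;; extraction would leave an empty or partial trust store
              ;; while the build reports success.
              (unless (zero? (system* "certdata2pem.py" "certdata.txt"))
                (error "certdata2pem.py failed to extract certificates"))
              ;; Copy the selected .pem files into the output.
              (for-each maybe-install-cert
                        (find-files "." ".*\\.pem")))

            (with-directory-excursion certsdir
              ;; Create the hash-named symbolic links OpenSSL's CApath
              ;; lookup depends on.  Strangely, the call
              ;; (system* "c_rehash" certsdir) from inside the build dir
              ;; fails with "Usage error; try -help."  This looks like a
              ;; bug in openssl-1.0.2, but we can also switch into the
              ;; target directory.  The phase's value is the boolean
              ;; success of c_rehash so that a failed rehash (a directory
              ;; OpenSSL cannot search) fails the build instead of being
              ;; ignored.
              (zero? (system* "c_rehash" ".")))))

        ;; Keep only the phases needed to get the NSS sources unpacked;
        ;; nothing is configured, compiled or tested.
        (map (cut assq <> %standard-phases)
             '(set-paths install-locale unpack)))))
    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (license license:mpl2.0)))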