gnu/packages/certs.scm

   1 ;;; GNU Guix --- Functional package management for GNU
   2 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
   3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
   4 ;;;
   5 ;;; This file is part of GNU Guix.
   6 ;;;
   7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
   8 ;;; under the terms of the GNU General Public License as published by
   9 ;;; the Free Software Foundation; either version 3 of the License, or (at
  10 ;;; your option) any later version.
  11 ;;;
  12 ;;; GNU Guix is distributed in the hope that it will be useful, but
  13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
  14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 ;;; GNU General Public License for more details.
  16 ;;;
  17 ;;; You should have received a copy of the GNU General Public License
  18 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
  19
  20 (define-module (gnu packages certs)
  21   #:use-module ((guix licenses) #:prefix license:)
  22   #:use-module (guix packages)
  23   #:use-module (guix download)
  24   #:use-module (guix build-system gnu)
  25   #:use-module (guix build-system trivial)
  26   #:use-module (gnu packages)
  27   #:use-module (gnu packages gnuzilla)
  28   #:use-module (gnu packages openssl)
  29   #:use-module (gnu packages python))
  30
  31 (define certdata2pem
  32   (package
  33     (name "certdata2pem")
  34     (version "2013")
  35     (source
  36      (origin
  37       (method url-fetch)
  38         (uri
  39           "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
  40         (file-name "certdata2pem.py")
  41         (sha256
  42           (base32
  43             "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
  44    (build-system trivial-build-system)
  45    (inputs
  46      `(("python" ,python-2)))
  47    (arguments
  48     `(#:modules ((guix build utils))
  49       #:builder
  50         (begin
  51           (use-modules (guix build utils))
  52           (let ((bin (string-append %output "/bin")))
  53             (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
  54             (chmod "certdata2pem.py" #o555)
  55             (substitute* "certdata2pem.py"
  56               (("/usr/bin/python")
  57                (string-append (assoc-ref %build-inputs "python")
  58                               "/bin/python"))
  59               ;; Use the file extension .pem instead of .crt.
  60               (("crt") "pem"))
  61             (mkdir-p bin)
  62             (copy-file "certdata2pem.py"
  63                        (string-append bin "/certdata2pem.py"))))))
  64    (synopsis "Python script to extract .pem data from certificate collection")
  65    (description
  66     "certdata2pem.py is a Python script to transform X.509 certificate
  67 \"source code\" as contained, for example, in the Mozilla sources, into
  68 .pem formatted certificates.")
  69    (license license:gpl2+)
  70    (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
  71
  72 (define-public nss-certs
  73   (package (inherit nss) ; to reuse the source, version and some metadata
  74     (name "nss-certs")
  75     (build-system gnu-build-system)
  76     (outputs '("out"))
  77     (native-inputs
  78      `(("certdata2pem" ,certdata2pem)
  79        ("openssl" ,openssl)))
  80     (inputs '())
  81     (propagated-inputs '())
  82     (arguments
  83      `(#:modules ((guix build gnu-build-system)
  84                   (guix build utils)
  85                   (rnrs io ports)
  86                   (srfi srfi-26)
  87                   (ice-9 regex))
  88        #:phases
  89          (alist-cons-after
  90            'unpack 'install
  91            (lambda _
  92              (let ((certsdir (string-append %output "/etc/ssl/certs/"))
  93                    (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
  94                                             regexp/newline)))
  95
  96                (define (maybe-install-cert file)
  97                  (let ((cert (call-with-input-file file get-string-all)))
  98                    (when (regexp-exec trusted-rx cert)
  99                      (call-with-output-file
 100                          (string-append certsdir file)
 101                        (cut display cert <>)))))
 102
 103                (mkdir-p certsdir)
 104                (with-directory-excursion "nss/lib/ckfw/builtins/"
 105                  ;; extract single certificates from blob
 106                  (system* "certdata2pem.py" "certdata.txt")
 107                  ;; copy selected .pem files into the output
 108                  (for-each maybe-install-cert
 109                            (find-files "." ".*\\.pem")))
 110
 111                (with-directory-excursion certsdir
 112                  ;; create symbolic links for and by openssl
 113                  ;; Strangely, the call (system* "c_rehash" certsdir)
 114                  ;; from inside the build dir fails with
 115                  ;; "Usage error; try -help."
 116                  ;; This looks like a bug in openssl-1.0.2, but we can also
 117                  ;; switch into the target directory.
 118                  (system* "c_rehash" "."))))
 119
 120            (map (cut assq <> %standard-phases)
 121                 '(set-paths install-locale unpack)))))
 122     (synopsis "CA certificates from Mozilla")
 123     (description
 124       "This package provides certificates for Certification Authorities (CA)
 125 taken from the NSS package and thus ultimately from the Mozilla project.")))