1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
5 ;;; This file is part of GNU Guix.
7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
8 ;;; under the terms of the GNU General Public License as published by
9 ;;; the Free Software Foundation; either version 3 of the License, or (at
10 ;;; your option) any later version.
12 ;;; GNU Guix is distributed in the hope that it will be useful, but
13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ;;; GNU General Public License for more details.
17 ;;; You should have received a copy of the GNU General Public License
18 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
20 (define-module (gnu packages certs)
21 #:use-module ((guix licenses) #:prefix license:)
22 #:use-module (guix packages)
23 #:use-module (guix download)
24 #:use-module (guix build-system gnu)
25 #:use-module (guix build-system trivial)
26 #:use-module (gnu packages)
27 #:use-module (gnu packages gnuzilla)
28 #:use-module (gnu packages openssl)
29 #:use-module (gnu packages python))
;; Source of certdata2pem.py: Fedora's ca-certificates git repository, pinned
;; to a single commit through the id= query parameter.
;; NOTE(review): the URL uses plain http, so the transport does not
;; authenticate the download.  The string after the file-name line looks like
;; the origin's content hash, which would be what actually pins the script;
;; confirm against the origin form, whose opening lines are not shown here.
39 "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
40 (file-name "certdata2pem.py")
43 "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
44 (build-system trivial-build-system)
;; python-2 is the interpreter whose store path is spliced into the script by
;; the substitute* call below.
46 `(("python" ,python-2)))
48 `(#:modules ((guix build utils))
51 (use-modules (guix build utils))
52 (let ((bin (string-append %output "/bin")))
;; Work on a local copy of the downloaded script, named certdata2pem.py.
53 (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
;; Mode 555: readable and executable by everyone, writable by no one.
54 (chmod "certdata2pem.py" #o555)
;; Patch the script text.  The patterns being replaced are on lines not
;; shown here; one replacement is built from the "python" input's path.
55 (substitute* "certdata2pem.py"
57 (string-append (assoc-ref %build-inputs "python")
59 ;; Use the file extension .pem instead of .crt.
;; Install the patched script as <output>/bin/certdata2pem.py.
62 (copy-file "certdata2pem.py"
63 (string-append bin "/certdata2pem.py"))))))
64 (synopsis "Python script to extract .pem data from certificate collection")
66 "certdata2pem.py is a Python script to transform X.509 certificate
67 \"source code\" as contained, for example, in the Mozilla sources, into
68 .pem formatted certificates.")
69 (license license:gpl2+)
70 (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
;; nss-certs: builds the system CA certificate directory from the certdata.txt
;; shipped in the NSS sources.  The package inherits from nss, splits the
;; certificate blob into .pem files with certdata2pem.py, installs the ones
;; that match trusted-rx into <output>/etc/ssl/certs/, and runs c_rehash there.
;; Several lines of the definition are not shown in this listing.
72 (define-public nss-certs
73 (package (inherit nss) ; to reuse the source, version and some metadata
75 (build-system gnu-build-system)
;; Build-time tools: the extraction script and openssl (which presumably
;; provides the c_rehash command used below -- confirm).
78 `(("certdata2pem" ,certdata2pem)
79 ("openssl" ,openssl)))
;; Explicitly empty, so no propagated inputs are taken over from nss.
81 (propagated-inputs '())
83 `(#:modules ((guix build gnu-build-system)
92 (let ((certsdir (string-append %output "/etc/ssl/certs/"))
;; trusted-rx is the only filter that decides which extracted certificates
;; are installed: the text must contain "# openssl-trust=" followed by at
;; least one letter.  NOTE(review): the regexp's flag argument is on a line
;; not shown; `^` anchors at each line start only if regexp/newline is passed
;; -- confirm.
93 (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
;; maybe-install-cert: read FILE in full and, if it matches trusted-rx, write
;; its contents unchanged to certsdir + FILE.  Files that do not match are
;; skipped.
96 (define (maybe-install-cert file)
97 (let ((cert (call-with-input-file file get-string-all)))
98 (when (regexp-exec trusted-rx cert)
99 (call-with-output-file
100 (string-append certsdir file)
101 (cut display cert <>)))))
104 (with-directory-excursion "nss/lib/ckfw/builtins/"
105 ;; extract single certificates from blob
;; NOTE(review): the return value of this system* call is discarded, because
;; another expression follows it in the same body.  A failing script would
;; therefore not stop the phase here, and the output could end up with an
;; empty or partial certificate set.  Consider checking the exit status.
106 (system* "certdata2pem.py" "certdata.txt")
107 ;; copy selected .pem files into the output
108 (for-each maybe-install-cert
109 (find-files "." ".*\\.pem")))
111 (with-directory-excursion certsdir
112 ;; create symbolic links for and by openssl
113 ;; Strangely, the call (system* "c_rehash" certsdir)
114 ;; from inside the build dir fails with
115 ;; "Usage error; try -help."
116 ;; This looks like a bug in openssl-1.0.2, but we can also
117 ;; switch into the target directory.
;; NOTE(review): whether the c_rehash status is checked depends on the
;; enclosing lines, which are not shown -- confirm that a failure fails the
;; build.
118 (system* "c_rehash" "."))))
;; Of the standard gnu-build-system phases, only set-paths, install-locale and
;; unpack are looked up here.
120 (map (cut assq <> %standard-phases)
121 '(set-paths install-locale unpack)))))
122 (synopsis "CA certificates from Mozilla")
124 "This package provides certificates for Certification Authorities (CA)
125 taken from the NSS package and thus ultimately from the Mozilla project.")))