1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
6 ;;; This file is part of GNU Guix.
8 ;;; GNU Guix is free software; you can redistribute it and/or modify it
9 ;;; under the terms of the GNU General Public License as published by
10 ;;; the Free Software Foundation; either version 3 of the License, or (at
11 ;;; your option) any later version.
13 ;;; GNU Guix is distributed in the hope that it will be useful, but
14 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
15 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 ;;; GNU General Public License for more details.
18 ;;; You should have received a copy of the GNU General Public License
19 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
21 (define-module (gnu packages certs)
22 #:use-module ((guix licenses) #:prefix license:)
23 #:use-module (guix packages)
24 #:use-module (guix download)
25 #:use-module (guix build-system gnu)
26 #:use-module (guix build-system trivial)
27 #:use-module (gnu packages)
28 #:use-module (gnu packages python)
29 #:use-module (gnu packages perl)
30 #:use-module (gnu packages tls))
40 "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
41 (file-name "certdata2pem.py")
44 "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
45 (build-system trivial-build-system)
47 `(("python" ,python-2)))
49 `(#:modules ((guix build utils))
52 (use-modules (guix build utils))
53 (let ((bin (string-append %output "/bin")))
54 (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
55 (chmod "certdata2pem.py" #o555)
56 (substitute* "certdata2pem.py"
58 (string-append (assoc-ref %build-inputs "python")
60 ;; Use the file extension .pem instead of .crt.
63 (copy-file "certdata2pem.py"
64 (string-append bin "/certdata2pem.py"))))))
65 (synopsis "Python script to extract .pem data from certificate collection")
67 "certdata2pem.py is a Python script to transform X.509 certificate
68 \"source code\" as contained, for example, in the Mozilla sources, into
69 .pem formatted certificates.")
70 (license license:gpl2+)
71 (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
73 (define-public nss-certs
79 (uri (let ((version-with-underscores
80 (string-join (string-split version #\.) "_")))
82 "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
83 "releases/NSS_" version-with-underscores "_RTM/src/"
84 "nss-" version ".tar.gz")))
87 "149807rmzb76hnh48rw4m9jw83iw0168njzchz0hmbsgc8mk0i5w"))))
88 (build-system gnu-build-system)
91 `(("certdata2pem" ,certdata2pem)
93 ("perl" ,perl))) ;for OpenSSL's 'c_rehash'
95 (propagated-inputs '())
97 `(#:modules ((guix build gnu-build-system)
106 (let ((certsdir (string-append %output "/etc/ssl/certs/"))
107 (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
(define (maybe-install-cert file)
  ;; Copy FILE into CERTSDIR, but only when its contents match TRUSTED-RX,
  ;; i.e. contain an "# openssl-trust=" marker followed by a letter.
  ;; Files without that marker are skipped and never reach the output
  ;; certificate directory; this is the only trust filter applied here.
  ;; NOTE(review): the marker is presumably written by certdata2pem.py for
  ;; certificates that carry at least one trust purpose; confirm against
  ;; the script.
  ;; FILE is appended verbatim to CERTSDIR, so it must be a relative path.
  (let* ((pem-text (call-with-input-file file get-string-all))
         (trusted? (regexp-exec trusted-rx pem-text)))
    (if trusted?
        (call-with-output-file (string-append certsdir file)
          (lambda (port)
            (display pem-text port))))))
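(with-directory-excursion "nss/lib/ckfw/builtins/"
  ;; Extract the individual certificates from the certdata.txt blob.
  ;; The exit status is checked so that a failed or interrupted
  ;; extraction aborts the build instead of silently producing an empty
  ;; or incomplete set of CA certificates.
  (let ((status (system* "certdata2pem.py" "certdata.txt")))
    (unless (zero? status)
      (error "certdata2pem.py failed with status" status)))
  ;; Copy the selected .pem files into the output; the filter on the
  ;; trust marker is applied by maybe-install-cert.
  (for-each maybe-install-cert
            (find-files "." ".*\\.pem")))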
125 (with-directory-excursion certsdir
126 ;; create symbolic links for and by openssl
127 ;; Strangely, the call (system* "c_rehash" certsdir)
128 ;; from inside the build dir fails with
129 ;; "Usage error; try -help."
130 ;; This looks like a bug in openssl-1.0.2, but we can also
131 ;; switch into the target directory.
132 (system* "c_rehash" "."))))
134 (map (cut assq <> %standard-phases)
135 '(set-paths install-locale unpack)))))
136 (synopsis "CA certificates from Mozilla")
138 "This package provides certificates for Certification Authorities (CA)
139 taken from the NSS package and thus ultimately from the Mozilla project.")
140 (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
141 (license license:mpl2.0)))