HCoop / jackhill / guix / guix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
gnu: emacs-consult: Fix grammar.
[jackhill/guix/guix.git] / gnu / packages / certs.scm
1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
5 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
6 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
7 ;;;
8 ;;; This file is part of GNU Guix.
9 ;;;
10 ;;; GNU Guix is free software; you can redistribute it and/or modify it
11 ;;; under the terms of the GNU General Public License as published by
12 ;;; the Free Software Foundation; either version 3 of the License, or (at
13 ;;; your option) any later version.
14 ;;;
15 ;;; GNU Guix is distributed in the hope that it will be useful, but
16 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;;; GNU General Public License for more details.
19 ;;;
20 ;;; You should have received a copy of the GNU General Public License
21 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
22
23 (define-module (gnu packages certs)
24 #:use-module ((guix licenses) #:prefix license:)
25 #:use-module (guix packages)
26 #:use-module (guix download)
27 #:use-module (guix build-system gnu)
28 #:use-module (guix build-system trivial)
29 #:use-module (gnu packages)
30 #:use-module (gnu packages python)
31 #:use-module (gnu packages perl)
32 #:use-module (gnu packages tls))
33
34 (define certdata2pem
35 (package
36 (name "certdata2pem")
37 (version "2013")
38 (source
39 (origin
40 (method url-fetch)
41 (uri
42 "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
43 (file-name "certdata2pem.py")
44 (sha256
45 (base32
46 "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
47 (build-system trivial-build-system)
48 (inputs
49 `(("python" ,python-2)))
50 (arguments
51 `(#:modules ((guix build utils))
52 #:builder
53 (begin
54 (use-modules (guix build utils))
55 (let ((bin (string-append %output "/bin")))
56 (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
57 (chmod "certdata2pem.py" #o555)
58 (substitute* "certdata2pem.py"
59 (("/usr/bin/python")
60 (string-append (assoc-ref %build-inputs "python")
61 "/bin/python"))
62 ;; Use the file extension .pem instead of .crt.
63 (("crt") "pem"))
64 (mkdir-p bin)
65 (copy-file "certdata2pem.py"
66 (string-append bin "/certdata2pem.py"))
67 #t))))
68 (synopsis "Python script to extract .pem data from certificate collection")
69 (description
70 "certdata2pem.py is a Python script to transform X.509 certificate
71 \"source code\" as contained, for example, in the Mozilla sources, into
72 .pem formatted certificates.")
73 (license license:gpl2+)
74 (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
75
76 (define-public nss-certs
77 (package
78 (name "nss-certs")
79 (version "3.59")
80 (source (origin
81 (method url-fetch)
82 (uri (let ((version-with-underscores
83 (string-join (string-split version #\.) "_")))
84 (string-append
85 "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
86 "releases/NSS_" version-with-underscores "_RTM/src/"
87 "nss-" version ".tar.gz")))
88 (sha256
89 (base32
90 "096fs3z21r171q24ca3rq53p1389xmvqz1f2rpm7nlm8r9s82ag6"))))
91 (build-system gnu-build-system)
92 (outputs '("out"))
93 (native-inputs
94 `(("certdata2pem" ,certdata2pem)
95 ("openssl" ,openssl)
96 ("perl" ,perl))) ;for OpenSSL's 'c_rehash'
97 (inputs '())
98 (propagated-inputs '())
99 (arguments
100 `(#:modules ((guix build gnu-build-system)
101 (guix build utils)
102 (rnrs io ports)
103 (srfi srfi-26)
104 (ice-9 regex))
105 #:phases
106 (modify-phases
107 (map (cut assq <> %standard-phases)
108 '(set-paths install-locale unpack))
109 (add-after 'unpack 'install
110 (lambda _
111 (let ((certsdir (string-append %output "/etc/ssl/certs/"))
112 (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
113 regexp/newline)))
114
115 (define (maybe-install-cert file)
116 (let ((cert (call-with-input-file file get-string-all)))
117 (when (regexp-exec trusted-rx cert)
118 (call-with-output-file
119 (string-append certsdir file)
120 (cut display cert <>)))))
121
122 (mkdir-p certsdir)
123 (with-directory-excursion "nss/lib/ckfw/builtins/"
124 ;; extract single certificates from blob
125 (invoke "certdata2pem.py" "certdata.txt")
126 ;; copy selected .pem files into the output
127 (for-each maybe-install-cert
128 (find-files "." ".*\\.pem")))
129
130 (with-directory-excursion certsdir
131 ;; create symbolic links for and by openssl
132 ;; Strangely, the call (system* "c_rehash" certsdir)
133 ;; from inside the build dir fails with
134 ;; "Usage error; try -help."
135 ;; This looks like a bug in openssl-1.0.2, but we can also
136 ;; switch into the target directory.
137 (invoke "c_rehash" "."))
138 #t))))))
139
140 (synopsis "CA certificates from Mozilla")
141 (description
142 "This package provides certificates for Certification Authorities (CA)
143 taken from the NSS package and thus ultimately from the Mozilla project.")
144 (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
145 (license license:mpl2.0)))
146
147 (define-public le-certs
148 (package
149 (name "le-certs")
150 (version "1")
151 (source #f)
152 (build-system trivial-build-system)
153 (arguments
154 '(#:modules ((guix build utils))
155 #:builder
156 (begin
157 (use-modules (guix build utils))
158 (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
159 (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
160 (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
161 (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
162 (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
163 (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
164 (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
165 (openssl (assoc-ref %build-inputs "openssl"))
166 (perl (assoc-ref %build-inputs "perl")))
167 (mkdir-p out)
168 (for-each
169 (lambda (cert)
170 (copy-file cert (string-append out "/"
171 (strip-store-file-name cert))))
172 (list root-rsa root-ecdsa
173 intermediate-rsa intermediate-ecdsa
174 backup-rsa backup-ecdsa))
175
176 ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
177 ;; similar.)
178 (chdir (string-append %output "/etc/ssl/certs"))
179 (invoke (string-append perl "/bin/perl")
180 (string-append openssl "/bin/c_rehash")
181 ".")))))
182 (native-inputs
183 `(("openssl" ,openssl)
184 ("perl" ,perl))) ;for 'c_rehash'
185 (inputs
186 `(; The Let's Encrypt root certificate, "ISRG Root X1".
187 ("isrgrootx1.pem"
188 ,(origin
189 (method url-fetch)
190 (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
191 (sha256
192 (base32
193 "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
194 ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2"
195 ; Let's Encrypt describes it as "Active, limited availability"
196 ("isrgrootx2.pem"
197 ,(origin
198 (method url-fetch)
199 (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
200 (sha256
201 (base32
202 "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
203 ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
204 ;; RSA certificate.
205 ("letsencryptauthorityr3.pem"
206 ,(origin
207 (method url-fetch)
208 (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
209 (sha256
210 (base32
211 "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
212 ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
213 ;; ECDSA certificate.
214 ("letsencryptauthoritye1.pem"
215 ,(origin
216 (method url-fetch)
217 (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
218 (sha256
219 (base32
220 "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
221 ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
222 ;; RSA certificate. This will be used for disaster recovery and will only be
223 ;; used should Let's Encrypt lose the ability to issue with "Let’s
224 ;; Encrypt Authority R3".
225 ("letsencryptauthorityr4.pem"
226 ,(origin
227 (method url-fetch)
228 (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
229 (sha256
230 (base32
231 "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
232 ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
233 ;; ECDSA certificate. This will be used for disaster recovery and will
234 ;; only be used should Let's Encrypt lose the ability to issue with "Let’s
235 ;; Encrypt Authority E1".
236 ("letsencryptauthoritye2.pem"
237 ,(origin
238 (method url-fetch)
239 (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
240 (sha256
241 (base32
242 "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
243 (home-page "https://letsencrypt.org/certificates/")
244 (synopsis "Let's Encrypt root and intermediate certificates")
245 (description "This package provides a certificate store containing only the
246 Let's Encrypt root and intermediate certificates. It is intended to be used
247 within Guix.")
248 (license license:public-domain)))
jackhill's copy of GNU Guix: https://guix.gnu.org/