1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
5 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
6 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
8 ;;; This file is part of GNU Guix.
10 ;;; GNU Guix is free software; you can redistribute it and/or modify it
11 ;;; under the terms of the GNU General Public License as published by
12 ;;; the Free Software Foundation; either version 3 of the License, or (at
13 ;;; your option) any later version.
15 ;;; GNU Guix is distributed in the hope that it will be useful, but
16 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;;; GNU General Public License for more details.
20 ;;; You should have received a copy of the GNU General Public License
21 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;; Module holding Guix's CA-certificate packages: the certdata2pem helper,
;; nss-certs (the Mozilla bundle) and le-certs (Let's Encrypt only).
;; (gnu packages tls) supplies the openssl used for 'c_rehash' below.
23 (define-module (gnu packages certs)
24 #:use-module ((guix licenses) #:prefix license:)
25 #:use-module (guix packages)
26 #:use-module (guix download)
27 #:use-module (guix build-system gnu)
28 #:use-module (guix build-system trivial)
29 #:use-module (gnu packages)
30 #:use-module (gnu packages python)
31 #:use-module (gnu packages perl)
32 #:use-module (gnu packages tls))
42 "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
43 (file-name "certdata2pem.py")
46 "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
47 (build-system trivial-build-system)
49 `(("python" ,python-2)))
51 `(#:modules ((guix build utils))
54 (use-modules (guix build utils))
55 (let ((bin (string-append %output "/bin")))
56 (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
57 (chmod "certdata2pem.py" #o555)
58 (substitute* "certdata2pem.py"
60 (string-append (assoc-ref %build-inputs "python")
62 ;; Use the file extension .pem instead of .crt.
65 (copy-file "certdata2pem.py"
66 (string-append bin "/certdata2pem.py"))
68 (synopsis "Python script to extract .pem data from certificate collection")
70 "certdata2pem.py is a Python script to transform X.509 certificate
71 \"source code\" as contained, for example, in the Mozilla sources, into
72 .pem formatted certificates.")
73 (license license:gpl2+)
74 (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
;; nss-certs: the Mozilla CA bundle, extracted from the NSS source tree.
;; Only certificates whose PEM output carries an "openssl-trust" line are
;; installed, so $out/etc/ssl/certs is a filtered trust store rather than a
;; dump of everything in certdata.txt.
76 (define-public nss-certs
;; NSS release tarballs live under NSS_<version with dots replaced by
;; underscores>_RTM/; derive that directory name from the version string.
82 (uri (let ((version-with-underscores
83 (string-join (string-split version #\.) "_")))
85 "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
86 "releases/NSS_" version-with-underscores "_RTM/src/"
87 "nss-" version ".tar.gz")))
;; Pinned source hash: the installed trust store is reproducible from it.
90 "096fs3z21r171q24ca3rq53p1389xmvqz1f2rpm7nlm8r9s82ag6"))))
91 (build-system gnu-build-system)
94 `(("certdata2pem" ,certdata2pem)
96 ("perl" ,perl))) ;for OpenSSL's 'c_rehash'
;; Explicitly empty: nothing used only at build time (certdata2pem, perl)
;; is propagated into the profile of whoever installs the bundle.
98 (propagated-inputs '())
100 `(#:modules ((guix build gnu-build-system)
;; Keep only the standard phases needed to unpack; there is nothing to
;; configure or compile.
107 (map (cut assq <> %standard-phases)
108 '(set-paths install-locale unpack))
109 (add-after 'unpack 'install
111 (let ((certsdir (string-append %output "/etc/ssl/certs/"))
;; Trust filter: a .pem is installed only if it contains a line starting
;; "# openssl-trust=" followed by at least one letter.  This single check
;; decides what ends up in the system trust store, so treat any change
;; here as a trust-policy change.  Presumably certdata2pem emits that line
;; only for certificates Mozilla marks as trusted -- verify against the
;; script.  Note that '^' anchors at string start unless 'regexp/newline'
;; is passed; the flags line, if any, is not shown in this excerpt.
112 (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
;; maybe-install-cert: read FILE whole and copy it verbatim into CERTSDIR
;; if and only if it matches TRUSTED-RX.
115 (define (maybe-install-cert file)
116 (let ((cert (call-with-input-file file get-string-all)))
117 (when (regexp-exec trusted-rx cert)
118 (call-with-output-file
119 (string-append certsdir file)
120 (cut display cert <>)))))
123 (with-directory-excursion "nss/lib/ckfw/builtins/"
124 ;; Split certdata.txt into one .pem file per certificate.
125 (invoke "certdata2pem.py" "certdata.txt")
126 ;; Copy only the .pem files that pass the trust filter into the output.
127 (for-each maybe-install-cert
128 (find-files "." ".*\\.pem")))
130 (with-directory-excursion certsdir
131 ;; Create the hash-named symbolic links OpenSSL uses to look up
132 ;; certificates.  Oddly, calling (system* "c_rehash" certsdir)
133 ;; from inside the build directory fails with
134 ;; "Usage error; try -help."
135 ;; This looks like a bug in openssl-1.0.2, so switch into the
136 ;; target directory instead.  'invoke' raises on a non-zero exit,
;; so a failed rehash fails the build rather than leaving a store
;; without lookup links.
137 (invoke "c_rehash" "."))
140 (synopsis "CA certificates from Mozilla")
142 "This package provides certificates for Certification Authorities (CA)
143 taken from the NSS package and thus ultimately from the Mozilla project.")
144 (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
145 (license license:mpl2.0)))
;; le-certs: a deliberately narrow trust store containing only the Let's
;; Encrypt root and intermediate certificates, each fetched as a separate
;; input pinned by hash below.
147 (define-public le-certs
152 (build-system trivial-build-system)
154 '(#:modules ((guix build utils))
157 (use-modules (guix build utils))
;; Each binding is the store path of one PEM input; the keys match the
;; input labels listed further down.
158 (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
159 (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
160 (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
161 (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
162 (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
163 (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
164 (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
165 (openssl (assoc-ref %build-inputs "openssl"))
166 (perl (assoc-ref %build-inputs "perl")))
;; Copy every certificate into OUT under its store file name with the
;; hash prefix removed (strip-store-file-name).  The enclosing loop
;; header is on a line not shown in this excerpt.
170 (copy-file cert (string-append out "/"
171 (strip-store-file-name cert))))
172 (list root-rsa root-ecdsa
173 intermediate-rsa intermediate-ecdsa
174 backup-rsa backup-ecdsa))
176 ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
;; c_rehash is run from the output directory with perl and openssl taken
;; explicitly from the build inputs, not from PATH.
178 (chdir (string-append %output "/etc/ssl/certs"))
179 (invoke (string-append perl "/bin/perl")
180 (string-append openssl "/bin/c_rehash")
183 `(("openssl" ,openssl)
184 ("perl" ,perl))) ;for 'c_rehash'
;; NOTE(review): the status wording in the comments below ("upcoming",
;; "active", "backup") reflects the time of writing; re-check it against
;; the home-page when bumping any of these hashes.
186 `(; The Let's Encrypt root certificate, "ISRG Root X1".
190 (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
193 "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
194 ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2".
195 ; Let's Encrypt describes it as "Active, limited availability".
199 (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
202 "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
203 ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
205 ("letsencryptauthorityr3.pem"
208 (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
211 "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
212 ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
213 ;; ECDSA certificate.
214 ("letsencryptauthoritye1.pem"
217 (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
220 "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
221 ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
222 ;; RSA certificate.  It is reserved for disaster recovery and will only be
223 ;; used should Let's Encrypt lose the ability to issue with "Let’s
224 ;; Encrypt Authority R3".
225 ("letsencryptauthorityr4.pem"
228 (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
231 "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
232 ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
233 ;; ECDSA certificate.  It is reserved for disaster recovery and will
234 ;; only be used should Let's Encrypt lose the ability to issue with "Let’s
235 ;; Encrypt Authority E1".
236 ("letsencryptauthoritye2.pem"
239 (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
242 "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
243 (home-page "https://letsencrypt.org/certificates/")
244 (synopsis "Let's Encrypt root and intermediate certificates")
245 (description "This package provides a certificate store containing only the
246 Let's Encrypt root and intermediate certificates.  It is intended to be used
248 (license license:public-domain)))