Merge branch 'master' into core-updates
[jackhill/guix/guix.git] / gnu / packages / certs.scm
index ab46143..b27577b 100644 (file)
@@ -1,5 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
   #:use-module (gnu packages)
-  #:use-module (gnu packages gnuzilla)
-  #:use-module (gnu packages openssl)
-  #:use-module (gnu packages python))
+  #:use-module (gnu packages python)
+  #:use-module (gnu packages perl)
+  #:use-module (gnu packages tls))
 
 (define certdata2pem
   (package
     (name "certdata2pem")
     (version "2013")
     (source
-    (origin
+     (origin
       (method url-fetch)
         (uri
           "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
+        (file-name "certdata2pem.py")
         (sha256
           (base32
             "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
    (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
 
 (define-public nss-certs
-  (package (inherit nss) ; to reuse the source, version and some metadata
+  (package
     (name "nss-certs")
+    (version "3.27.1")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((version-with-underscores
+                          (string-join (string-split version #\.) "_")))
+                     (string-append
+                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+                      "releases/NSS_" version-with-underscores "_RTM/src/"
+                      "nss-" version ".tar.gz")))
+              (sha256
+               (base32
+                "0sraxk26swlgl7rl742rkfp5k251v5z3lqw9k8ikin0cjfhkfdpx"))))
     (build-system gnu-build-system)
     (outputs '("out"))
     (native-inputs
      `(("certdata2pem" ,certdata2pem)
-       ("openssl" ,openssl)))
+       ("openssl" ,openssl)
+       ("perl" ,perl)))                           ;for OpenSSL's 'c_rehash'
     (inputs '())
     (propagated-inputs '())
     (arguments
      `(#:modules ((guix build gnu-build-system)
                   (guix build utils)
-                  (srfi srfi-26))
-       #:imported-modules ((guix build gnu-build-system)
-                           (guix build utils))
+                  (rnrs io ports)
+                  (srfi srfi-26)
+                  (ice-9 regex))
        #:phases
          (alist-cons-after
            'unpack 'install
            (lambda _
-             (let ((certsdir (string-append %output "/etc/ssl/certs/")))
+             (let ((certsdir (string-append %output "/etc/ssl/certs/"))
+                   (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
+                                            regexp/newline)))
+
+               (define (maybe-install-cert file)
+                 (let ((cert (call-with-input-file file get-string-all)))
+                   (when (regexp-exec trusted-rx cert)
+                     (call-with-output-file
+                         (string-append certsdir file)
+                       (cut display cert <>)))))
+
                (mkdir-p certsdir)
                (with-directory-excursion "nss/lib/ckfw/builtins/"
                  ;; extract single certificates from blob
                  (system* "certdata2pem.py" "certdata.txt")
-                 ;; copy the .pem files into the output
-                 (for-each
-                   (lambda (file)
-                     (copy-file file (string-append certsdir file)))
-                   ;; FIXME: Some of the file names are UTF8 (?) and cause an
-                   ;; error message such as 
-                   ;; find-files:
-                   ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem:
-                   ;; No such file or directory
-                   (find-files "." ".*\\.pem")))
-                 (with-directory-excursion certsdir
-                   ;; create symbolic links for and by openssl
-                   ;; Strangely, the call (system* "c_rehash" certsdir)
-                   ;; from inside the build dir fails with
-                   ;; "Usage error; try -help."
-                   ;; This looks like a bug in openssl-1.0.2, but we can also
-                   ;; switch into the target directory.
-                   (system* "c_rehash" "."))))
+                 ;; copy selected .pem files into the output
+                 (for-each maybe-install-cert
+                           (find-files "." ".*\\.pem")))
+
+               (with-directory-excursion certsdir
+                 ;; create symbolic links for and by openssl
+                 ;; Strangely, the call (system* "c_rehash" certsdir)
+                 ;; from inside the build dir fails with
+                 ;; "Usage error; try -help."
+                 ;; This looks like a bug in openssl-1.0.2, but we can also
+                 ;; switch into the target directory.
+                 (system* "c_rehash" "."))))
+
            (map (cut assq <> %standard-phases)
-                '(set-paths unpack)))))
+                '(set-paths install-locale unpack)))))
     (synopsis "CA certificates from Mozilla")
     (description
-      "This package provides certificates for Certification Authorities (CA)
-taken from the NSS package and thus ultimately from the Mozilla project.")))
+     "This package provides certificates for Certification Authorities (CA)
+taken from the NSS package and thus ultimately from the Mozilla project.")
+    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
+    (license license:mpl2.0)))
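Review bot: The rewritten `install` phase still ignores the exit status of both external commands it relies on, `(system* "certdata2pem.py" "certdata.txt")` and `(system* "c_rehash" ".")`, so a failure to split `certdata.txt` or to build the hash links would leave an empty or partial `/etc/ssl/certs` while the build reports success. Since `system*` returns an integer, which is truthy in Scheme, and the last expression of the `lambda` is the `c_rehash` call, the phase appears to succeed even on a non-zero exit; as far as I can tell from this hunk no other check guards the result. I would wrap both calls, e.g. `(unless (zero? (system* "certdata2pem.py" "certdata.txt")) (error "certdata2pem.py failed"))` and `(unless (zero? (system* "c_rehash" ".")) (error "c_rehash failed"))`, so a broken trust store fails the build instead of shipping. It would also help to document above `trusted-rx` that a certificate is installed only when certdata2pem.py emitted an `# openssl-trust=` header for it, so the filter's intent is clear to the next reader.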