;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;; Certificate-store packages: the Mozilla/NSS CA bundle and a minimal
;; Let's Encrypt-only store.  Every package here ships data only; the
;; build-time tools (python, perl, openssl's c_rehash) come from the
;; modules below.
(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)
  #:use-module (gnu packages python)    ; python-2, interpreter for certdata2pem
  #:use-module (gnu packages perl)      ; perl, runs OpenSSL's 'c_rehash'
  #:use-module (gnu packages tls))      ; openssl, provides 'c_rehash'
  32. (define certdata2pem
  33. (package
  34. (name "certdata2pem")
  35. (version "2013")
  36. (source
  37. (origin
  38. (method url-fetch)
  39. (uri
  40. "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
  41. (file-name "certdata2pem.py")
  42. (sha256
  43. (base32
  44. "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
  45. (build-system trivial-build-system)
  46. (inputs
  47. `(("python" ,python-2)))
  48. (arguments
  49. `(#:modules ((guix build utils))
  50. #:builder
  51. (begin
  52. (use-modules (guix build utils))
  53. (let ((bin (string-append %output "/bin")))
  54. (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
  55. (chmod "certdata2pem.py" #o555)
  56. (substitute* "certdata2pem.py"
  57. (("/usr/bin/python")
  58. (string-append (assoc-ref %build-inputs "python")
  59. "/bin/python"))
  60. ;; Use the file extension .pem instead of .crt.
  61. (("crt") "pem"))
  62. (mkdir-p bin)
  63. (copy-file "certdata2pem.py"
  64. (string-append bin "/certdata2pem.py"))
  65. #t))))
  66. (synopsis "Python script to extract .pem data from certificate collection")
  67. (description
  68. "certdata2pem.py is a Python script to transform X.509 certificate
  69. \"source code\" as contained, for example, in the Mozilla sources, into
  70. .pem formatted certificates.")
  71. (license license:gpl2+)
  72. (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
  73. (define-public nss-certs
  74. (package
  75. (name "nss-certs")
  76. (version "3.52.1")
  77. (source (origin
  78. (method url-fetch)
  79. (uri (let ((version-with-underscores
  80. (string-join (string-split version #\.) "_")))
  81. (string-append
  82. "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
  83. "releases/NSS_" version-with-underscores "_RTM/src/"
  84. "nss-" version ".tar.gz")))
  85. (sha256
  86. (base32
  87. "0y4jb9095f7bbgw7d7kvzm4c3g4p5i6y68fwhb8wlkpb7b1imj5w"))))
  88. (build-system gnu-build-system)
  89. (outputs '("out"))
  90. (native-inputs
  91. `(("certdata2pem" ,certdata2pem)
  92. ("openssl" ,openssl)
  93. ("perl" ,perl))) ;for OpenSSL's 'c_rehash'
  94. (inputs '())
  95. (propagated-inputs '())
  96. (arguments
  97. `(#:modules ((guix build gnu-build-system)
  98. (guix build utils)
  99. (rnrs io ports)
  100. (srfi srfi-26)
  101. (ice-9 regex))
  102. #:phases
  103. (modify-phases
  104. (map (cut assq <> %standard-phases)
  105. '(set-paths install-locale unpack))
  106. (add-after 'unpack 'install
  107. (lambda _
  108. (let ((certsdir (string-append %output "/etc/ssl/certs/"))
  109. (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
  110. regexp/newline)))
  111. (define (maybe-install-cert file)
  112. (let ((cert (call-with-input-file file get-string-all)))
  113. (when (regexp-exec trusted-rx cert)
  114. (call-with-output-file
  115. (string-append certsdir file)
  116. (cut display cert <>)))))
  117. (mkdir-p certsdir)
  118. (with-directory-excursion "nss/lib/ckfw/builtins/"
  119. ;; extract single certificates from blob
  120. (invoke "certdata2pem.py" "certdata.txt")
  121. ;; copy selected .pem files into the output
  122. (for-each maybe-install-cert
  123. (find-files "." ".*\\.pem")))
  124. (with-directory-excursion certsdir
  125. ;; create symbolic links for and by openssl
  126. ;; Strangely, the call (system* "c_rehash" certsdir)
  127. ;; from inside the build dir fails with
  128. ;; "Usage error; try -help."
  129. ;; This looks like a bug in openssl-1.0.2, but we can also
  130. ;; switch into the target directory.
  131. (invoke "c_rehash" "."))
  132. #t))))))
  133. (synopsis "CA certificates from Mozilla")
  134. (description
  135. "This package provides certificates for Certification Authorities (CA)
  136. taken from the NSS package and thus ultimately from the Mozilla project.")
  137. (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
  138. (license license:mpl2.0)))
  139. (define-public le-certs
  140. (package
  141. (name "le-certs")
  142. (version "0")
  143. (source #f)
  144. (build-system trivial-build-system)
  145. (arguments
  146. '(#:modules ((guix build utils))
  147. #:builder
  148. (begin
  149. (use-modules (guix build utils))
  150. (let ((root (assoc-ref %build-inputs "isrgrootx1.pem"))
  151. (intermediate (assoc-ref %build-inputs "letsencryptauthorityx3.pem"))
  152. (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pem"))
  153. (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
  154. (openssl (assoc-ref %build-inputs "openssl"))
  155. (perl (assoc-ref %build-inputs "perl")))
  156. (mkdir-p out)
  157. (for-each
  158. (lambda (cert)
  159. (copy-file cert (string-append out "/"
  160. (strip-store-file-name cert))))
  161. (list root intermediate backup))
  162. ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
  163. ;; similar.)
  164. (chdir (string-append %output "/etc/ssl/certs"))
  165. (invoke (string-append perl "/bin/perl")
  166. (string-append openssl "/bin/c_rehash")
  167. ".")))))
  168. (native-inputs
  169. `(("openssl" ,openssl)
  170. ("perl" ,perl))) ;for 'c_rehash'
  171. (inputs
  172. `(; The Let's Encrypt root certificate, "ISRG Root X1".
  173. ("isrgrootx1.pem"
  174. ,(origin
  175. (method url-fetch)
  176. (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
  177. (sha256
  178. (base32
  179. "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
  180. ;; "Let’s Encrypt Authority X3", the active Let's Encrypt intermediate
  181. ;; certificate.
  182. ("letsencryptauthorityx3.pem"
  183. ,(origin
  184. (method url-fetch)
  185. (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem")
  186. (sha256
  187. (base32
  188. "100lxxvqv4fj563bm03zzk5r36hq5jx9nnrajzs38g825c5k0cg2"))))
  189. ;; "Let’s Encrypt Authority X4", the backup Let's Encrypt intermediate
  190. ;; certificate. This will be used for disaster recovery and will only be
  191. ;; used should Let's Encrypt lose the ability to issue with "Let’s
  192. ;; Encrypt Authority X3".
  193. ("letsencryptauthorityx4.pem"
  194. ,(origin
  195. (method url-fetch)
  196. (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem")
  197. (sha256
  198. (base32
  199. "0d5256gwf73drq6q6jala28rfzhrgbk5pjfq27vc40ly91pdyh8m"))))))
  200. (home-page "https://letsencrypt.org/certificates/")
  201. (synopsis "Let's Encrypt root and intermediate certificates")
  202. (description "This package provides a certificate store containing only the
  203. Let's Encrypt root and intermediate certificates. It is intended to be used
  204. within Guix.")
  205. (license license:public-domain)))