2015-02-09 13:26:35 -05:00
|
|
|
|
;;; GNU Guix --- Functional package management for GNU
|
|
|
|
|
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
|
2015-03-03 13:45:43 -05:00
|
|
|
|
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
|
2017-07-28 08:50:52 -04:00
|
|
|
|
;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
|
2017-02-28 20:21:10 -05:00
|
|
|
|
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
|
2018-02-19 21:27:54 -05:00
|
|
|
|
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
|
2015-02-09 13:26:35 -05:00
|
|
|
|
;;;
|
|
|
|
|
;;; This file is part of GNU Guix.
|
|
|
|
|
;;;
|
|
|
|
|
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
|
|
|
|
;;; under the terms of the GNU General Public License as published by
|
|
|
|
|
;;; the Free Software Foundation; either version 3 of the License, or (at
|
|
|
|
|
;;; your option) any later version.
|
|
|
|
|
;;;
|
|
|
|
|
;;; GNU Guix is distributed in the hope that it will be useful, but
|
|
|
|
|
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
;;; GNU General Public License for more details.
|
|
|
|
|
;;;
|
|
|
|
|
;;; You should have received a copy of the GNU General Public License
|
|
|
|
|
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
(define-module (gnu packages certs)
|
|
|
|
|
#:use-module ((guix licenses) #:prefix license:)
|
|
|
|
|
#:use-module (guix packages)
|
|
|
|
|
#:use-module (guix download)
|
2015-02-10 14:55:53 -05:00
|
|
|
|
#:use-module (guix build-system gnu)
|
2015-02-09 13:26:35 -05:00
|
|
|
|
#:use-module (guix build-system trivial)
|
|
|
|
|
#:use-module (gnu packages)
|
gnu: Move content of openssl module into tls module.
* gnu/packages/openssl.scm (openssl, perl-net-ssleay): Move to...
* gnu/packages/tls.scm: ...here.
* gnu/packages/openssl.scm: Delete file.
* gnu-system.am (GNU_SYSTEM_MODULES): Unregister deleted file.
* gnu/packages/{admin.scm, bittorrent.scm, certs.scm, ci.scm,
cyrus-sasl.scm, databases.scm, dns.scm, ebook.scm, enlightenment.scm,
gnunet.scm, libreoffice.scm, links.scm, mail.scm, messaging.scm,
networking.scm, ntp.scm, openldap.scm, package-management.scm, pdf.scm,
python.scm, qt.scm, rdesktop.scm, rdf.scm, ruby.scm, ssh.scm,
synergy.scm, tor.scm, version-control.scm, video.scm, vpn.scm,
w3m.scm, web.scm, weechat.scm, xiph.scm}: Adapt module import.
2015-07-05 12:27:24 -04:00
|
|
|
|
#:use-module (gnu packages python)
|
2015-09-09 13:01:48 -04:00
|
|
|
|
#:use-module (gnu packages perl)
|
gnu: Move content of openssl module into tls module.
* gnu/packages/openssl.scm (openssl, perl-net-ssleay): Move to...
* gnu/packages/tls.scm: ...here.
* gnu/packages/openssl.scm: Delete file.
* gnu-system.am (GNU_SYSTEM_MODULES): Unregister deleted file.
* gnu/packages/{admin.scm, bittorrent.scm, certs.scm, ci.scm,
cyrus-sasl.scm, databases.scm, dns.scm, ebook.scm, enlightenment.scm,
gnunet.scm, libreoffice.scm, links.scm, mail.scm, messaging.scm,
networking.scm, ntp.scm, openldap.scm, package-management.scm, pdf.scm,
python.scm, qt.scm, rdesktop.scm, rdf.scm, ruby.scm, ssh.scm,
synergy.scm, tor.scm, version-control.scm, video.scm, vpn.scm,
w3m.scm, web.scm, weechat.scm, xiph.scm}: Adapt module import.
2015-07-05 12:27:24 -04:00
|
|
|
|
#:use-module (gnu packages tls))
|
2015-02-09 13:26:35 -05:00
|
|
|
|
|
|
|
|
|
(define certdata2pem
|
|
|
|
|
(package
|
|
|
|
|
(name "certdata2pem")
|
|
|
|
|
(version "2013")
|
|
|
|
|
(source
|
2015-03-05 21:35:46 -05:00
|
|
|
|
(origin
|
2015-02-09 13:26:35 -05:00
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri
|
|
|
|
|
"http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
|
2015-03-05 21:35:46 -05:00
|
|
|
|
(file-name "certdata2pem.py")
|
2015-02-09 13:26:35 -05:00
|
|
|
|
(sha256
|
|
|
|
|
(base32
|
|
|
|
|
"0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
|
|
|
|
|
(build-system trivial-build-system)
|
|
|
|
|
(inputs
|
|
|
|
|
`(("python" ,python-2)))
|
|
|
|
|
(arguments
|
|
|
|
|
`(#:modules ((guix build utils))
|
|
|
|
|
#:builder
|
|
|
|
|
(begin
|
|
|
|
|
(use-modules (guix build utils))
|
|
|
|
|
(let ((bin (string-append %output "/bin")))
|
|
|
|
|
(copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
|
|
|
|
|
(chmod "certdata2pem.py" #o555)
|
|
|
|
|
(substitute* "certdata2pem.py"
|
|
|
|
|
(("/usr/bin/python")
|
|
|
|
|
(string-append (assoc-ref %build-inputs "python")
|
|
|
|
|
"/bin/python"))
|
|
|
|
|
;; Use the file extension .pem instead of .crt.
|
|
|
|
|
(("crt") "pem"))
|
|
|
|
|
(mkdir-p bin)
|
|
|
|
|
(copy-file "certdata2pem.py"
|
|
|
|
|
(string-append bin "/certdata2pem.py"))))))
|
|
|
|
|
(synopsis "Python script to extract .pem data from certificate collection")
|
|
|
|
|
(description
|
|
|
|
|
"certdata2pem.py is a Python script to transform X.509 certificate
|
|
|
|
|
\"source code\" as contained, for example, in the Mozilla sources, into
|
|
|
|
|
.pem formatted certificates.")
|
|
|
|
|
(license license:gpl2+)
|
|
|
|
|
(home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
|
2015-02-10 14:55:53 -05:00
|
|
|
|
|
|
|
|
|
(define-public nss-certs
|
2016-07-08 05:28:57 -04:00
|
|
|
|
(package
|
2015-02-10 14:55:53 -05:00
|
|
|
|
(name "nss-certs")
|
2018-03-12 12:38:55 -04:00
|
|
|
|
(version "3.36")
|
2016-07-08 05:28:57 -04:00
|
|
|
|
(source (origin
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri (let ((version-with-underscores
|
|
|
|
|
(string-join (string-split version #\.) "_")))
|
|
|
|
|
(string-append
|
|
|
|
|
"https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
|
|
|
|
|
"releases/NSS_" version-with-underscores "_RTM/src/"
|
|
|
|
|
"nss-" version ".tar.gz")))
|
|
|
|
|
(sha256
|
|
|
|
|
(base32
|
2018-03-12 12:38:55 -04:00
|
|
|
|
"1580qc0a4s8v3k3vg7zz4xly4alkjrw7qq9zy2nf6p4v56wcfg53"))))
|
2015-02-10 14:55:53 -05:00
|
|
|
|
(build-system gnu-build-system)
|
|
|
|
|
(outputs '("out"))
|
|
|
|
|
(native-inputs
|
|
|
|
|
`(("certdata2pem" ,certdata2pem)
|
2015-09-09 13:01:48 -04:00
|
|
|
|
("openssl" ,openssl)
|
|
|
|
|
("perl" ,perl))) ;for OpenSSL's 'c_rehash'
|
2015-02-10 14:55:53 -05:00
|
|
|
|
(inputs '())
|
|
|
|
|
(propagated-inputs '())
|
|
|
|
|
(arguments
|
|
|
|
|
`(#:modules ((guix build gnu-build-system)
|
|
|
|
|
(guix build utils)
|
2015-03-03 13:45:43 -05:00
|
|
|
|
(rnrs io ports)
|
|
|
|
|
(srfi srfi-26)
|
|
|
|
|
(ice-9 regex))
|
2015-02-10 14:55:53 -05:00
|
|
|
|
#:phases
|
2018-02-19 21:27:54 -05:00
|
|
|
|
(modify-phases
|
|
|
|
|
(map (cut assq <> %standard-phases)
|
|
|
|
|
'(set-paths install-locale unpack))
|
|
|
|
|
(add-after 'unpack 'install
|
2015-02-10 14:55:53 -05:00
|
|
|
|
(lambda _
|
2015-03-03 13:45:43 -05:00
|
|
|
|
(let ((certsdir (string-append %output "/etc/ssl/certs/"))
|
|
|
|
|
(trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
|
|
|
|
|
regexp/newline)))
|
|
|
|
|
|
|
|
|
|
(define (maybe-install-cert file)
|
|
|
|
|
(let ((cert (call-with-input-file file get-string-all)))
|
|
|
|
|
(when (regexp-exec trusted-rx cert)
|
|
|
|
|
(call-with-output-file
|
|
|
|
|
(string-append certsdir file)
|
|
|
|
|
(cut display cert <>)))))
|
|
|
|
|
|
2015-02-10 14:55:53 -05:00
|
|
|
|
(mkdir-p certsdir)
|
|
|
|
|
(with-directory-excursion "nss/lib/ckfw/builtins/"
|
|
|
|
|
;; extract single certificates from blob
|
2018-03-23 03:25:12 -04:00
|
|
|
|
(invoke "certdata2pem.py" "certdata.txt")
|
2015-03-03 13:45:43 -05:00
|
|
|
|
;; copy selected .pem files into the output
|
|
|
|
|
(for-each maybe-install-cert
|
|
|
|
|
(find-files "." ".*\\.pem")))
|
|
|
|
|
|
|
|
|
|
(with-directory-excursion certsdir
|
|
|
|
|
;; create symbolic links for and by openssl
|
|
|
|
|
;; Strangely, the call (system* "c_rehash" certsdir)
|
|
|
|
|
;; from inside the build dir fails with
|
|
|
|
|
;; "Usage error; try -help."
|
|
|
|
|
;; This looks like a bug in openssl-1.0.2, but we can also
|
|
|
|
|
;; switch into the target directory.
|
2018-02-19 21:27:54 -05:00
|
|
|
|
(invoke "c_rehash" "."))
|
|
|
|
|
#t))))))
|
2015-03-03 13:45:43 -05:00
|
|
|
|
|
2015-02-10 14:55:53 -05:00
|
|
|
|
(synopsis "CA certificates from Mozilla")
|
|
|
|
|
(description
|
2016-07-08 05:28:57 -04:00
|
|
|
|
"This package provides certificates for Certification Authorities (CA)
|
|
|
|
|
taken from the NSS package and thus ultimately from the Mozilla project.")
|
|
|
|
|
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
|
|
|
|
|
(license license:mpl2.0)))
|
2017-02-28 20:21:10 -05:00
|
|
|
|
|
|
|
|
|
(define-public le-certs
|
|
|
|
|
(package
|
|
|
|
|
(name "le-certs")
|
|
|
|
|
(version "0")
|
|
|
|
|
(source #f)
|
|
|
|
|
(build-system trivial-build-system)
|
|
|
|
|
(arguments
|
|
|
|
|
'(#:modules ((guix build utils))
|
|
|
|
|
#:builder
|
|
|
|
|
(begin
|
|
|
|
|
(use-modules (guix build utils))
|
|
|
|
|
(let ((root (assoc-ref %build-inputs "isrgrootx1.pem"))
|
|
|
|
|
(intermediate (assoc-ref %build-inputs "letsencryptauthorityx3.pem"))
|
|
|
|
|
(backup (assoc-ref %build-inputs "letsencryptauthorityx4.pem"))
|
2017-07-28 08:50:52 -04:00
|
|
|
|
(out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
|
|
|
|
|
(openssl (assoc-ref %build-inputs "openssl"))
|
|
|
|
|
(perl (assoc-ref %build-inputs "perl")))
|
2017-02-28 20:21:10 -05:00
|
|
|
|
(mkdir-p out)
|
|
|
|
|
(for-each
|
|
|
|
|
(lambda (cert)
|
|
|
|
|
(copy-file cert (string-append out "/"
|
|
|
|
|
(strip-store-file-name cert))))
|
2017-07-28 08:50:52 -04:00
|
|
|
|
(list root intermediate backup))
|
|
|
|
|
|
|
|
|
|
;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
|
|
|
|
|
;; similar.)
|
|
|
|
|
(chdir (string-append %output "/etc/ssl/certs"))
|
2018-03-23 03:27:24 -04:00
|
|
|
|
(invoke (string-append perl "/bin/perl")
|
|
|
|
|
(string-append openssl "/bin/c_rehash")
|
|
|
|
|
".")))))
|
2017-07-28 08:50:52 -04:00
|
|
|
|
(native-inputs
|
|
|
|
|
`(("openssl" ,openssl)
|
|
|
|
|
("perl" ,perl))) ;for 'c_rehash'
|
2017-02-28 20:21:10 -05:00
|
|
|
|
(inputs
|
|
|
|
|
`(; The Let's Encrypt root certificate, "ISRG Root X1".
|
|
|
|
|
("isrgrootx1.pem"
|
|
|
|
|
,(origin
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri "https://letsencrypt.org/certs/isrgrootx1.pem")
|
|
|
|
|
(sha256
|
|
|
|
|
(base32
|
|
|
|
|
"0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y"))))
|
|
|
|
|
;; "Let’s Encrypt Authority X3", the active Let's Encrypt intermediate
|
|
|
|
|
;; certificate.
|
|
|
|
|
("letsencryptauthorityx3.pem"
|
|
|
|
|
,(origin
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem")
|
|
|
|
|
(sha256
|
|
|
|
|
(base32
|
|
|
|
|
"0zbamj6c7zqw1j9mbqygc8k1ykgj6xiisp9svmlif5lkbnyjhnkk"))))
|
|
|
|
|
;; "Let’s Encrypt Authority X4", the backup Let's Encrypt intermediate
|
|
|
|
|
;; certificate. This will be used for disaster recovery and will only be
|
|
|
|
|
;; used should Let's Encrypt lose the ability to issue with "Let’s
|
|
|
|
|
;; Encrypt Authority X3".
|
|
|
|
|
("letsencryptauthorityx4.pem"
|
|
|
|
|
,(origin
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem")
|
|
|
|
|
(sha256
|
|
|
|
|
(base32
|
|
|
|
|
"003dc94c8qwj634h0dq743x7hqv9rdcfaisdksprkmi2jd107xq4"))))))
|
|
|
|
|
(home-page "https://letsencrypt.org/certificates/")
|
|
|
|
|
(synopsis "Let's Encrypt root and intermediate certificates")
|
|
|
|
|
(description "This package provides a certificate store containing only the
|
|
|
|
|
Let's Encrypt root and intermediate certificates. It is intended to be used
|
|
|
|
|
within Guix.")
|
|
|
|
|
(license license:public-domain)))
|