Diffstat (limited to 'gnu/packages/certs.scm')
-rw-r--r-- | gnu/packages/certs.scm | 124 |
1 files changed, 49 insertions, 75 deletions
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 9dcd733ffe..82e5b8c987 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -4,6 +4,8 @@
 ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,60 +25,53 @@
 (define-module (gnu packages certs)
 #:use-module ((guix licenses) #:prefix license:)
 #:use-module (guix packages)
+ #:use-module (guix utils)
 #:use-module (guix download)
 #:use-module (guix build-system gnu)
 #:use-module (guix build-system trivial)
 #:use-module (gnu packages)
- #:use-module (gnu packages python)
+ #:use-module (gnu packages nss)
 #:use-module (gnu packages perl)
 #:use-module (gnu packages tls))
 
 (define certdata2pem
- (package
- (name "certdata2pem")
- (version "2013")
- (source
- (origin
- (method url-fetch)
- (uri
- "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/plain/certdata2pem.py?id=053dde8a2f5901e97028a58bf54e7d0ef8095a54")
- (file-name "certdata2pem.py")
- (sha256
- (base32
- "0zscrm41gnsf14zvlkxhy00h3dmgidyz645ldpda3y3vabnwv8dx"))))
- (build-system trivial-build-system)
- (inputs
- `(("python" ,python-2)))
- (arguments
- `(#:modules ((guix build utils))
- #:builder
- (begin
- (use-modules (guix build utils))
- (let ((bin (string-append %output "/bin")))
- (copy-file (assoc-ref %build-inputs "source") "certdata2pem.py")
- (chmod "certdata2pem.py" #o555)
- (substitute* "certdata2pem.py"
- (("/usr/bin/python")
- (string-append (assoc-ref %build-inputs "python")
- "/bin/python"))
- ;; Use the file extension .pem instead of .crt.
- (("crt") "pem"))
- (mkdir-p bin)
- (copy-file "certdata2pem.py"
- (string-append bin "/certdata2pem.py"))
- #t))))
- (synopsis "Python script to extract .pem data from certificate collection")
- (description
- "certdata2pem.py is a Python script to transform X.509 certificate
-\"source code\" as contained, for example, in the Mozilla sources, into
-.pem formatted certificates.")
- (license license:gpl2+)
- (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
+ (let ((revision "1")
+ (commit "4c576f350f44186d439179f63d5be19f710a73f5"))
+ (package
+ (name "certdata2pem")
+ (version "0.0.0") ;no version
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://raw.githubusercontent.com/sabotage-linux/sabotage/"
+ commit "/KEEP/certdata2pem.c"))
+ (sha256
+ (base32
+ "1rywp29q4l1cs2baplkbcravxqs4kw2cys4yifhfznbc210pskq6"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:phases (modify-phases %standard-phases
+ (delete 'configure)
+ (replace 'build
+ (lambda _
+ (invoke ,(cc-for-target) "certdata2pem.c"
+ "-o" "certdata2pem")))
+ (delete 'check) ;no test suite
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out")))
+ (install-file "certdata2pem"
+ (string-append out "/bin"))))))))
+ (home-page "https://github.com/sabotage-linux/")
+ (synopsis "Utility to split TLS certificates data into multiple PEM files")
+ (description "This is a C version of the certdata2pem Python utility
+that was originally contributed to Debian.")
+ (license license:isc))))
 
 (define-public nss-certs
 (package
 (name "nss-certs")
- (version "3.59")
+ (version "3.67")
 (source (origin
 (method url-fetch)
 (uri (let ((version-with-underscores
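Review bot: `revision` is bound in the new `let` but never used — `version` is the literal `"0.0.0"`, so a later bump of `commit` would not change the version visible in the store item name. Either drop the binding or derive the version from it, `(version (git-version "0.0.0" revision commit))`, which would need `#:use-module (guix git-download)` added to the module header earlier in this hunk. The replaced `build` phase also compiles with a bare `,(cc-for-target)` call and no optimisation or warning flags, unlike what the default gnu-build-system `make` would pass through; `(invoke ,(cc-for-target) "-O2" "-Wall" "certdata2pem.c" "-o" "certdata2pem")` keeps the build honest about what the C parser of certdata.txt is doing. The `certdata2pem` definition is complete within the hunk; the `nss-certs` package at its end continues outside it.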
@@ -87,56 +82,35 @@
 "nss-" version ".tar.gz")))
 (sha256
 (base32
- "096fs3z21r171q24ca3rq53p1389xmvqz1f2rpm7nlm8r9s82ag6"))))
+ "0zyfi27lbdz1bmk9dmsivcya4phx25rzlxqcnjab69yd928rlm7n"))))
 (build-system gnu-build-system)
 (outputs '("out"))
 (native-inputs
 `(("certdata2pem" ,certdata2pem)
- ("openssl" ,openssl)
- ("perl" ,perl))) ;for OpenSSL's 'c_rehash'
+ ("openssl" ,openssl)))
 (inputs '())
 (propagated-inputs '())
 (arguments
 `(#:modules ((guix build gnu-build-system)
 (guix build utils)
 (rnrs io ports)
- (srfi srfi-26)
- (ice-9 regex))
+ (srfi srfi-26))
 #:phases
 (modify-phases
 (map (cut assq <> %standard-phases)
 '(set-paths install-locale unpack))
 (add-after 'unpack 'install
 (lambda _
- (let ((certsdir (string-append %output "/etc/ssl/certs/"))
- (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
- regexp/newline)))
-
- (define (maybe-install-cert file)
- (let ((cert (call-with-input-file file get-string-all)))
- (when (regexp-exec trusted-rx cert)
- (call-with-output-file
- (string-append certsdir file)
- (cut display cert <>)))))
-
- (mkdir-p certsdir)
+ (let ((certsdir (string-append %output "/etc/ssl/certs/")))
 (with-directory-excursion "nss/lib/ckfw/builtins/"
- ;; extract single certificates from blob
- (invoke "certdata2pem.py" "certdata.txt")
- ;; copy selected .pem files into the output
- (for-each maybe-install-cert
- (find-files "." ".*\\.pem")))
-
- (with-directory-excursion certsdir
- ;; create symbolic links for and by openssl
- ;; Strangely, the call (system* "c_rehash" certsdir)
- ;; from inside the build dir fails with
- ;; "Usage error; try -help."
- ;; This looks like a bug in openssl-1.0.2, but we can also
- ;; switch into the target directory.
- (invoke "c_rehash" "."))
- #t))))))
-
+ (unless (file-exists? "blacklist.txt")
+ (call-with-output-file "blacklist.txt" (const #t)))
+ ;; Extract selected single certificates from blob.
+ (invoke "certdata2pem")
+ ;; Copy .crt files into the output.
+ (for-each (cut install-file <> certsdir)
+ (find-files "." ".*\\.crt$")))
+ (invoke "openssl" "rehash" certsdir)))))))
 (synopsis "CA certificates from Mozilla")
 (description
 "This package provides certificates for Certification Authorities (CA) |
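Review bot: The new install phase copies every `.crt` file that `certdata2pem` writes, whereas the removed code installed only certificates whose output carried a `# openssl-trust=` marker, so the decision of which Mozilla entries become trust anchors now lives entirely inside the C tool and is not visible in this hunk. Presumably it honours the CKA_TRUST_* flags in certdata.txt and the `blacklist.txt` it is handed (the one created just above is empty, so nothing is blacklisted), but shipping a distrusted or email-only CA as a server-auth anchor would be a silent regression, so that reliance should be written down: replace `;; Extract selected single certificates from blob.` with `;; certdata2pem reads the CKA_TRUST_* flags in certdata.txt and skips entries in blacklist.txt; only CAs trusted for server auth should become .crt files — re-check on each upgrade of either package.` A cheap build-time guard, such as erroring when `find-files` returns an empty list before the `for-each`, would also catch the tool silently emitting nothing. The `install` phase is complete within the hunk; the enclosing `nss-certs` package form ends below it.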