diff options
author | Mark H Weaver <mhw@netris.org> | 2015-03-03 13:45:43 -0500 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-03-03 13:49:12 -0500 |
commit | 41ce4601337c66301b80cff2a640c428efb64973 (patch) | |
tree | 56b59b9090067e7f58724c997d2659d3d45ac32d | |
parent | 78ab0746a523cc63eca0fd2fe55ac6c5b1ec5d5e (diff) | |
download | guix-41ce4601337c66301b80cff2a640c428efb64973.tar.gz |
gnu: nss-certs: Install only trusted CA certificates.
* gnu/packages/certs.scm (nss-certs): Only install certificates that include a non-empty "openssl-trust=" annotation.
-rw-r--r-- | gnu/packages/certs.scm | 52 |
1 files changed, 32 insertions, 20 deletions
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index ab46143202..7818d48219 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr> +;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -80,36 +81,47 @@ (arguments `(#:modules ((guix build gnu-build-system) (guix build utils) - (srfi srfi-26)) + (rnrs io ports) + (srfi srfi-26) + (ice-9 regex)) #:imported-modules ((guix build gnu-build-system) (guix build utils)) #:phases (alist-cons-after 'unpack 'install (lambda _ - (let ((certsdir (string-append %output "/etc/ssl/certs/"))) + (let ((certsdir (string-append %output "/etc/ssl/certs/")) + (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]" + regexp/newline))) + + (define (maybe-install-cert file) + (let ((cert (call-with-input-file file get-string-all))) + (when (regexp-exec trusted-rx cert) + (call-with-output-file + (string-append certsdir file) + (cut display cert <>))))) + (mkdir-p certsdir) (with-directory-excursion "nss/lib/ckfw/builtins/" ;; extract single certificates from blob (system* "certdata2pem.py" "certdata.txt") - ;; copy the .pem files into the output - (for-each - (lambda (file) - (copy-file file (string-append certsdir file))) - ;; FIXME: Some of the file names are UTF8 (?) and cause an - ;; error message such as - ;; find-files: - ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem: - ;; No such file or directory - (find-files "." ".*\\.pem"))) - (with-directory-excursion certsdir - ;; create symbolic links for and by openssl - ;; Strangely, the call (system* "c_rehash" certsdir) - ;; from inside the build dir fails with - ;; "Usage error; try -help." - ;; This looks like a bug in openssl-1.0.2, but we can also - ;; switch into the target directory. - (system* "c_rehash" ".")))) + ;; copy selected .pem files into the output + (for-each maybe-install-cert + ;; FIXME: Some of the file names are UTF8 (?) and + ;; cause an error message such as find-files: + ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem: + ;; No such file or directory + (find-files "." ".*\\.pem"))) + + (with-directory-excursion certsdir + ;; create symbolic links for and by openssl + ;; Strangely, the call (system* "c_rehash" certsdir) + ;; from inside the build dir fails with + ;; "Usage error; try -help." + ;; This looks like a bug in openssl-1.0.2, but we can also + ;; switch into the target directory. + (system* "c_rehash" ".")))) + (map (cut assq <> %standard-phases) '(set-paths unpack))))) (synopsis "CA certificates from Mozilla") |