aboutsummaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-03-03 13:45:43 -0500
committerMark H Weaver <mhw@netris.org>2015-03-03 13:49:12 -0500
commit41ce4601337c66301b80cff2a640c428efb64973 (patch)
tree56b59b9090067e7f58724c997d2659d3d45ac32d /gnu
parent78ab0746a523cc63eca0fd2fe55ac6c5b1ec5d5e (diff)
downloadgnu-guix-41ce4601337c66301b80cff2a640c428efb64973.tar
gnu-guix-41ce4601337c66301b80cff2a640c428efb64973.tar.gz
gnu: nss-certs: Install only trusted CA certificates.
* gnu/packages/certs.scm (nss-certs): Only install certificates that include a non-empty "openssl-trust=" annotation.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/certs.scm52
1 files changed, 32 insertions, 20 deletions
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index ab46143202..7818d48219 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -80,36 +81,47 @@
(arguments
`(#:modules ((guix build gnu-build-system)
(guix build utils)
- (srfi srfi-26))
+ (rnrs io ports)
+ (srfi srfi-26)
+ (ice-9 regex))
#:imported-modules ((guix build gnu-build-system)
(guix build utils))
#:phases
(alist-cons-after
'unpack 'install
(lambda _
- (let ((certsdir (string-append %output "/etc/ssl/certs/")))
+ (let ((certsdir (string-append %output "/etc/ssl/certs/"))
+ (trusted-rx (make-regexp "^# openssl-trust=[a-zA-Z]"
+ regexp/newline)))
+
+ (define (maybe-install-cert file)
+ (let ((cert (call-with-input-file file get-string-all)))
+ (when (regexp-exec trusted-rx cert)
+ (call-with-output-file
+ (string-append certsdir file)
+ (cut display cert <>)))))
+
(mkdir-p certsdir)
(with-directory-excursion "nss/lib/ckfw/builtins/"
;; extract single certificates from blob
(system* "certdata2pem.py" "certdata.txt")
- ;; copy the .pem files into the output
- (for-each
- (lambda (file)
- (copy-file file (string-append certsdir file)))
- ;; FIXME: Some of the file names are UTF8 (?) and cause an
- ;; error message such as
- ;; find-files:
- ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem:
- ;; No such file or directory
- (find-files "." ".*\\.pem")))
- (with-directory-excursion certsdir
- ;; create symbolic links for and by openssl
- ;; Strangely, the call (system* "c_rehash" certsdir)
- ;; from inside the build dir fails with
- ;; "Usage error; try -help."
- ;; This looks like a bug in openssl-1.0.2, but we can also
- ;; switch into the target directory.
- (system* "c_rehash" "."))))
+ ;; copy selected .pem files into the output
+ (for-each maybe-install-cert
+ ;; FIXME: Some of the file names are UTF8 (?) and
+ ;; cause an error message such as find-files:
+ ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem:
+ ;; No such file or directory
+ (find-files "." ".*\\.pem")))
+
+ (with-directory-excursion certsdir
+ ;; create symbolic links for and by openssl
+ ;; Strangely, the call (system* "c_rehash" certsdir)
+ ;; from inside the build dir fails with
+ ;; "Usage error; try -help."
+ ;; This looks like a bug in openssl-1.0.2, but we can also
+ ;; switch into the target directory.
+ (system* "c_rehash" "."))))
+
(map (cut assq <> %standard-phases)
'(set-paths unpack)))))
(synopsis "CA certificates from Mozilla")