From: Chris Marusich
Subject: Re: root certificate
Date: Tue, 12 Jun 2018 21:52:17 -0700
Message-ID: <87a7rzqoe6.fsf@gmail.com>
In-Reply-To: <87wov4o5cu.fsf@santanas.co.za> (Divan Santana's message of "Tue, 12 Jun 2018 09:04:40 +0200")
To: Divan Santana
Cc: help-guix@gnu.org, Joshua Branson

Hi Divan,

Divan Santana writes:

> Joshua Branson writes:
>
>> Divan Santana writes:
>>
>>> Hi Guix :)
>>>
>>> How does one import a root certificate for GuixSD?
>>
>> This probably isn't helpful, but what is a root certificate?
>
> https://en.wikipedia.org/wiki/Root_certificate
>
> In cryptography and computer security, a root certificate is a public
> key certificate that identifies a root certificate authority (CA).[1]
> Root certificates are self-signed and form the basis of an X.509-based
> public key infrastructure (PKI).
>
> So in my case, I have a root CA certificate for our organisation and
> many internal sites have a certificate issued from this CA.

I intended to write a blog post about this very subject for the Guix
blog, but I haven't gotten around to it yet.

In short, to do what you want, you can create package definitions like
the following, and then add them to the "packages" field of your
operating system declaration:

--8<---------------cut here---------------start------------->8---
(define-module (my packages)
  #:use-module (guix packages)
  #:use-module (guix licenses)
  #:use-module (guix build-system trivial)
  #:use-module (guix gexp)
  ;; Provides the `openssl' package used as an input below.
  #:use-module (gnu packages tls))

;; This example aggregates many certificates from a local directory, but
;; the same principle could be used to aggregate certificates from, say,
;; a remote Git repository that your company maintains.
(define-public my-ca-certificates
  (package
    (name "my-ca-certificates")
    (version "1")
    (source (local-file "/path/to/directory/containing/my/certs"
                        #:recursive? #t))
    (home-page "https://www.example.com")
    (license agpl3+)
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-1)
                      (srfi srfi-26)
                      (ice-9 ftw))
         (let* ((ca-certificates (assoc-ref %build-inputs "source"))
                (crt-suffix ".crt")
                (is-certificate? (cut string-suffix? crt-suffix <>))
                (certificates (filter is-certificate?
                                      (scandir ca-certificates)))
                (out (assoc-ref %outputs "out"))
                (certificate-directory (string-append out "/etc/ssl/certs"))
                (openssl (string-append (assoc-ref %build-inputs "openssl")
                                        "/bin/openssl")))
           (mkdir-p certificate-directory)
           ;; When this package is installed into a profile, any files in the
           ;; package output's etc/ssl/certs directory ending in ".pem" will
           ;; also be put into a ca-certificates.crt bundle.  In the case of a
           ;; system profile, this bundle will be made available to the system
           ;; at activation time.  See the profile hooks defined in (guix
           ;; profiles) and the etc-service-type defined in (gnu services) for
           ;; details.
           (for-each
            ;; Ensure the certificate is in an appropriate format.
            (lambda (certificate)
              (invoke openssl "x509"
                      "-in" (string-append ca-certificates "/" certificate)
                      "-outform" "PEM"
                      "-out" (string-append certificate-directory "/"
                                            (basename certificate crt-suffix)
                                            ".pem")))
            certificates)
           #t))))
    (inputs `(("openssl" ,openssl)))
    (synopsis "My certificate authority certificates")
    (description "Certificates of my organisation's certificate authorities.")))

(define-public my-ca-certificate
  (package
    (name "my-ca-certificate")
    (version "1")
    ;; You might also be able to set the source to #f and just embed the
    ;; certificate directly into the builder below.
    (source (plain-file "my-ca-certificate.pem" "\
-----BEGIN CERTIFICATE-----
Put your cert here.
-----END CERTIFICATE-----
"))
    (home-page "https://www.example.com")
    (license agpl3+)
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((my-certificate (assoc-ref %build-inputs "source"))
                (out (assoc-ref %outputs "out"))
                (cert-dir (string-append out "/etc/ssl/certs")))
           (mkdir-p cert-dir)
           ;; The file name must end in ".pem" for the profile hook to pick it up.
           (copy-file my-certificate
                      (string-append cert-dir "/my-ca-certificate.pem"))
           #t))))
    (synopsis "My certificate authority certificate")
    (description "My organisation's root certificate authority certificate.")))
--8<---------------cut here---------------end--------------->8---

When you add a package like the above to your operating system
declaration's "packages" field and reconfigure your system, you will
install the certificates system-wide.  In GuixSD, when you build a new
system generation, there is a profile hook that essentially collects all
the certificates that you would find in the $PROFILE/etc/ssl/certs
directory and bundles them up into the single
$PROFILE/etc/ssl/certs/ca-certificates.crt file (here, $PROFILE refers
to the system profile, i.e. the one that the /run/current-system/profile
symlink points to).  When it's done, you will have a copy of your
certificate in an individual file at $PROFILE/etc/ssl/certs/your-cert.pem,
and also in the bundle at $PROFILE/etc/ssl/certs/ca-certificates.crt.
This is necessary because some software needs the bundle:

https://lists.gnu.org/archive/html/guix-devel/2015-02/msg00429.html

Anyway, to install your certificates system-wide, you "just" have to
write a package definition that deposits your certificates in the
$OUT/etc/ssl/certs directory (where $OUT is the output path of the
package).  I think the files containing the certificates also need to
end in the suffix ".pem" in order for this specific profile hook to
work.  See the profile hook source code for details (in
guix/profiles.scm).

So, you can add your certificates.  But it relies on the behavior of a
profile hook that (I think) isn't yet discussed in the manual.  It
works, which is great, but I think it would be better if we provided a
first-class way to configure this in the operating system declaration.
Perhaps we need an "x509-certificates" service which one can extend with
certificates, origins, or packages that build certificates.

Finally, keep in mind that even if you add your certificate to the
system like this, not all software will use it.  For example, IceCat
ignores the system certificates (because that's what Firefox does, and
IceCat is a derivative of Firefox); instead, it maintains its own trust
database.  Java is similar.  For many programs, though, adding
certificates as above is sufficient.

-- 
Chris
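The message above describes two behaviours worth checking after a reconfigure: the profile hook only bundles files under etc/ssl/certs whose names end in ".pem", and the resulting ca-certificates.crt should then contain your CA alongside the others. The following is an added example, not code from the message, from Guix or from the thread's participants. It emulates the ".pem"-only collection rule as the message paraphrases it (the real hook lives in guix/profiles.scm and is not reproduced here), and then verifies a certificate against a bundle by the SHA-256 digest of its DER bytes, the same digest `openssl x509 -fingerprint -sha256` reports. The certificate bodies are constructed random bytes wrapped in PEM armour, not real X.509 certificates; the fingerprint comparison only needs the DER bytes, so the check works the same on a real /run/current-system/profile/etc/ssl/certs/ca-certificates.crt.

```python
"""Verify that a CA certificate really landed in a ca-certificates.crt bundle.

Added example; not code from the original message or from Guix.  The
bundling function imitates the ".pem"-only rule described in the message;
the constructed PEM blocks below carry random bytes, not real X.509 data.
"""
import base64
import hashlib
import os
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def pem_fingerprints(pem_text: str) -> set:
    """SHA-256 fingerprints (lowercase hex) of every PEM block in the text.

    A bundle is just concatenated PEM blocks, so the same parser serves a
    single certificate file and the whole ca-certificates.crt."""
    fps = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def bundle_certs_dir(certs_dir: str) -> str:
    """Emulate the hook as the message describes it: concatenate only the
    *.pem files under certs_dir (sorted for determinism) into one bundle.
    A certificate stored with another suffix (e.g. ".crt") is silently left
    out, which is the failure mode the message warns about."""
    parts = []
    for name in sorted(os.listdir(certs_dir)):
        if name.endswith(".pem"):
            with open(os.path.join(certs_dir, name), encoding="ascii") as fh:
                parts.append(fh.read())
    return "".join(parts)


def cert_in_bundle(cert_pem: str, bundle_pem: str) -> bool:
    """True iff every certificate in cert_pem is present in bundle_pem."""
    wanted = pem_fingerprints(cert_pem)
    return bool(wanted) and wanted <= pem_fingerprints(bundle_pem)


def demo() -> dict:
    """Build a constructed etc/ssl/certs directory and run both checks."""
    org_ca = make_pem(b"\x30\x82" + bytes(range(100)))       # constructed bytes
    other_ca = make_pem(b"\x30\x82" + bytes(range(100, 200)))  # constructed bytes
    stray_crt = make_pem(bytes(range(50)))                   # wrong suffix on disk
    with tempfile.TemporaryDirectory() as d:
        for fname, pem in [("my-ca-certificate.pem", org_ca),
                           ("other-ca.pem", other_ca),
                           ("stray.crt", stray_crt)]:
            with open(os.path.join(d, fname), "w", encoding="ascii") as fh:
                fh.write(pem)
        bundle = bundle_certs_dir(d)
    return {
        "bundled": len(pem_fingerprints(bundle)),
        "org_present": cert_in_bundle(org_ca, bundle),
        "stray_present": cert_in_bundle(stray_crt, bundle),
    }


if __name__ == "__main__":
    print(demo())
```

On a real system, read the individual file and the bundle from /run/current-system/profile/etc/ssl/certs and pass their contents to `cert_in_bundle`; a `False` result for a certificate you expected means it was either not deposited with a ".pem" suffix or the package was not yet in the current generation.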