From: Mark H Weaver <mhw@netris.org>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: CA certificates
Date: Thu, 12 Feb 2015 12:26:52 -0500
Message-ID: <87h9urt50j.fsf@netris.org>
In-Reply-To: <20150210201452.GA15529@debian> (Andreas Enge's message of "Tue, 10 Feb 2015 21:14:52 +0100")

Andreas Enge <andreas@enge.fr> writes:

> The attached patch series
> 1) adds a (private) python script to extract single certificates in .pem 
>    format from a big textfile in mozilla source format;
> 2) adds the package nss-certs, which contains the certificates thus extracted
>    in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;

Excellent, thanks very much! :)

> 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.
>
> So if you do a
>    guix package -i openssl nss-certs youtube-dl
> and add SSL_CERT_DIR as stipulated by the text output after the installation,
> things work out of the box.
>
> The search path definition means that we could have alternative root
> certificate packages (potentially one per certification authority) and that
> the user could install the ones he trusts.

Sounds good!  It should be noted, however, that GnuTLS will currently
only use the certs in /etc/ssl/certs unless some application-specific
setting is provided.  This will later be improved with the 'p11-kit'
solution.

> The patches currently are in a branch wip-certs. Suggestions are
> welcome.

Regarding this commit:

> From b703198b70850017c2ed5e3510790898a214b7bd Mon Sep 17 00:00:00 2001
> From: Andreas Enge <andreas@enge.fr>
> Date: Tue, 10 Feb 2015 19:55:53 +0000
> Subject: gnu: Add nss-certs, certificates extracted from nss
> 
> * gnu/packages/certs.scm (nss-certs): New variable.
> ---
[...]
> +       #:phases
> +         (alist-cons-after
> +           'unpack 'install
> +           (lambda _
> +             (let ((certsdir (string-append %output "/etc/ssl/certs/")))
> +               (mkdir-p certsdir)
> +               (with-directory-excursion "nss/lib/ckfw/builtins/"
> +                 ;; extract single certificates from blob
> +                 (system* "certdata2pem.py" "certdata.txt")
> +                 ;; copy the .pem files into the output
> +                 (for-each
> +                   (lambda (file)
> +                     (copy-file file (string-append certsdir file)))
> +                   ;; FIXME: Some of the file names are UTF8 (?) and cause an
> +                   ;; error message such as 
> +                   ;; find-files:
> +                   ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem:
> +                   ;; No such file or directory
> +                   (find-files "." ".*\\.pem")))
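Review bot: the exit status of `(system* "certdata2pem.py" "certdata.txt")` is discarded, so if the extraction script fails the phase still succeeds and the package silently ships an empty `etc/ssl/certs`; wrap it as `(unless (zero? (system* "certdata2pem.py" "certdata.txt")) (error "certdata2pem.py failed"))` or make the `zero?` result the value of the phase. A second point in the same `for-each`: `find-files` returns names with a leading `./` (the FIXME's own error message shows `./EBG_Elektronik_...pem`), and `(string-append certsdir file)` embeds that prefix in the target path; `(string-append certsdir (basename file))` gives the intended flat layout that `c_rehash` expects.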

Guile converts POSIX byte strings (e.g. file names) to strings using
the current locale encoding, but the default locale in our build
environment is "C" which means ASCII-only.

I would advocate using a UTF-8 locale for all builds by default.

For now, I would try putting the following code at the beginning of your
custom 'install' phase:

--8<---------------cut here---------------start------------->8---
             ;; Make the locale compiled below findable by setlocale.
             (setenv "LOCPATH" (getcwd))
             ;; Compile an en_US.UTF-8 locale from glibc's locale sources
             ;; into the current directory (no locale archive needed).
             (zero? (system* "localedef" "--no-archive"
                             "--prefix" (getcwd) "-i" "en_US"
                             "-f" "UTF-8" "./en_US.UTF-8"))
             ;; Switch the running Guile to it so file names decode as UTF-8.
             (setlocale LC_ALL "en_US.UTF-8")
--8<---------------cut here---------------end--------------->8---

    Thanks!
      Mark
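The following Guile script is an added example, not code from this thread or from the Guix tree. It reproduces the failure Mark describes (a file name containing non-ASCII bytes comes back from the directory listing with `?` substituted under the "C" locale, and the substituted name no longer names an existing file) and then shows the same listing after building and activating an en_US.UTF-8 locale with the `localedef` invocation from the message, with its exit status checked. It assumes a plain Guile, glibc's `localedef` with the `en_US` source and `UTF-8` charmap installed, and a writable `/tmp`; `ensure-utf8-locale!`, `probe-pem-files` and the file name `Sağlayici.pem` are the example's own constructs.

```scheme
;; Added example (not from the thread): show how Guile decodes file names
;; under the "C" locale versus a UTF-8 locale.  Assumes plain Guile plus
;; glibc's localedef with the en_US source and UTF-8 charmap available.
(use-modules (ice-9 ftw))      ; scandir

;; A file name containing U+011F (LATIN SMALL LETTER G WITH BREVE), built
;; from the code point so that the source file's own encoding is irrelevant.
(define non-ascii-name
  (string-append "Sa" (string (integer->char #x11F)) "layici.pem"))

;; Build an en_US.UTF-8 locale under DIR with localedef (the invocation from
;; the message, exit status checked) and switch the running Guile to it.
(define (ensure-utf8-locale! dir)
  (setenv "LOCPATH" dir)
  (unless (zero? (system* "localedef" "--no-archive"
                          "--prefix" dir "-i" "en_US" "-f" "UTF-8"
                          (string-append dir "/en_US.UTF-8")))
    (error "localedef failed: cannot build en_US.UTF-8 under" dir))
  (setlocale LC_ALL "en_US.UTF-8"))

;; List the *.pem entries of DIR as Guile decodes them under the current
;; locale, each paired with whether the decoded name still resolves to a file.
;; Returns an alist of (decoded-name . exists?).
(define (probe-pem-files dir)
  (map (lambda (name)
         (cons name (file-exists? (string-append dir "/" name))))
       (or (scandir dir (lambda (name) (string-suffix? ".pem" name)))
           '())))

(define (main)
  (let ((dir (mkdtemp! "/tmp/pem-locale-demo-XXXXXX")))
    ;; Create the file while a UTF-8 locale is active, so its on-disk name
    ;; is the UTF-8 byte sequence an upstream tarball would contain.
    (ensure-utf8-locale! dir)
    (call-with-output-file (string-append dir "/" non-ascii-name)
      (lambda (port) (display "-----BEGIN CERTIFICATE-----\n" port)))

    ;; Under "C" the bytes >= 0x80 cannot be decoded as ASCII; Guile
    ;; substitutes '?' (as in the FIXME in the patch) and the resulting
    ;; string names a file that does not exist, so exists? is #f.
    (setlocale LC_ALL "C")
    (format #t "C locale:     ~s~%" (probe-pem-files dir))

    ;; Under en_US.UTF-8 the name round-trips and the file is found (#t).
    (setlocale LC_ALL "en_US.UTF-8")
    (format #t "UTF-8 locale: ~s~%" (probe-pem-files dir))))

(main)
```

Run it with `guile script.scm`; the first line prints the mangled name paired with `#f`, the second the real name paired with `#t`. In a build phase the same `ensure-utf8-locale!` call belongs before any `find-files` or `copy-file` over the extracted certificates, and because the exit status of `localedef` is checked, a missing locale source fails the build loudly instead of producing a certificate bundle with silently dropped entries.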
