root certificate

root certificate

[Divan Santana]

Hi Guix :)

How does one import a root certificate for GuixSD?

I didn't see it in the manual.

(Hopefully I didn't miss it. I need to read up on using info within Emacs
better.)
--
Divan

Re: root certificate

[Joshua Branson]

Divan Santana <divan@santanas.co.za> writes:

> Hi Guix :)
>
> How does one import a root certificate for GuixSD?

This probably isn't helpful, but what is a root certificate?

>
> I didn't see it in the manual.
>
> (Hopefully I didn't miss it. I need to read up on using info within Emacs
> better.)
> --
> Divan

Re: root certificate

[myglc2]

On 06/11/2018 at 12:59 Joshua Branson writes:

> Divan Santana <divan@santanas.co.za> writes:
>
>> Hi Guix :)
>>
>> How does one import a root certificate for GuixSD?
>
> This probably isn't helpful, but what is a root certificate?
>
>>
>> I didn't see it in the manual.
>>
>> (Hopefully I didn't miss it. I need to read up on using info within Emacs
>> better.)
>> --
>> Divan

Hello Divan,

If you want to a bundle of standard CA certificates install "nss-certs".
It is probably already be installed as a system package since most of
the example GuixSd configs include it. But I have encountered at least
one situation where I needed to also install in as a user package,
e.g. 'guix package -i nss-certs'.

For details please see ...

(guix) Application Setup

... or ...

https://www.gnu.org/software/guix/manual/guix.html

HTH - George

Re: root certificate

[Divan Santana]

myglc2@gmail.com writes:

> On 06/11/2018 at 12:59 Joshua Branson writes:
>
>> Divan Santana <divan@santanas.co.za> writes:
>>
>>> Hi Guix :)
>>>
>>> How does one import a root certificate for GuixSD?
>>
>> This probably isn't helpful, but what is a root certificate?
>>
>>>
>>> I didn't see it in the manual.
>>>
>>> (Hopefully I didn't miss it. I need to read up on using info within Emacs
>>> better.)
>>> --
>>> Divan
>
> Hello Divan,
>
> If you want to a bundle of standard CA certificates install "nss-certs".
> It is probably already be installed as a system package since most of
> the example GuixSd configs include it. But I have encountered at least
> one situation where I needed to also install in as a user package,
> e.g. 'guix package -i nss-certs'.
>
> For details please see ...
>
> (guix) Application Setup
>
> ... or ...
>
> https://www.gnu.org/software/guix/manual/guix.html

So in my case, I have a root CA certificate for our organisition and
many internal sites have a certificate issued from this CA.

I want to import this self signed root CA so all sites with certs issued
by this org CA is trusted OS wide.

To do this on Arch one can:

#+begin_src sh
  wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://http://fqdn/pub/org-ca.crt
  trust extract-compat
#+end_src

Debian Family
#+begin_src sh
  mkdir /usr/share/ca-certificates/extra
  wget -O /usr/share/ca-certificates/extra/fnb-ca.crt http://http://fqdn/pub/org-ca.crt
  dpkg-reconfigure ca-certificates
#+end_src

I was hoping one could do the above within the system manifest file
config.scm ?

Else perhaps we do:
  wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://http://fqdn/pub/org-ca.crt
  trust extract-compat

Doing a command like this would make most of the apps(curl/wget/browser) on the system
trust these sites.
--
Divan

Re: root certificate

[Tonton]

[-- Attachment #1: Type: text/plain, Size: 916 bytes --]

I would look at the nss-certs package and make a package definition using
nss-certs as a template or even inheriting from it.

I have now had a quick look at nss-certs and it is too complex for me to
change without sitting down with it for a while. So I think I would then go
on to use the simple build system or what it is called.

Because what you need is basically copy a file to somewhere your browsers can
see it? To learn those paths I'd still look at nss-certs.
I see              (let ((certsdir (string-append %output "/etc/ssl/certs/"))
in there. That's probably your path.

To use this definition with guix: put it in for
example /home/username/guix-modules/certs.scm and then add this directory to
your $GUIX_PACKAGE_PATH. I do the following in my .profile
export GUIX_PACKAGE_PATH="$HOME/guix-modules:$GUIX_PACKAGE_PATH"

I'm traveling and so might not respond quickly.

HTH
Tonton

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: root certificate

[Divan Santana]

Joshua Branson <jbranso@fastmail.com> writes:

> Divan Santana <divan@santanas.co.za> writes:
>
>> Hi Guix :)
>>
>> How does one import a root certificate for GuixSD?
>
> This probably isn't helpful, but what is a root certificate?

https://en.wikipedia.org/wiki/Root_certificate

In cryptography and computer security, a root certificate is a public
key certificate that identifies a root certificate authority (CA).[1]
Root certificates are self-signed and form the basis of an X.509-based
public key infrastructure (PKI).

So in my case, I have a root CA certificate for our organisition and
many internal sites have a certificate issued from this CA.


>> I didn't see it in the manual.
>>
>> (Hopefully I didn't miss it. I need to read up on using info within Emacs
>> better.)
>> --
>> Divan


--
Divan

Re: root certificate

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 7020 bytes --]

Hi Divan,

Divan Santana <divan@santanas.co.za> writes:

> Joshua Branson <jbranso@fastmail.com> writes:
>
>> Divan Santana <divan@santanas.co.za> writes:
>>
>>> Hi Guix :)
>>>
>>> How does one import a root certificate for GuixSD?
>>
>> This probably isn't helpful, but what is a root certificate?
>
> https://en.wikipedia.org/wiki/Root_certificate
>
> In cryptography and computer security, a root certificate is a public
> key certificate that identifies a root certificate authority (CA).[1]
> Root certificates are self-signed and form the basis of an X.509-based
> public key infrastructure (PKI).
>
> So in my case, I have a root CA certificate for our organisition and
> many internal sites have a certificate issued from this CA.

I intended to write a blog post about this very subject for the Guix
blog, but I haven't gotten around to it yet.  In short, to do what you
want, you can create package definitions like the following, and then
add them to the "packages" field of your operating system declaration:

--8<---------------cut here---------------start------------->8---
(define-module (my packages)
  #:use-module (guix packages)
  #:use-module (guix licenses)
  #:use-module (guix build-system trivial)
  #:use-module (guix gexp))

;; This example aggregates many certificates from a local directory, but
;; the same principle could be used to aggregate certificates from, say,
;; a remote Git repository that your company maintains.
(define-public my-ca-certificates
  (package
   (name "my-ca-certificates")
   (version "1")
   (source (local-file "/path/to/directory/containing/my/certs"
                       #:recursive? #t))
   (home-page "https://www.example.com")
   (license agpl3+)
   (build-system trivial-build-system)
   (arguments
    `(#:modules
      ((guix build utils))
      #:builder
      (begin
        (use-modules (guix build utils)
                     (srfi srfi-1)
                     (srfi srfi-26)
                     (ice-9 ftw))
        (let* ((ca-certificates (assoc-ref %build-inputs "source"))
               (crt-suffix ".crt")
               (is-certificate? (cut string-suffix? crt-suffix <>))
               (certificates (filter is-certificate?
                                     (scandir ca-certificates)))
               (out (assoc-ref %outputs "out"))
               (certificate-directory (string-append out
                                                     "/etc/ssl/certs"))
               (openssl (string-append (assoc-ref %build-inputs
                                                  "openssl")
                                       "/bin/openssl")))
          (mkdir-p certificate-directory)
          ;; When this package is installed into a profile, any files in the
          ;; package output's etc/ssl/certs directory ending in ".pem" will
          ;; also be put into a ca-certificates.crt bundle.  In the case of a
          ;; system profile, this bundle will be made available to the system
          ;; at activation time.  See the profile hooks defined in (guix
          ;; profiles) and the etc-service-type define in (gnu services) for
          ;; details.
          (for-each
           ;; Ensure the certificate is in an appropriate format.
           (lambda (certificate)
             (invoke
              openssl "x509"
              "-in" (string-append ca-certificates "/" certificate)
              "-outform" "PEM"
              "-out" (string-append
                      certificate-directory "/"
                      (basename certificate crt-suffix) ".pem")))
           certificates)
          #t))))
   (inputs
    `(("openssl" ,openssl)))
   (synopsis "My certificate authority certificates")
   (description synopsis)))

(define-public my-ca-certificate
  (package
   (name "my-ca-certificate")
   (version "1")
   ;; You might also be able to set the source to #f and just embed the
   ;; certificate directly into the builder below.
   (source (plain-file (string-append name ".pem") "\
-----BEGIN CERTIFICATE-----
Put your cert here.
-----END CERTIFICATE-----
"))
   (home-page "https://www.example.com")
   (license agpl3+)
   (build-system trivial-build-system)
   (arguments
    `(#:modules
      ((guix build utils))
      #:builder
      (begin
        (use-modules (guix build utils))
        (let* ((my-certificate (assoc-ref %build-inputs "source"))
               (out (assoc-ref %outputs "out"))
               (cert-dir (string-append out "/etc/ssl/certs")))
          (mkdir-p cert-dir)
          (copy-file my-certificate (string-append cert-dir "/" ,name ".pem"))
          #t))))
   (synopsis "My certificate authority certificate")
   (description synopsis)))
--8<---------------cut here---------------end--------------->8---

When you add a package like the above to your operating system
declaration's "packages" field and reconfigure your system, you will
install the certificates system-wide.

In GuixSD, when you build a new system generation, there is a profile
hook that essentially collects all the certificates that you would find
in the $PROFILE/etc/ssl/certs directory and bundles them up into the
single $PROFILE/etc/ssl/certs/ca-certificates.crt file (here, $PROFILE
refers to the system profile, i.e.  the one that the
/run/current-system/profile symlink points to).  When it's done, you
will have a copy of your certificate in an individual file at
$PROFILE/etc/ssl/certs/your-cert.pem, and also in the bundle at
$PROFILE/etc/ssl/certs/ca-certificates.crt.  This is necessary because
some software needs the bundle:

https://lists.gnu.org/archive/html/guix-devel/2015-02/msg00429.html

Anyway, to install your certificates system-wide, you "just" have to
write a package definition that deposits your certificates in the
$OUT/etc/ssl/certs directory (where $OUT is the output path of the
package).  I think the files containing the certificates also need to
end in the suffix ".pem" in order for this specific profile hook to
work.  See the profile hook source code for details (in
guix/profiles.scm).

So, you can add your certificates.  But it relies on the behavior of a
profile hook that (I think) isn't yet discussed in the manual.  It
works, which is great, but I think it would be better if we provided a
first-class way to configure this in the operating system declaration.
Perhaps we need an "x509-certificates" service which one can extend with
certificates, origins, or packages that build certificates.

Finally, keep in mind that even if you add your certificate to the
system like this, not all software will use it.  For example, IceCat
ignores the system certificates (because that's what Firefox does, and
IceCat is a derivative of Firefox); instead, it maintains its own trust
database.  Java is similar.  For many programs, though, adding
certificates as above is sufficient.

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: root certificate

[Mark H Weaver]

Hi Divan,

Divan Santana <divan@santanas.co.za> writes:

> How does one import a root certificate for GuixSD?
>
> I didn't see it in the manual.

You didn't see it because we don't yet have a polished way to do this,
unfortunately.  The good news is that we've already laid the groundwork
for supporting local certificate stores.

Our 'le-certs' package in gnu/packages/certs.scm is a good template for
making custom certificate packages, and can be easily adapted to your
needs.

For now, you could simply make a copy of the 'le-certs' package, but
with a different package name and different certificate inputs.

Something like this (untested):

--8<---------------cut here---------------start------------->8---
(define-public my-root-cert
  (package
    (name "my-root-cert")
    (version "0")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((root (assoc-ref %build-inputs "my-root-cert.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           (copy-file cert (string-append out "/" (strip-store-file-name cert)))

           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar.)
           (chdir (string-append %output "/etc/ssl/certs"))
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs
     `(("openssl" ,openssl)
       ("perl" ,perl)))                           ;for 'c_rehash'
    (inputs
     `(("my-root-cert.pem"
        ,(origin
           (method url-fetch)
           (uri "https://example.com/certs/my-root-cert.pem")
           (sha256
            (base32
             "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"))))))
    (home-page "https://example.com/certs/my-root-cert.pem")
    (synopsis "My self-signed root certificate")
    (description "This package provides my self-signed root certificate.")
    (license license:public-domain)))
--8<---------------cut here---------------end--------------->8---

and then you would need to add this package to the 'packages' field of
your OS configuration, and reconfigure your system.

However, it would be good to provide a way to more easily create custom
certificate packages from a set of .pem files, perhaps by changing the
above package definition into a procedure that accepts a list of root
certificates and dynamically creates a certificate package.  If you'd
like to work on this, I'd be glad to discuss it further.

    Regards,
      Mark

Re: root certificate

[Mark H Weaver]

Mark H Weaver <mhw@netris.org> writes:

> Something like this (untested):
>
> (define-public my-root-cert
>   (package
>     (name "my-root-cert")
>     (version "0")
>     (source #f)
>     (build-system trivial-build-system)
>     (arguments
>      '(#:modules ((guix build utils))
>        #:builder
>        (begin
>          (use-modules (guix build utils))
>          (let ((root (assoc-ref %build-inputs "my-root-cert.pem"))

Sorry, that 'root' in the line above should be 'cert'.

      Mark

Re: root certificate

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 862 bytes --]

Mark H Weaver <mhw@netris.org> writes:

>            ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
>            ;; similar.)
>            (chdir (string-append %output "/etc/ssl/certs"))
>            (invoke (string-append perl "/bin/perl")
>                    (string-append openssl "/bin/c_rehash")
>                    ".")))))

I didn't know about c_rehash until now.  Interesting!  In the past, I've
defined my own certificate packages as described in my own separate
replies to this thread, and they worked even though I didn't invoke
c_rehash.  Could this simply have been because the software I use
happens to work even when the symlinks created by c_rehash don't exist?

It looks like the ca-certificate-bundle profile hook (defined in
guix/profiles.scm) doesn't currently invoke c_rehash.  Should it?

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: root certificate

[Mark H Weaver]

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>>            ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
>>            ;; similar.)
>>            (chdir (string-append %output "/etc/ssl/certs"))
>>            (invoke (string-append perl "/bin/perl")
>>                    (string-append openssl "/bin/c_rehash")
>>                    ".")))))
>
> I didn't know about c_rehash until now.  Interesting!  In the past, I've
> defined my own certificate packages as described in my own separate
> replies to this thread, and they worked even though I didn't invoke
> c_rehash.  Could this simply have been because the software I use
> happens to work even when the symlinks created by c_rehash don't exist?

According to the c_rehash man page, "many programs that use OpenSSL
require directories to be set up like this in order to find
certificates."  I'm not sure, but I guess that programs based on GnuTLS
do not need the symlinks.

> It looks like the ca-certificate-bundle profile hook (defined in
> guix/profiles.scm) doesn't currently invoke c_rehash.  Should it?

If I understand correctly, as long as each certificate package runs
'c_rehash' individually, then running 'c_rehash' during the profile hook
should have no effect, because all of the certificates will already have
their associated hash symlinks installed.

     Regards,
       Mark