nixos/security/ca: enable support for compatibility bundles

Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fall back on a 'compatibility' bundle, which will contain no additional
trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
Raito Bezarius 2024-02-07 02:04:56 +01:00
parent af70ce2c47
commit 19159a2349
2 changed files with 17 additions and 1 deletions


@ -11,7 +11,8 @@ let
extraCertificateFiles = cfg.certificateFiles; extraCertificateFiles = cfg.certificateFiles;
extraCertificateStrings = cfg.certificates; extraCertificateStrings = cfg.certificates;
}; };
caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt"; caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
in in
@ -23,6 +24,17 @@ in
internal = true; internal = true;
}; };
security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
which is a OpenSSL specific PEM format.
It is known to be incompatible with certain software stacks.
Nevertheless, enabling this will strip all additional trust rules provided by the
certificates themselves, this can have security consequences depending on your usecases.
'';
security.pki.certificateFiles = mkOption { security.pki.certificateFiles = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
default = []; default = [];
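Review bot: The description of `security.pki.useCompatibleBundle` says only that dropping the trust rules "can have security consequences", which does not tell a user what actually changes; as far as I know OpenSSL's `TRUSTED CERTIFICATE` form is what carries per-purpose trust and rejection markers for a CA, so the plain-certificate bundle turns every listed CA into an unconditionally trusted one. Suggest ending the description with `Enabling this strips all trust rules carried by the certificates themselves (purpose restrictions or explicit rejections), so every CA in the compatibility bundle is trusted for every purpose; enable it only for software that cannot parse the default bundle.` The wording also needs `consist` → `consists` and `a OpenSSL specific` → `an OpenSSL-specific`, and the text preceded by mkEnableOption's "Whether to enable" reads better as `the use of a compatibility bundle.`. It may also be worth mentioning that the option changes what the internal `security.pki.caBundle` path points at, since that appears to be what other modules consume (inferred from the `let` binding in the first hunk, whose surrounding context is partly outside the section).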


@ -71,6 +71,7 @@ stdenv.mkDerivation rec {
--ca_bundle_input "${extraCertificatesBundle}" ${lib.escapeShellArgs (map (arg: "${arg}") extraCertificateFiles)} \ --ca_bundle_input "${extraCertificatesBundle}" ${lib.escapeShellArgs (map (arg: "${arg}") extraCertificateFiles)} \
--blocklist "${blocklist}" \ --blocklist "${blocklist}" \
--ca_bundle_output ca-bundle.crt \ --ca_bundle_output ca-bundle.crt \
--ca_standard_bundle_output ca-no-trust-rules-bundle.crt \
--ca_unpacked_output unbundled \ --ca_unpacked_output unbundled \
--p11kit_output ca-bundle.trust.p11-kit --p11kit_output ca-bundle.trust.p11-kit
''; '';
@ -78,6 +79,9 @@ stdenv.mkDerivation rec {
installPhase = '' installPhase = ''
install -D -t "$out/etc/ssl/certs" ca-bundle.crt install -D -t "$out/etc/ssl/certs" ca-bundle.crt
# install standard PEM compatible bundle
install -D -t "$out/etc/ssl/certs" ca-no-trust-rules-bundle.crt
# install p11-kit specific output to p11kit output # install p11-kit specific output to p11kit output
install -D -t "$p11kit/etc/ssl/trust-source" ca-bundle.trust.p11-kit install -D -t "$p11kit/etc/ssl/trust-source" ca-bundle.trust.p11-kit