author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-09-01 23:40:05 +0200 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2016-10-09 02:00:18 +0200 |
commit | 0d59fc1169654fa1f77e17ad73099895af7bba4d (patch) | |
tree | d63b79ad68e511aa7b301bc1c5ff47db858b3935 /pkgs/data | |
parent | cefe4a816d5486523948f5a20e7f6ad4d93297db (diff) |
cacerts: refactor, add blacklist option
Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs.
Diffstat (limited to 'pkgs/data')
-rw-r--r-- | pkgs/data/misc/cacert/default.nix | 52 |
1 files changed, 38 insertions, 14 deletions
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 3ce6dc81a3967..5095fce8958e7 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -1,25 +1,49 @@
-{ stdenv, nss, curl, perl }:
+{ stdenv, fetchurl, writeText, nss, python
+, blacklist ? []
+, includeEmail ? false
+}:
+
+with stdenv.lib;
+
+let
+
+  certdata2pem = fetchurl {
+    name = "certdata2pem.py";
+    url = "https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20160104";
+    sha256 = "0bw11mgfrf19qziyvdnq22kirp0nn54lfsanrg5h6djs6ig1c2im";
+  };
+
+in
 stdenv.mkDerivation rec {
   name = "nss-cacert-${nss.version}";
   src = nss.src;
-  postPatch = ''
-    unpackFile ${curl.src};
+  nativeBuildInputs = [ python ];
-    # Remove dependency on LWP, curl is enough. Also, since curl here
-    # is working on a local file it will not actually get a 200 OK, so
-    # remove that expectation.
-    substituteInPlace curl-*/lib/mk-ca-bundle.pl \
-      --replace 'use LWP::UserAgent;' "" \
-      --replace ' && $out[0] == 200' ""
-  '';
+  configurePhase = ''
+    ln -s nss/lib/ckfw/builtins/certdata.txt
+
+    cat << EOF > blacklist.txt
+    ${concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)}
+    EOF
-  nativeBuildInputs = [ curl perl ];
+    cp ${certdata2pem} certdata2pem.py
+    ${optionalString includeEmail ''
+      # Disable CAs used for mail signing
+      substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] '''
+    ''}
+  '';
   buildPhase = ''
-    perl curl-*/lib/mk-ca-bundle.pl -d "file://$(pwd)/nss/lib/ckfw/builtins/certdata.txt" ca-bundle.crt
+    python certdata2pem.py | grep -vE '^(!|UNTRUSTED)'
+
+    for cert in *.crt; do
+      echo $cert | cut -d. -f1 | sed -e 's,_, ,g' >> ca-bundle.crt
+      cat $cert >> ca-bundle.crt
+      echo >> ca-bundle.crt
+    done
   '';
   installPhase = ''
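Review bot: A `blacklist` entry that matches no label in certdata.txt is silently ignored by the new `configurePhase`, so a misspelled CA name leaves that CA in the bundle while the option appears to have taken effect; add a check before the script runs, e.g. `while read -r l; do grep -qF "CKA_LABEL UTF8 $l" certdata.txt || { echo "blacklist entry $l not found" >&2; exit 1; }; done < blacklist.txt` (assuming the script compares the quoted label form that blacklist.txt is written in). The `includeEmail` handling looks inverted: the substitution whose own comment says it disables CAs used for mail signing runs only when `includeEmail` is true, so either the condition should be `!includeEmail` or the comment is wrong — confirm against certdata2pem.py. In `buildPhase`, `python certdata2pem.py | grep -vE '^(!|UNTRUSTED)'` reports grep's exit status rather than python's, so unless stdenv runs with `pipefail` a script that dies after emitting some `.crt` files produces a truncated bundle that still builds; write the script output to a file and filter it afterwards, or check `${PIPESTATUS[0]}`. `writeText` is added to the argument set but is not used anywhere in the hunk.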
@@ -27,10 +51,10 @@ stdenv.mkDerivation rec {
     cp -v ca-bundle.crt $out/etc/ssl/certs
   '';
 
-  meta = with stdenv.lib; {
+  meta = {
     homepage = http://curl.haxx.se/docs/caextract.html;
     description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = platforms.all;
-    maintainers = with maintainers; [ wkennington ];
+    maintainers = with maintainers; [ wkennington fpletz ];
   };
 }
|