-rw-r--r--nixos/modules/security/ca.nix14
-rw-r--r--pkgs/data/misc/cacert/default.nix4
-rw-r--r--pkgs/development/python-modules/buildcatrust/default.nix4
3 files changed, 19 insertions, 3 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 3cd56bff04d18..ae188ea709dd5 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -11,7 +11,8 @@ let
     extraCertificateFiles = cfg.certificateFiles;
     extraCertificateStrings = cfg.certificates;
   };
-  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
+  caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
+  caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
 
 in
 
@@ -23,6 +24,17 @@ in
       internal = true;
     };
 
+    security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
+
+      Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+      which is a OpenSSL specific PEM format.
+
+      It is known to be incompatible with certain software stacks.
+
+      Nevertheless, enabling this will strip all additional trust rules provided by the
+      certificates themselves, this can have security consequences depending on your usecases.
+    '';
+
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
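Review bot: The option description is what an operator reads before opting into the weaker bundle, yet its security caveat is introduced with "Nevertheless", which reads as contradicting the previous sentence, and "It is known to be incompatible" leaves unclear whether the compatibility bundle or the BEGIN TRUSTED CERTIFICATE format is the incompatible one. I would rephrase the middle as `Such a bundle consists exclusively of BEGIN CERTIFICATE blocks and contains no BEGIN TRUSTED CERTIFICATE blocks, an OpenSSL-specific PEM format that some software stacks cannot parse.` and then state the trade-off directly: enabling it discards the per-certificate trust rules, so consumers of this bundle see each CA without the restrictions those rules would express, which is a deliberate downgrade rather than something that "can have security consequences depending on your usecases". Also "a OpenSSL specific" should read "an OpenSSL-specific", and it is worth saying that the default (off) keeps the full bundle so readers know opting in is the exception.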
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 30f2ee38c72f8..4979fa6edfded 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -71,6 +71,7 @@ stdenv.mkDerivation rec {
       --ca_bundle_input "${extraCertificatesBundle}" ${lib.escapeShellArgs (map (arg: "${arg}") extraCertificateFiles)} \
       --blocklist "${blocklist}" \
       --ca_bundle_output ca-bundle.crt \
+      --ca_standard_bundle_output ca-no-trust-rules-bundle.crt \
       --ca_unpacked_output unbundled \
       --p11kit_output ca-bundle.trust.p11-kit
   '';
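Review bot: The new `--ca_standard_bundle_output` line writes a second bundle from the same buildcatrust invocation, but nothing in this hunk or the install hunk below shows that the `--blocklist` filter applied to `ca-bundle.crt` is also honoured for `ca-no-trust-rules-bundle.crt`; I have not checked buildcatrust 0.2.1, so this may already be the case, but since this file is exactly what a user who enables `security.pki.useCompatibleBundle` will load, a certificate that is blocklisted in the main bundle must not reappear in the compatibility one. A build-time check, for instance an `installCheckPhase` that asserts no entry from `blocklist` occurs in the standard bundle, would pin that property against future buildcatrust upgrades. The shell phase this argument list belongs to starts before this hunk.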
@@ -78,6 +79,9 @@ stdenv.mkDerivation rec {
   installPhase = ''
     install -D -t "$out/etc/ssl/certs" ca-bundle.crt
 
+    # install standard PEM compatible bundle
+    install -D -t "$out/etc/ssl/certs" ca-no-trust-rules-bundle.crt
+
     # install p11-kit specific output to p11kit output
     install -D -t "$p11kit/etc/ssl/trust-source" ca-bundle.trust.p11-kit
 
diff --git a/pkgs/development/python-modules/buildcatrust/default.nix b/pkgs/development/python-modules/buildcatrust/default.nix
index cb997ab801348..e56d50fb9d4da 100644
--- a/pkgs/development/python-modules/buildcatrust/default.nix
+++ b/pkgs/development/python-modules/buildcatrust/default.nix
@@ -7,12 +7,12 @@
 
 buildPythonPackage rec {
   pname = "buildcatrust";
-  version = "0.1.3";
+  version = "0.2.1";
   pyproject = true;
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256:0s0m0fy943dakw9cbd40h46qmrhhgrcp292kppyb34m6y27sbagy";
+    hash = "sha256-mjX+T5xo6cD1GxJ49Tx7zthPbGPFPYaf2qcNKVHEzJA=";
   };
 
   nativeBuildInputs = [