cacerts: refactor, add blacklist option
Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. [SL: The following was true of the original commit but was backed out of the cherry pick]: Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs. (cherry picked from commit 0d59fc1)
Showing
1 changed file
with
38 additions
and
14 deletions.
@@ -1,36 +1,60 @@ | ||
{ stdenv, nss, curl, perl }: | ||
{ stdenv, fetchurl, writeText, nss, python | ||
, blacklist ? [] | ||
, includeEmail ? false | ||
}: | ||
|
||
with stdenv.lib; | ||
|
||
let | ||
|
||
certdata2pem = fetchurl { | ||
name = "certdata2pem.py"; | ||
url = "https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20160104"; | ||
sha256 = "0bw11mgfrf19qziyvdnq22kirp0nn54lfsanrg5h6djs6ig1c2im"; | ||
}; | ||
|
||
in | ||
|
||
stdenv.mkDerivation rec { | ||
name = "nss-cacert-${nss.version}"; | ||
|
||
src = nss.src; | ||
|
||
postPatch = '' | ||
unpackFile ${curl.src}; | ||
nativeBuildInputs = [ python ]; | ||
|
||
# Remove dependency on LWP, curl is enough. Also, since curl here | ||
# is working on a local file it will not actually get a 200 OK, so | ||
# remove that expectation. | ||
substituteInPlace curl-*/lib/mk-ca-bundle.pl \ | ||
--replace 'use LWP::UserAgent;' "" \ | ||
--replace ' && $out[0] == 200' "" | ||
''; | ||
configurePhase = '' | ||
ln -s nss/lib/ckfw/builtins/certdata.txt | ||
cat << EOF > blacklist.txt | ||
${concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)} | ||
EOF | ||
nativeBuildInputs = [ curl perl ]; | ||
cp ${certdata2pem} certdata2pem.py | ||
${optionalString includeEmail '' | ||
# Disable CAs used for mail signing | ||
substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] ''' | ||
''} | ||
''; | ||
|
||
buildPhase = '' | ||
perl curl-*/lib/mk-ca-bundle.pl -d "file://$(pwd)/nss/lib/ckfw/builtins/certdata.txt" ca-bundle.crt | ||
python certdata2pem.py | grep -vE '^(!|UNTRUSTED)' | ||
for cert in *.crt; do | ||
echo $cert | cut -d. -f1 | sed -e 's,_, ,g' >> ca-bundle.crt | ||
cat $cert >> ca-bundle.crt | ||
echo >> ca-bundle.crt | ||
done | ||
''; | ||
|
||
installPhase = '' | ||
mkdir -pv $out/etc/ssl/certs | ||
cp -v ca-bundle.crt $out/etc/ssl/certs | ||
''; | ||
|
||
meta = with stdenv.lib; { | ||
meta = { | ||
homepage = http://curl.haxx.se/docs/caextract.html; | ||
description = "A bundle of X.509 certificates of public Certificate Authorities (CA)"; | ||
platforms = platforms.all; | ||
maintainers = with maintainers; [ wkennington ]; | ||
maintainers = with maintainers; [ wkennington fpletz ]; | ||
}; | ||
} |
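Review bot: The heredoc that writes blacklist.txt in configurePhase uses an unquoted `EOF` delimiter, so any CA label containing `$`, backticks or a backslash would go through shell expansion before reaching the file; quoting the delimiter, `cat << 'EOF' > blacklist.txt`, keeps the names verbatim while the Nix-side interpolation of `blacklist` still happens as before. The comment `# Disable CAs used for mail signing` sits under `optionalString includeEmail`, so the substitution only runs when includeEmail is true, which reads as the opposite of what the option name suggests; either the comment or the condition looks inverted and should be checked against what certdata2pem.py does with `['CKA_TRUST_EMAIL_PROTECTION']`. In buildPhase the pipeline `python certdata2pem.py | grep -vE '^(!|UNTRUSTED)'` reports only grep's exit status unless the builder enables pipefail, so a failure in the script could be masked; if that is not guaranteed here, a `set -o pipefail` at the start of the phase would surface it.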