From af70ce2c476e9de57172e6c95617e43e0df62266 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Sun, 11 Feb 2024 16:04:21 +0100
Subject: [PATCH 1/2] buildcatrust: 0.1.3 -> 0.2.1
https://github.com/lukegb/buildcatrust/releases/tag/v0.2.0
https://github.com/lukegb/buildcatrust/releases/tag/v0.2.1
It contains support for exporting the bundle without additional trust rules.
Signed-off-by: Raito Bezarius
---
 pkgs/development/python-modules/buildcatrust/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/python-modules/buildcatrust/default.nix b/pkgs/development/python-modules/buildcatrust/default.nix
index cb997ab801348..e56d50fb9d4da 100644
--- a/pkgs/development/python-modules/buildcatrust/default.nix
+++ b/pkgs/development/python-modules/buildcatrust/default.nix
@@ -7,12 +7,12 @@ buildPythonPackage rec {
 pname = "buildcatrust";
- version = "0.1.3";
+ version = "0.2.1";
 pyproject = true;
 src = fetchPypi {
 inherit pname version;
- hash = "sha256:0s0m0fy943dakw9cbd40h46qmrhhgrcp292kppyb34m6y27sbagy";
+ hash = "sha256-mjX+T5xo6cD1GxJ49Tx7zthPbGPFPYaf2qcNKVHEzJA=";
 };
 nativeBuildInputs = [
From 19159a234916d7169e15d267e6ee1c9462790319 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 7 Feb 2024 02:04:56 +0100
Subject: [PATCH 2/2] nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional trust rules.
Signed-off-by: Raito Bezarius
---
 nixos/modules/security/ca.nix | 14 +++++++++++++-
 pkgs/data/misc/cacert/default.nix | 4 ++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 3cd56bff04d18..ae188ea709dd5 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -11,7 +11,8 @@ let
 extraCertificateFiles = cfg.certificateFiles;
 extraCertificateStrings = cfg.certificates;
 };
- caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
+ caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
+ caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
 in
@@ -23,6 +24,17 @@ in
 internal = true;
 };
+ security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
+
+ Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+ which is a OpenSSL specific PEM format.
+
+ It is known to be incompatible with certain software stacks.
+
+ Nevertheless, enabling this will strip all additional trust rules provided by the
+ certificates themselves, this can have security consequences depending on your usecases.
+ '';
+
 security.pki.certificateFiles = mkOption {
 type = types.listOf types.path;
 default = [];
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 30f2ee38c72f8..4979fa6edfded 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -71,6 +71,7 @@ stdenv.mkDerivation rec {
 --ca_bundle_input "${extraCertificatesBundle}" ${lib.escapeShellArgs (map (arg: "${arg}") extraCertificateFiles)} \
 --blocklist "${blocklist}" \
 --ca_bundle_output ca-bundle.crt \
+ --ca_standard_bundle_output ca-no-trust-rules-bundle.crt \
 --ca_unpacked_output unbundled \
 --p11kit_output ca-bundle.trust.p11-kit
 '';
@@ -78,6 +79,9 @@ stdenv.mkDerivation rec {
 installPhase = ''
 install -D -t "$out/etc/ssl/certs" ca-bundle.crt
+ # install standard PEM compatible bundle
+ install -D -t "$out/etc/ssl/certs" ca-no-trust-rules-bundle.crt
+
 # install p11-kit specific output to p11kit output
 install -D -t "$p11kit/etc/ssl/trust-source" ca-bundle.trust.p11-kit
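Review bot: The file name `ca-no-trust-rules-bundle.crt` is now spelled out independently in `caBundleName` here and again in the cacert derivation's `--ca_standard_bundle_output` argument and its installPhase, so a rename on either side only breaks systems that set `security.pki.useCompatibleBundle`, which an evaluation of the default configuration would not catch. Either have the cacert package export the name (a `passthru` attribute the module reads) or at least tie the two sites together with a comment next to `caBundleName`, e.g. `# must match the --ca_standard_bundle_output name in pkgs/data/misc/cacert/default.nix`. The `let` block these bindings belong to starts before the hunk.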
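Review bot: The new option description says trust rules are stripped but not what that does to the set of trusted certificates, which is what a reader needs to judge the "security consequences" it mentions: whether a certificate that carries only partial trust or an explicit distrust in the upstream store is dropped from the standard bundle or emitted as an unconditionally trusted `BEGIN CERTIFICATE` block is decided by buildcatrust and is not visible in this change, so the description should state which it is, and whether the blocklist still applies. Two wording fixes in the same text: "consist" should read "consists" and "a OpenSSL specific PEM format" should read "an OpenSSL-specific PEM format". The `security.pki` option set continues outside the hunk.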
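Review bot: Nothing in the build verifies the property the new output is named for, and since `ca-no-trust-rules-bundle.crt` becomes the trust root of every system that enables the compatibility option, a cheap check right after the buildcatrust call would catch a regression in the tool, e.g. `! grep -q 'BEGIN TRUSTED CERTIFICATE' ca-no-trust-rules-bundle.crt`, ideally alongside a comparison of the certificate count with `ca-bundle.crt` so an unexpected difference between the two bundles is noticed at build time. The `--blocklist` argument precedes both outputs, but whether buildcatrust applies it to the standard bundle as well is not visible here and is worth confirming. The buildPhase string this hunk sits in starts before the hunk.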