From 419a0f39acdfdff50c3fbc878ecbe67ca628d855 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 30 Jul 2021 15:10:52 +0200 Subject: [PATCH] cacert: convert to pname + version, format, cleanup --- pkgs/data/misc/cacert/default.nix | 134 +++++++++++++++--------------- 1 file changed, 69 insertions(+), 65 deletions(-) diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index b4a8ebc4ef27..bd67e2a58f12 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -1,28 +1,17 @@ -{ lib, stdenv, fetchurl, nss, python3 -, blacklist ? [] +{ lib +, stdenv +, fetchurl +, nss +, python3 +, blacklist ? [ ] -# Used for tests only + # Used for tests only , runCommand , cacert , openssl }: -with lib; - let - version = "3.66"; - - underscoreVersion = builtins.replaceStrings ["."] ["_"] version; -in - -stdenv.mkDerivation { - name = "nss-cacert-${version}"; - - src = fetchurl { - url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/nss-${version}.tar.gz"; - sha256 = "1jfdnh5l4k57r2vb07s06hqi7m2qzk0d9x25lsdsrw3cflx9x9w9"; - }; - certdata2pem = fetchurl { name = "certdata2pem.py"; urls = [ @@ -31,6 +20,16 @@ stdenv.mkDerivation { ]; sha256 = "1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy"; }; +in + +stdenv.mkDerivation rec { + pname = "nss-cacert"; + version = "3.66"; + + src = fetchurl { + url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz"; + sha256 = "1jfdnh5l4k57r2vb07s06hqi7m2qzk0d9x25lsdsrw3cflx9x9w9"; + }; outputs = [ "out" "unbundled" ]; @@ -40,11 +39,11 @@ stdenv.mkDerivation { ln -s nss/lib/ckfw/builtins/certdata.txt cat << EOF > blacklist.txt - ${concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)} + ${lib.concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)} EOF # copy from the store, otherwise python will scan it for imports - cat "$certdata2pem" > certdata2pem.py + cat "${certdata2pem}" > certdata2pem.py ''; buildPhase = '' @@ -63,61 +62,66 @@ stdenv.mkDerivation { # install individual certs in unbundled output mkdir -pv $unbundled/etc/ssl/certs cp -v *.crt $unbundled/etc/ssl/certs - rm -f $unbundled/etc/ssl/certs/ca-bundle.crt # not wanted in unbundled + rm $unbundled/etc/ssl/certs/ca-bundle.crt # not wanted in unbundled ''; setupHook = ./setup-hook.sh; - passthru.updateScript = ./update.sh; - passthru.tests = { - # Test that building this derivation with a blacklist works, and that UTF-8 is supported. - blacklist-utf8 = let - blacklistCAToFingerprint = { - # "blacklist" uses the CA name from the NSS bundle, but we check for presence using the SHA256 fingerprint. - "CFCA EV ROOT" = "5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD"; - "NetLock Arany (Class Gold) Főtanúsítvány" = "6C:61:DA:C3:A2:DE:F0:31:50:6B:E0:36:D2:A6:FE:40:19:94:FB:D1:3D:F9:C8:D4:66:59:92:74:C4:46:EC:98"; - }; - mapBlacklist = f: concatStringsSep "\n" (mapAttrsToList f blacklistCAToFingerprint); - in runCommand "verify-the-cacert-filter-output" { - cacert = cacert.unbundled; - cacertWithExcludes = (cacert.override { - blacklist = builtins.attrNames blacklistCAToFingerprint; - }).unbundled; + passthru = { + updateScript = ./update.sh; + tests = { + # Test that building this derivation with a blacklist works, and that UTF-8 is supported. + blacklist-utf8 = + let + blacklistCAToFingerprint = { + # "blacklist" uses the CA name from the NSS bundle, but we check for presence using the SHA256 fingerprint. + "CFCA EV ROOT" = "5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD"; + "NetLock Arany (Class Gold) Főtanúsítvány" = "6C:61:DA:C3:A2:DE:F0:31:50:6B:E0:36:D2:A6:FE:40:19:94:FB:D1:3D:F9:C8:D4:66:59:92:74:C4:46:EC:98"; + }; + mapBlacklist = f: lib.concatStringsSep "\n" (lib.mapAttrsToList f blacklistCAToFingerprint); + in + runCommand "verify-the-cacert-filter-output" + { + cacert = cacert.unbundled; + cacertWithExcludes = (cacert.override { + blacklist = builtins.attrNames blacklistCAToFingerprint; + }).unbundled; - nativeBuildInputs = [ openssl ]; - } '' - isPresent() { - # isPresent - for f in $1/etc/ssl/certs/*.crt; do - fingerprint="$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -f2 -d=)" - if [[ "x$fingerprint" == "x$3" ]]; then - return 0 - fi - done - return 1 - } + nativeBuildInputs = [ openssl ]; + } '' + isPresent() { + # isPresent + for f in $1/etc/ssl/certs/*.crt; do + fingerprint="$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -f2 -d=)" + if [[ "x$fingerprint" == "x$3" ]]; then + return 0 + fi + done + return 1 + } - # Ensure that each certificate is in the main "cacert". - ${mapBlacklist (caName: caFingerprint: '' - isPresent "$cacert" "${caName}" "${caFingerprint}" || ({ - echo "CA fingerprint ${caFingerprint} (${caName}) is missing from the CA bundle. Consider picking a different CA for the blacklist test." >&2 - exit 1 - }) - '')} + # Ensure that each certificate is in the main "cacert". + ${mapBlacklist (caName: caFingerprint: '' + isPresent "$cacert" "${caName}" "${caFingerprint}" || ({ + echo "CA fingerprint ${caFingerprint} (${caName}) is missing from the CA bundle. Consider picking a different CA for the blacklist test." >&2 + exit 1 + }) + '')} - # Ensure that each certificate is NOT in the "cacertWithExcludes". - ${mapBlacklist (caName: caFingerprint: '' - isPresent "$cacertWithExcludes" "${caName}" "${caFingerprint}" && ({ - echo "CA fingerprint ${caFingerprint} (${caName}) is present in the cacertWithExcludes bundle." >&2 - exit 1 - }) - '')} + # Ensure that each certificate is NOT in the "cacertWithExcludes". + ${mapBlacklist (caName: caFingerprint: '' + isPresent "$cacertWithExcludes" "${caName}" "${caFingerprint}" && ({ + echo "CA fingerprint ${caFingerprint} (${caName}) is present in the cacertWithExcludes bundle." >&2 + exit 1 + }) + '')} - touch $out - ''; + touch $out + ''; + }; }; - meta = { + meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; description = "A bundle of X.509 certificates of public Certificate Authorities (CA)"; platforms = platforms.all;