{ lib , stdenv , writeText , fetchurl , buildcatrust , blacklist ? [] , extraCertificateFiles ? [] , extraCertificateStrings ? [] # Used by update.sh , nssOverride ? null # Used for tests only , runCommand , cacert , openssl }: let blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" (blacklist ++ [ # Mozilla does not trust new certificates issued by these CAs after 2022/11/30¹ # in their products, but unfortunately we don't have such a fine-grained # solution for most system packages², so we decided to eject these. # # [1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ # [2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem "TrustCor ECA-1" "TrustCor RootCert CA-1" "TrustCor RootCert CA-2" ])); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); srcVersion = "3.89.1"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; description = "A bundle of X.509 certificates of public Certificate Authorities (CA)"; platforms = platforms.all; maintainers = with maintainers; [ fpletz lukegb ]; license = licenses.mpl20; }; certdata = stdenv.mkDerivation { pname = "nss-cacert-certdata"; inherit version; src = if nssOverride != null then nssOverride.src else fetchurl { url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz"; hash = "sha256-OtrtuecMPF9AYDv2CgHjNhkKbb4Bkp05XxawH+hKAVY="; }; dontBuild = true; installPhase = '' runHook preInstall mkdir $out cp nss/lib/ckfw/builtins/certdata.txt $out runHook postInstall ''; inherit meta; }; in stdenv.mkDerivation rec { pname = "nss-cacert"; inherit version; src = certdata; outputs = [ "out" "unbundled" "p11kit" ]; nativeBuildInputs = [ buildcatrust ]; buildPhase = '' mkdir unbundled buildcatrust \ --certdata_input certdata.txt \ --ca_bundle_input "${extraCertificatesBundle}" ${lib.escapeShellArgs (map (arg: "${arg}") extraCertificateFiles)} \ --blocklist "${blocklist}" \ --ca_bundle_output ca-bundle.crt \ --ca_unpacked_output unbundled \ --p11kit_output ca-bundle.trust.p11-kit ''; installPhase = '' install -D -t "$out/etc/ssl/certs" ca-bundle.crt # install p11-kit specific output to p11kit output install -D -t "$p11kit/etc/ssl/trust-source" ca-bundle.trust.p11-kit # install individual certs in unbundled output install -D -t "$unbundled/etc/ssl/certs" unbundled/*.crt ''; setupHook = ./setup-hook.sh; passthru = { updateScript = ./update.sh; tests = let isTrusted = '' isTrusted() { # isTrusted for f in $1/etc/ssl/certs/*.crt; do if ! [[ -s "$f" ]]; then continue; fi fingerprint="$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -f2 -d=)" if [[ "x$fingerprint" == "x$3" ]]; then # If the certificate is treated as rejected for TLS Web Server, then we consider it untrusted. if openssl x509 -in "$f" -noout -text | grep -q '^Rejected Uses:'; then if openssl x509 -in "$f" -noout -text | grep -A1 '^Rejected Uses:' | grep -q 'TLS Web Server'; then return 1 fi fi return 0 fi done return 1 } ''; in { # Test that building this derivation with a blacklist works, and that UTF-8 is supported. blacklist-utf8 = let blacklistCAToFingerprint = { # "blacklist" uses the CA name from the NSS bundle, but we check for presence using the SHA256 fingerprint. "CFCA EV ROOT" = "5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD"; "NetLock Arany (Class Gold) Főtanúsítvány" = "6C:61:DA:C3:A2:DE:F0:31:50:6B:E0:36:D2:A6:FE:40:19:94:FB:D1:3D:F9:C8:D4:66:59:92:74:C4:46:EC:98"; }; mapBlacklist = f: lib.concatStringsSep "\n" (lib.mapAttrsToList f blacklistCAToFingerprint); in runCommand "verify-the-cacert-filter-output" { cacert = cacert.unbundled; cacertWithExcludes = (cacert.override { blacklist = builtins.attrNames blacklistCAToFingerprint; }).unbundled; nativeBuildInputs = [ openssl ]; } '' ${isTrusted} # Ensure that each certificate is in the main "cacert". ${mapBlacklist (caName: caFingerprint: '' isTrusted "$cacert" "${caName}" "${caFingerprint}" || ({ echo "CA fingerprint ${caFingerprint} (${caName}) is missing from the CA bundle. Consider picking a different CA for the blacklist test." >&2 exit 1 }) '')} # Ensure that each certificate is NOT in the "cacertWithExcludes". ${mapBlacklist (caName: caFingerprint: '' isTrusted "$cacertWithExcludes" "${caName}" "${caFingerprint}" && ({ echo "CA fingerprint ${caFingerprint} (${caName}) is present in the cacertWithExcludes bundle." >&2 exit 1 }) '')} touch "$out" ''; # Test that we can add additional certificates to the store, and have them be trusted. extra-certificates = let extraCertificateStr = '' -----BEGIN CERTIFICATE----- MIIB5DCCAWqgAwIBAgIUItvsAYEIdYDkOIo5sdDYMcUaNuIwCgYIKoZIzj0EAwIw KTEnMCUGA1UEAwweTml4T1MgY2FjZXJ0IGV4dHJhIGNlcnRpZmljYXRlMB4XDTIx MDYxMjE5MDQzMFoXDTIyMDYxMjE5MDQzMFowKTEnMCUGA1UEAwweTml4T1MgY2Fj ZXJ0IGV4dHJhIGNlcnRpZmljYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEuP8y lAm6ZyQt9v/P6gTlV/a9R+D61WjucW04kaegOhg8csiluimYodiSv0Pbgymu+Zxm A3Bz9QGmytaYTiJ16083rJkwwIhqoYl7kWsLzreSTaLz87KH+rdeol59+H0Oo1Mw UTAdBgNVHQ4EFgQUCxuHfvqI4YVU5M+A0+aKvd1LrdswHwYDVR0jBBgwFoAUCxuH fvqI4YVU5M+A0+aKvd1LrdswDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNo ADBlAjEArgxgjdNmRlSEuai0dzlktmBEDZKy2Iiul+ttSoce9ohfEVYESwO602HW keVvI56vAjBCro3dc3m2TuktiKO6lQV56PUEyxko4H/sR5pnHlduCGRDlFzQKXf/ pMMmtj7cVb8= -----END CERTIFICATE----- ''; extraCertificateFile = ./test-cert-file.crt; extraCertificatesToFingerprint = { # String above "NixOS cacert extra certificate string" = "A3:20:D0:84:96:97:25:FF:98:B8:A9:6D:A3:7C:89:95:6E:7A:77:21:92:F3:33:E9:31:AF:5E:03:CE:A9:E5:EE"; # File "NixOS cacert extra certificate file" = "88:B8:BE:A7:57:AC:F1:FE:D6:98:8B:50:E0:BD:0A:AE:88:C7:DF:70:26:E1:67:5E:F5:F6:91:27:FF:02:D4:A5"; }; mapExtra = f: lib.concatStringsSep "\n" (lib.mapAttrsToList f extraCertificatesToFingerprint); in runCommand "verify-the-cacert-extra-output" { cacert = cacert.unbundled; cacertWithExtras = (cacert.override { extraCertificateStrings = [ extraCertificateStr ]; extraCertificateFiles = [ extraCertificateFile ]; }).unbundled; nativeBuildInputs = [ openssl ]; } '' ${isTrusted} # Ensure that the extra certificate is not in the main "cacert". ${mapExtra (extraName: extraFingerprint: '' isTrusted "$cacert" "${extraName}" "${extraFingerprint}" && ({ echo "'extra' CA fingerprint ${extraFingerprint} (${extraName}) is present in the main CA bundle." >&2 exit 1 }) '')} # Ensure that the extra certificates ARE in the "cacertWithExtras". ${mapExtra (extraName: extraFingerprint: '' isTrusted "$cacertWithExtras" "${extraName}" "${extraFingerprint}" || ({ echo "CA fingerprint ${extraFingerprint} (${extraName}) is not present in the cacertWithExtras bundle." >&2 exit 1 }) '')} touch "$out" ''; }; }; inherit meta; }