From cf3013b4c0df4e01ea761d2fa2c6b69a38f9a5a4 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 17 Nov 2021 00:56:36 +0100
Subject: [PATCH 1/3] p11-kit: add Fedora/RHEL trust store path
Fedora and RHEL use a different location for the trust store, compared to other distros. Without this, validation of the CA root certificates fails in all nss applications.
---
pkgs/development/libraries/p11-kit/default.nix | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/p11-kit/default.nix b/pkgs/development/libraries/p11-kit/default.nix
index 4ddc01ee6b2b..34a3788d7860 100644
--- a/pkgs/development/libraries/p11-kit/default.nix
+++ b/pkgs/development/libraries/p11-kit/default.nix
@@ -31,7 +31,11 @@ stdenv.mkDerivation rec {
 configureFlags = [
 "--sysconfdir=/etc"
 "--localstatedir=/var"
- "--with-trust-paths=/etc/ssl/trust-source:/etc/ssl/certs/ca-certificates.crt"
+ "--with-trust-paths=${lib.concatStringsSep ":" [
+ "/etc/ssl/trust-source" # p11-kit trust source
+ "/etc/ssl/certs/ca-certificates.crt" # NixOS + Debian/Ubuntu/Arch/Gentoo...
+ "/etc/pki/tls/certs/ca-bundle.crt" # Fedora/CentOS
+ ]}"
 ];
 
 enableParallelBuilding = true;
From 6f3b6a2fea3278a91c120e67802b54a5823912d0 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 17 Nov 2021 23:50:53 +0100
Subject: [PATCH 2/3] gnutls: enable p11-kit by default
GnuTLS has a single hard-coded location for the system trust store, currently set to the path used by NixOS, Debian, Arch, Gentoo, etc. Since not all distributions use the same path, notably Fedora and RHEL, the certificate validation will break on some non-NixOS system. This can be solved by enabling the p11-kit integration, so that by default p11-kit (properly configured for all major distos) will provide GnuTLS with the CA roots though the PKCS #11 API.
---
pkgs/development/libraries/gnutls/default.nix | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
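Review bot: The new `--with-trust-paths` value is a union rather than a per-distro choice: as far as I can tell p11-kit's trust module loads every listed path that exists, so on a host that carries both `/etc/ssl/certs/ca-certificates.crt` and `/etc/pki/tls/certs/ca-bundle.crt` the anchors of both bundles are trusted, and a CA dropped from one bundle but still present in the other keeps being accepted. A plain PEM bundle also carries no distrust records, unlike the `/etc/ssl/trust-source` directory listed first, so the file entries can only widen the trust set. That is a defensible trade for portability, but it should be stated next to the list so the per-line comments are not read as "one of these applies", e.g. `# every path that exists is loaded; the effective trust set is their union`. The configureFlags list closes inside the hunk, so the rest of the derivation is unaffected.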
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index ace18afdeed8..0d39abe1ac3c 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -51,8 +51,10 @@ stdenv.mkDerivation rec {
 preConfigure = "patchShebangs .";
 
 configureFlags =
- lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
- ++ [
+ lib.optionals stdenv.isLinux [
+ "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
+ "--with-default-trust-store-pkcs11=pkcs11:"
+ ] ++ [
 "--disable-dependency-tracking"
 "--enable-fast-install"
 "--with-unbound-root-key-file=${dns-root-data}/root.key"
From a19b4efc77b76d5c66edb31e2ae285f5c1c3ca17 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Thu, 18 Nov 2021 22:19:46 +0100
Subject: [PATCH 3/3] nixos/tests/custom-ca: fix firefox test
- allocate more memory (yay!)
- fix processes not being really killed
- fix firefox process hanging
- remove the p11-kit log: it's not really useful
---
nixos/tests/custom-ca.nix | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/nixos/tests/custom-ca.nix b/nixos/tests/custom-ca.nix
index 4480519c7edc..6ed3510dd2cc 100644
--- a/nixos/tests/custom-ca.nix
+++ b/nixos/tests/custom-ca.nix
@@ -82,7 +82,7 @@ in
 # chromium-based browsers refuse to run as root
 test-support.displayManager.auto.user = "alice";
 # browsers may hang with the default memory
- virtualisation.memorySize = 500;
+ virtualisation.memorySize = 600;
 networking.hosts."127.0.0.1" = [ "good.example.com" "bad.example.com" ];
 security.pki.certificateFiles = [ "${example-good-cert}/ca.crt" ];
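Review bot: The PKCS #11 URL in the new `--with-default-trust-store-pkcs11=pkcs11:` flag is unfiltered, so GnuTLS will enumerate every module p11-kit has registered on the host and take trust-flagged objects from any of them as default CA anchors, not only from the p11-kit trust module the commit message has in mind; narrowing the URL to that token (something like `pkcs11:model=p11-kit-trust`, if the trust module's model string is what I remember — check it against a real token before copying) keeps a user-installed smartcard or HSM module from contributing anchors. Whether GnuTLS then also loads the `--with-default-trust-store-file` path or uses it only as a fallback is not visible here and decides whether this is a union of two stores; the hunk should record the intended behaviour in a comment, e.g. `# PKCS #11 store via p11-kit covers distros whose CA bundle lives elsewhere; the file is kept for hosts without a trust module`. This assumes p11-kit is already a build input and the PKCS #11 support is enabled, which is outside the hunk, as is the rest of the configureFlags list.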
@@ -162,7 +162,7 @@ in
 browser = command.split()[0]
 with subtest("Good certificate is trusted in " + browser):
 execute_as(
- "alice", f"env P11_KIT_DEBUG=trust {command} https://good.example.com & >&2"
+ "alice", f"{command} https://good.example.com >&2 &"
 )
 wait_for_window_as("alice", browser)
 machine.wait_for_text("It works!")
@@ -170,9 +170,9 @@ in
 execute_as("alice", "xdotool key ctrl+w") # close tab
 
 with subtest("Unknown CA is untrusted in " + browser):
- execute_as("alice", f"{command} https://bad.example.com & >&2")
+ execute_as("alice", f"{command} https://bad.example.com >&2 &")
 machine.wait_for_text(error)
 machine.screenshot("bad" + browser)
- machine.succeed("pkill " + browser)
+ machine.succeed("pkill -f " + browser)
 '';
 })
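Review bot: `pkill -f` matches the pattern as an extended regex against every process's full command line, so with `browser` being `command.split()[0]` it also kills the wrapper shell that execute_as presumably spawned and any other process whose arguments happen to mention the browser name; that is likely the intended fix for the "processes not being really killed" item, but the reason belongs next to the call, e.g. `# -f: match the whole command line so the wrapper shell and helper processes die too`. The next iteration of what looks like a loop over browser commands starts without waiting for those processes to actually exit, and if `browser` ever became a path with regex metacharacters the pattern would match more than intended. The enclosing loop and the test script start outside the hunk.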