mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-15 02:36:16 +02:00
c1ecf0bee9
This patch has been manually adapted from
14dc84ed03
Tested with:
$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 16:57:50 after 1s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> error:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77) error setting certificate file: /nix/store/nlgbippbbgn38hynjkp1ghiybcq1dqhx-nss-cacert-3.101.1/etc/ssl/certs/ca-bundle.crt
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1
Now returns:
nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 17:05:48 after 0s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
84 lines
2.7 KiB
Nix
84 lines
2.7 KiB
Nix
# Test whether builtin:fetchurl properly performs TLS certificate
|
|
# checks on HTTPS servers.
|
|
|
|
{ lib, config, pkgs, ... }:
|
|
|
|
let
|
|
|
|
makeTlsCert = name: pkgs.runCommand name {
|
|
nativeBuildInputs = with pkgs; [ openssl ];
|
|
} ''
|
|
mkdir -p $out
|
|
openssl req -x509 \
|
|
-subj '/CN=${name}/' -days 49710 \
|
|
-addext 'subjectAltName = DNS:${name}' \
|
|
-keyout "$out/key.pem" -newkey ed25519 \
|
|
-out "$out/cert.pem" -noenc
|
|
'';
|
|
|
|
goodCert = makeTlsCert "good";
|
|
badCert = makeTlsCert "bad";
|
|
|
|
in
|
|
|
|
{
|
|
name = "nss-preload";
|
|
|
|
nodes = {
|
|
machine = { lib, pkgs, ... }: {
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
virtualHosts."good" = {
|
|
addSSL = true;
|
|
sslCertificate = "${goodCert}/cert.pem";
|
|
sslCertificateKey = "${goodCert}/key.pem";
|
|
root = pkgs.runCommand "nginx-root" {} ''
|
|
mkdir "$out"
|
|
echo 'hello world' > "$out/index.html"
|
|
'';
|
|
};
|
|
|
|
virtualHosts."bad" = {
|
|
addSSL = true;
|
|
sslCertificate = "${badCert}/cert.pem";
|
|
sslCertificateKey = "${badCert}/key.pem";
|
|
root = pkgs.runCommand "nginx-root" {} ''
|
|
mkdir "$out"
|
|
echo 'foobar' > "$out/index.html"
|
|
'';
|
|
};
|
|
};
|
|
|
|
security.pki.certificateFiles = [ "${goodCert}/cert.pem" ];
|
|
|
|
networking.hosts."127.0.0.1" = [ "good" "bad" ];
|
|
|
|
virtualisation.writableStore = true;
|
|
|
|
nix.settings.experimental-features = "nix-command";
|
|
};
|
|
};
|
|
|
|
testScript = { nodes, ... }: ''
|
|
machine.wait_for_unit("nginx")
|
|
machine.wait_for_open_port(443)
|
|
|
|
out = machine.succeed("curl https://good/index.html")
|
|
assert out == "hello world\n"
|
|
|
|
out = machine.succeed("cat ${badCert}/cert.pem > /tmp/cafile.pem; curl --cacert /tmp/cafile.pem https://bad/index.html")
|
|
assert out == "foobar\n"
|
|
|
|
# Fetching from a server with a trusted cert should work.
|
|
machine.succeed("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://good/index.html\"; hash = \"sha256-qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A+4XSmaGSpEc=\"; }'")
|
|
|
|
# Fetching from a server with an untrusted cert should fail.
|
|
err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
|
|
print(err)
|
|
assert "SSL certificate problem: self-signed certificate" in err
|
|
|
|
# Fetching from a server with a trusted cert should work via environment variable override.
|
|
machine.succeed("NIX_SSL_CERT_FILE=/tmp/cafile.pem nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }'")
|
|
'';
|
|
}
|