nixos/security.pki: handle PEMs w/o a final newline

According to the ABNF grammar for PEM files described in [RFC 7468][1], an eol character (i.e. a newline) is not mandatory after the posteb line (i.e. "-----END CERTIFICATE-----" in the case of certificates). This commit makes our CA certificate bundler expression account for the possibility that files in config.security.pki.certificateFiles might not have final newlines, by using `awk` instead of `cat` to concatenate them. (`awk` prints a final newline from each input file even if the file doesn't end with a newline.) [1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
2024-11-27 01:13:05 +00:00 · 2021-05-16 10:59:56 -07:00 · 2021-05-16 10:59:56 -07:00 · 348858f297
commit 348858f297
parent 72df572fa3
1 changed files with 4 additions and 9 deletions
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@ -10,15 +10,10 @@ let
    blacklist = cfg.caCertificateBlacklist;
  };

-  caCertificates = pkgs.runCommand "ca-certificates.crt"
-    { files =
-        cfg.certificateFiles ++
-        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
-      preferLocalBuild = true;
-     }
-    ''
-      cat $files > $out
-    '';
+  caCertificates = pkgs.runCommand "ca-certificates.crt" {
+    files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+    preferLocalBuild = true;
+  } "awk 1 $files > $out";  # awk ensures a newline between each pair of consecutive files

 in