From 348858f2971310be9fba9a8ce3ee214dad5630c0 Mon Sep 17 00:00:00 2001
From: Keshav Kini
Date: Sun, 16 May 2021 10:59:56 -0700
Subject: [PATCH] nixos/security.pki: handle PEMs w/o a final newline

According to the ABNF grammar for PEM files described in [RFC 7468][1], an eol character (i.e. a newline) is not mandatory after the posteb line (i.e. "-----END CERTIFICATE-----" in the case of certificates). This commit makes our CA certificate bundler expression account for the possibility that files in config.security.pki.certificateFiles might not have final newlines, by using `awk` instead of `cat` to concatenate them. (`awk` prints a final newline from each input file even if the file doesn't end with a newline.)

[1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
---
 nixos/modules/security/ca.nix | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 1c4ee421fc56..7df86e71423f 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -10,15 +10,10 @@ let
 blacklist = cfg.caCertificateBlacklist;
 };
 
- caCertificates = pkgs.runCommand "ca-certificates.crt"
- { files =
- cfg.certificateFiles ++
- [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
- preferLocalBuild = true;
- }
- ''
- cat $files > $out
- '';
+ caCertificates = pkgs.runCommand "ca-certificates.crt" {
+ files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+ preferLocalBuild = true;
+ } "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files in