nixos/security.pki: handle PEMs w/o a final newline

According to the ABNF grammar for PEM files described in [RFC
7468][1], an eol character (i.e. a newline) is not mandatory after the
posteb line (i.e. "-----END CERTIFICATE-----" in the case of
certificates).

This commit makes our CA certificate bundler expression account for
the possibility that files in config.security.pki.certificateFiles
might not have final newlines, by using `awk` instead of `cat` to
concatenate them. (`awk` prints a final newline from each input file
even if the file doesn't end with a newline.)

[1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
Keshav Kini 2021-05-16 10:59:56 -07:00
parent 72df572fa3
commit 348858f297


@ -10,15 +10,10 @@ let
blacklist = cfg.caCertificateBlacklist; blacklist = cfg.caCertificateBlacklist;
}; };
caCertificates = pkgs.runCommand "ca-certificates.crt" caCertificates = pkgs.runCommand "ca-certificates.crt" {
{ files = files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
cfg.certificateFiles ++ preferLocalBuild = true;
[ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ]; } "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files
preferLocalBuild = true;
}
''
cat $files > $out
'';
in in
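Review bot: The new build command `"awk 1 $files > $out"` depends on unquoted word splitting of `$files` to expand the file list, so any path containing whitespace would be split into several arguments; Nix store paths never contain spaces, but a plain absolute-path string in `certificateFiles` presumably is not copied into the store and should be confirmed to be safe here. The inline comment could also state what the change guarantees for the last input and for the generated extra.crt, whose `concatStringsSep "\n"` result has no trailing newline: `# awk 1 re-emits every line with a newline, so no file (including extra.crt) can have its END line fused with the next BEGIN line, and $out always ends in a newline`. A fused END/BEGIN pair makes both certificates unparseable and silently drops them from the trust bundle, so a build-time comparison of the count of BEGIN lines in $out against the inputs would catch any remaining corruption. The enclosing `let` block begins and ends outside the visible lines.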