nss: add option to use p11-kit #96763
Conversation
I might be mixing things up, but certdata2pem is already how nixpkgs/nixos is getting its CA certs. From nss. So why extract them here again?
Because I didn't know that: I thought cacert was a different CA bundle. I'll remove that part, thank you.
Done. I removed the (duplicated) part.
ping
So, do you have any objection? I'd like for nss to use the system trust store in
No objections, but I also don't feel comfortable approving/merging this, because I don't feel like I know enough about nss and/or p11-kit.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
@@ -126,6 +133,11 @@ in stdenv.mkDerivation rec { | |||
chmod 0755 $out/bin/nss-config | |||
''; | |||
|
|||
postInstall = stdenv.lib.optionalString useP11kit '' | |||
# Replace built-in trust with p11-kit connection | |||
ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so |
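Review bot: `stdenv.lib.optionalString` in the new `postInstall` should be `lib.optionalString`; the rebase later in this thread notes exactly that `stdenv.lib -> lib` conflict, so the hunk as shown will not apply cleanly. On the `ln -sf` line itself, the compatibility the reviewer asks about below does not come from any NSS header: NSS loads `libnssckbi.so` as a PKCS#11 module through its single exported entry point, `C_GetFunctionList`, and `p11-kit-trust.so` is built to be loaded that way. A one-line comment saying so next to the symlink would answer the ABI question in the code, and the step could also fail loudly (`test -f ${p11-kit}/lib/pkcs11/p11-kit-trust.so`) rather than leaving a dangling link if the p11-kit layout ever changes.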
So, how do we guarantee that the ABI between this "fake" output and the one defined in the header files matches? Is that defined in the PKCS#11 standard?
It's a good question: the library is designed to be used like this, so I assume it's ABI compatible with nss, but I'm not sure.
Even if it is, this could be an issue if nss introduces an ABI-incompatible change and Nixpkgs is updated before p11-kit. It should be noted p11-kit is maintained and used by Red Hat, so it should be updated quickly enough.
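The ABI question above has a concrete answer that can be checked rather than assumed: NSS never links against libnssckbi.so's internals, it dlopen()s it and resolves the one symbol every PKCS#11 module must export, C_GetFunctionList, then reads the CK_FUNCTION_LIST it returns. The probe below, added here as an example and not code from the PR or from nss/p11-kit, does the same thing with ctypes so you can point it at a built nss output and at p11-kit-trust.so and see whether the swap holds. The store paths in main() and the check_replacement() helper are assumptions for illustration; the structure layout and CKR_OK value come from the PKCS#11 specification.

```python
"""Probe a shared object the way NSS probes libnssckbi.so: dlopen it, resolve the
PKCS#11 entry point C_GetFunctionList, and read the Cryptoki version out of the
returned CK_FUNCTION_LIST.  That function table is the whole ABI contract between
NSS and a drop-in module such as p11-kit-trust.so; no NSS header is involved."""
import ctypes
import ctypes.util
import os
from dataclasses import dataclass
from typing import Optional

CKR_OK = 0  # CK_RV success code defined by the PKCS#11 specification

# Control case for the probe: libc is a valid shared object but not a PKCS#11 module.
SYSTEM_LIBC = ctypes.util.find_library("c") or "libc.so.6"


class CK_VERSION(ctypes.Structure):
    """CK_VERSION { CK_BYTE major; CK_BYTE minor; }"""
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_FUNCTION_LIST_HEAD(ctypes.Structure):
    """Leading field of CK_FUNCTION_LIST.  The rest is a fixed-order table of
    function pointers (C_Initialize, C_Finalize, ...); only the version is read."""
    _fields_ = [("version", CK_VERSION)]


@dataclass
class ProbeResult:
    path: str
    ok: bool
    detail: str
    cryptoki_version: Optional[str] = None


def probe_pkcs11_module(path: str) -> ProbeResult:
    """Return whether `path` loads as a PKCS#11 module and, if so, which Cryptoki
    version its function list declares."""
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        return ProbeResult(path, False, f"cannot dlopen: {exc}")
    try:
        get_function_list = lib.C_GetFunctionList
    except AttributeError:
        return ProbeResult(path, False, "not a PKCS#11 module: no C_GetFunctionList export")
    # CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
    get_function_list.restype = ctypes.c_ulong
    get_function_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_HEAD))]
    function_list = ctypes.POINTER(CK_FUNCTION_LIST_HEAD)()
    rv = get_function_list(ctypes.byref(function_list))
    if rv != CKR_OK or not function_list:  # NULL pointer is falsy
        return ProbeResult(path, False, f"C_GetFunctionList returned CK_RV=0x{rv:x}")
    version = function_list.contents.version
    return ProbeResult(path, True, "PKCS#11 entry point found",
                       f"{version.major}.{version.minor}")


def check_replacement(nss_lib_dir: str, p11kit_trust: str) -> ProbeResult:
    """Hypothetical post-build check for the symlink swap in this PR: the nss
    output's lib/libnssckbi.so must resolve to the p11-kit module, and that module
    must itself probe as a PKCS#11 module."""
    link = os.path.join(nss_lib_dir, "libnssckbi.so")
    if os.path.realpath(link) != os.path.realpath(p11kit_trust):
        return ProbeResult(link, False, f"does not resolve to {p11kit_trust}")
    return probe_pkcs11_module(link)


if __name__ == "__main__":
    import sys
    # Assumed paths for illustration; pass the real store paths on the command line.
    targets = sys.argv[1:] or [
        "/run/current-system/sw/lib/pkcs11/p11-kit-trust.so",
        SYSTEM_LIBC,
    ]
    for target in targets:
        result = probe_pkcs11_module(target)
        status = "OK" if result.ok else "FAIL"
        extra = f", Cryptoki {result.cryptoki_version}" if result.ok else ""
        print(f"{target}: {status} ({result.detail}{extra})")
```

Run it against both the original nss `$out/lib/libnssckbi.so` and the `p11-kit-trust.so` the symlink points at; if both report the same Cryptoki version, the function table NSS will read has the layout it expects. What the probe cannot check is that the module also answers the NSS-specific trust attribute queries (CKA_TRUST_*) that NSS issues against libnssckbi; that compatibility is what the p11-kit trust-nss page linked from the commit message describes, and it is what the custom-ca NixOS test later in this thread exercises end to end.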
What was the situation before that? Did all the applications linking to NSS use the bundled trust store that came with NSS? I still wonder if there wouldn't be a better way to deal with this but I fear NSS doesn't really care much about system wide certs.
I think so, certainly they aren't using the system wide store.
Probably not, Red Hat/Fedora was in the same situation and p11-kit is what they came up with.
Can you please target staging with the mass rebuild and fix the merge conflict?
I added a test to check that the
Building this on staging would probably take days, but you can avoid the rebuilds by running it from master and using

```nix
# NixOS module: `pkgs` comes from the module arguments.
{ pkgs, ... }:
{
  system.replaceRuntimeDependencies =
    let
      nss-p11kit = pkgs.nss.overrideDerivation (old: {
        postInstall = ''
          # Replace built-in trust with p11-kit connection
          ln -sf ${pkgs.p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so
        '';
      });
    in [{ original = pkgs.nss; replacement = nss-p11kit; }];
}
```
81c0389 to bef086f
@GrahamcOfBorg eval
Staging is broken right now.
I saw FRidh pushed a commit to fix the eval but it's still broken (differently).
Yes, another fix in e3961ff.
@GrahamcOfBorg test custom-ca |
9b2866b to 2a1c8c3
Thanks to the test, I'm now pretty confident this PR won't wreak havoc on Nixpkgs.
Wow, the integration test is awesome. Thanks for that!
This commit adds an option to replace libnssckbi with the p11-kit-trust[1] module. It makes all NSS applications (like Firefox, Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS) and other PKCS#11 modules without ad-hoc configuration. This approach was first implemented in Fedora[2], and later in other distributions like Arch Linux. [1]: https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-nss.html [2]: https://fedoraproject.org/wiki/Features/SharedSystemCertificates
This is a NixOS test for the security.pki options.
Thank you! I have fixed the conflict (stdenv.lib -> lib change) and rebased. I tested again
@rnhmjoj the commit message says:
It however seems p11-kit doesn't properly discover PKCS#11 modules on NixOS. I opened #171978. |
Motivation for this change
The original motivation is #8247
After multiple attempts it seems I have finally understood how to use p11-kit-trust.
So far I've only built nss and tested the system trust store is used by qtwebengine.
Firefox and other Mozilla programs should be tested as well.
This commit adds an option to replace libnssckbi with the p11-kit-trust[1] module. It makes all NSS applications (like Firefox, Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS) and other PKCS#11 modules without ad-hoc configuration. Enabling the option will additionally generate a p11-kit compatible
module of the Mozilla CA bundle.
This approach was first implemented in Fedora[2], and later in other distributions like Arch Linux. The certdata2pem.py script is in fact taken, and some of the build code adapted, from the ca-certificates Fedora package[3].
Things done
Tested using sandboxing (option sandbox in nix.conf on non-NixOS linux)
Determined the impact on package closure size (by running nix path-info -S before and after)