diff options
author | rnhmjoj <rnhmjoj@inventati.org> | 2020-08-31 11:07:34 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-01-24 10:50:52 +0100 |
commit | b9bb98cf49c24b94a66d38630661b3249ac8ae19 (patch) | |
tree | a55fd762242dd629fba4e6c649e60abe453e896e /pkgs/development/libraries/nss | |
parent | 5d637e001675a776c664c90a772df5c2196e1fd5 (diff) | |
download | nixpkgs-b9bb98cf49c24b94a66d38630661b3249ac8ae19.tar nixpkgs-b9bb98cf49c24b94a66d38630661b3249ac8ae19.tar.gz nixpkgs-b9bb98cf49c24b94a66d38630661b3249ac8ae19.tar.bz2 nixpkgs-b9bb98cf49c24b94a66d38630661b3249ac8ae19.tar.lz nixpkgs-b9bb98cf49c24b94a66d38630661b3249ac8ae19.tar.xz nixpkgs-b9bb98cf49c24b94a66d38630661b3249ac8ae19.tar.zst nixpkgs-b9bb98cf49c24b94a66d38630661b3249ac8ae19.zip |
nss: add option to use p11-kit
This commit adds an option to replace libnssckbi with the p11-kit-trust[1] module. It makes all NSS application (like Firefox, Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS) and other PKCS#11 modules without ad-hoc configuration. This approach was first implemented in Fedora[2] and other distributions like Arch Linux, later. [1]: https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-nss.html [2]: https://fedoraproject.org/wiki/Features/SharedSystemCertificates
Diffstat (limited to 'pkgs/development/libraries/nss')
-rw-r--r-- | pkgs/development/libraries/nss/default.nix | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/pkgs/development/libraries/nss/default.nix b/pkgs/development/libraries/nss/default.nix index 8c98d7ae9bb..aa691092f85 100644 --- a/pkgs/development/libraries/nss/default.nix +++ b/pkgs/development/libraries/nss/default.nix @@ -1,4 +1,7 @@ -{ lib, stdenv, fetchurl, nspr, perl, zlib, sqlite, darwin, fixDarwinDylibNames, buildPackages, ninja +{ lib, stdenv, fetchurl, nspr, perl, zlib +, sqlite, ninja +, darwin, fixDarwinDylibNames, buildPackages +, useP11kit ? true, p11-kit , # allow FIPS mode. Note that this makes the output non-reproducible. # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 enableFIPS ? false @@ -139,6 +142,11 @@ in stdenv.mkDerivation rec { chmod 0755 $out/bin/nss-config ''; + postInstall = stdenv.lib.optionalString useP11kit '' + # Replace built-in trust with p11-kit connection + ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so + ''; + postFixup = let isCross = stdenv.hostPlatform != stdenv.buildPlatform; nss = if isCross then buildPackages.nss.tools else "$out"; |