From c50ba6a354d939db008f2d5d4cd8da1dcda9ec12 Mon Sep 17 00:00:00 2001
From: Daiderd Jordan
Date: Tue, 15 Jan 2019 22:14:56 +0100
Subject: [PATCH] security.pki: add test for ca-certificates.crt
---
 release.nix | 1 +
 tests/security-pki.nix | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 tests/security-pki.nix
diff --git a/release.nix b/release.nix
index 11471414..78c43b3a 100644
--- a/release.nix
+++ b/release.nix
@@ -98,6 +98,7 @@ let
 tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix;
 tests.programs-ssh = makeTest ./tests/programs-ssh.nix;
 tests.programs-zsh = makeTest ./tests/programs-zsh.nix;
+ tests.security-pki = makeTest ./tests/security-pki.nix;
 tests.services-activate-system = makeTest ./tests/services-activate-system.nix;
 tests.services-buildkite-agent = makeTest ./tests/services-buildkite-agent.nix;
 tests.services-nix-daemon = makeTest ./tests/services-nix-daemon.nix;
diff --git a/tests/security-pki.nix b/tests/security-pki.nix
new file mode 100644
index 00000000..7aa8ec86
--- /dev/null
+++ b/tests/security-pki.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+ security.pki.certificates = [
+ ''
+ Fake Root CA
+ ------------
+ ''
+ ];
+
+ test = ''
+ echo "checking for ca-certificates.crt in /etc" >&2
+ test -e ${config.out}/etc/ssl/certs/ca-certificates.crt
+
+ echo "checking NIX_SSL_CERT_FILE in set-environment" >&2
+ grep 'NIX_SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"' ${config.system.build.setEnvironment}
+
+ echo "checking for certificates in ca-certificates.crt" >&2
+ grep -q 'BEGIN CERTIFICATE' ${config.out}/etc/ssl/certs/ca-certificates.crt
+
+ echo "checking for extra certificate in ca-certificates.crt" >&2
+ grep 'Fake Root CA' ${config.out}/etc/ssl/certs/ca-certificates.crt
+ '';
+}
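Review bot: In the new `tests/security-pki.nix`, the `security.pki.certificates` fixture is a text label with a dashed underline rather than a PEM block, so the final `grep 'Fake Root CA'` only shows that the string was concatenated into `ca-certificates.crt`. The earlier `grep -q 'BEGIN CERTIFICATE'` is presumably satisfied by the default bundle, not by this entry, so nothing here checks that an added certificate arrives in a form a TLS client can parse. A throwaway self-signed certificate in PEM form would make the trust-store check meaningful; if the placeholder stays, a comment such as `# placeholder text, not a real certificate: this only checks concatenation into the bundle` would make the limit explicit. As a style point, the second and fourth `grep` calls print their match while the third uses `-q`; using `grep -q` throughout (with `-F` for the fixed strings) would keep the build log quiet and consistent.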