Diffstat (limited to 'pki/ca.nix')
-rw-r--r--pki/ca.nix41
1 files changed, 29 insertions, 12 deletions
diff --git a/pki/ca.nix b/pki/ca.nix
index 70640be..f0ca33d 100644
--- a/pki/ca.nix
+++ b/pki/ca.nix
@@ -2,7 +2,7 @@
with lib; let
cfg = config.local.pki.ca;
- inherit (pkgs.buildPackages) openssl;
+ openssl = getExe pkgs.buildPackages.openssl;
certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
options = {
@@ -11,9 +11,16 @@ with lib; let
readOnly = true;
};
- fingerprint.sha256 = mkOption {
- type = str;
- readOnly = true;
+ fingerprint = {
+ sha1-lower = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ sha256-bytes-upper = mkOption {
+ type = str;
+ readOnly = true;
+ };
};
fullchain = mkOption {
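Review bot: The two new `fingerprint` options are declared without a `description`, so the meaning of the suffixes `-lower` and `-bytes-upper` (which encode the output format produced in the `config` block further down) is only discoverable by reading the shell pipelines. I would add `description = "Lowercase, separator-free SHA-1 fingerprint of the certificate; SHA-1 is kept only for consumers that require that format and should not be treated as a collision-resistant identity."` on `sha1-lower`, and `description = "SHA-256 fingerprint of the certificate as uppercase colon-separated byte pairs, as printed by openssl x509 -fingerprint."` on `sha256-bytes-upper`. The readOnly declarations are fine as they are; the submodule these options belong to starts before the hunk.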
@@ -53,12 +60,22 @@ with lib; let
};
config = {
- fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
- ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
- | sed 's/^.*=//' \
- | tr -d $'\n' \
- >$out
- '');
+ fingerprint = {
+ sha1-lower = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha1-lower" { } ''
+ ${openssl} x509 -in ${config.cert} -noout -sha1 -fingerprint \
+ | sed 's/^.*=//' \
+ | tr -d $':\n' \
+ | tr '[A-Z]' '[a-z]' \
+ >>$out
+ '');
+
+ sha256-bytes-upper = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256-bytes-upper" { } ''
+ ${openssl} x509 -in ${config.cert} -noout -sha256 -fingerprint \
+ | sed 's/^.*=//' \
+ | tr -d $'\n' \
+ >>$out
+ '');
+ };
fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
(concatStrings (map readFile
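Review bot: The rewritten pipelines change the final redirection from `>$out` to `>>$out`, which reads as an intentional append even though each derivation writes `$out` exactly once; `>$out` states the intent directly and cannot silently concatenate if the output file ever pre-exists, so I would restore `>$out` on both lines. The lowercasing step also uses `tr '[A-Z]' '[a-z]'`, where the brackets are a legacy form that only works because they map onto each other; the conventional spelling is `tr 'A-Z' 'a-z'`. Both values are still read back into the module with `readFile` at evaluation time, as before, so the format of what lands in `$out` is the option's contract and worth keeping as tight as the option name suggests. The enclosing `config` attribute set continues outside the hunk.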
@@ -67,8 +84,8 @@ with lib; let
path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
} // optionalAttrs (leafOf != null) {
- commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
- ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
+ commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-common-name" { } ''
+ ${openssl} x509 -in ${config.cert} -noout -subject -nameopt multiline \
| grep commonName \
| sed 's/^.*=\s*//' \
| tr -d $'\n' \