Diffstat (limited to '')
-rw-r--r--sys/pki/ca.nix104
1 files changed, 79 insertions, 25 deletions
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
index 1c7dad1..2b74a89 100644
--- a/sys/pki/ca.nix
+++ b/sys/pki/ca.nix
@@ -1,38 +1,91 @@
{ config, lib, pkgs, ... }:
with lib; let
cfg = config.local.pki.ca;
-in
-{
- options.local.pki.ca = mkOption {
- readOnly = true;
- type = with lib.types; attrsOf (submodule ({ config, name, ... }: {
- options = {
- cert = mkOption {
- type = path;
- readOnly = true;
- };
+ inherit (pkgs.buildPackages) openssl;
- crl = mkOption {
- type = path;
- readOnly = true;
- };
+ certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
+ options = {
+ cert = mkOption {
+ type = path;
+ readOnly = true;
+ };
- fullchain = mkOption {
- type = path;
- readOnly = true;
- };
+ fingerprint.sha256 = mkOption {
+ type = str;
+ readOnly = true;
+ };
- issuer = mkOption {
- type = nullOr str;
- readOnly = true;
- };
+ fullchain = mkOption {
+ type = path;
+ readOnly = true;
};
- config.fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+ issuer = mkOption {
+ type = nullOr str;
+ readOnly = true;
+ };
+
+ path = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ } // optionalAttrs (leafOf != null) {
+ commonName = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ } // optionalAttrs (leafOf == null) {
+ crl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ certWithCrl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ leaves = mkOption {
+ type = certsType name;
+ readOnly = true;
+ };
+ };
+
+ config = {
+ fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+ ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
+ | sed 's/^.*=//' \
+ | tr -d $'\n' \
+ >$out
+ '');
+
+ fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
(concatStrings (map readFile
- ([ config.cert config.crl ] ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
- }));
+ (singleton (if leafOf != null then config.cert else config.certWithCrl)
+ ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+
+ path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
+ } // optionalAttrs (leafOf != null) {
+ commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+ ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
+ | grep commonName \
+ | sed 's/^.*=\s*//' \
+ | tr -d $'\n' \
+ >$out
+ '');
+
+ issuer = leafOf;
+ } // optionalAttrs (leafOf == null) {
+ certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
+ (concatStrings (map readFile [ config.cert config.crl ]));
+ };
+ }));
+in
+{
+ options.local.pki.ca = mkOption {
+ type = certsType null;
+ readOnly = true;
};
config.local.pki.ca = {
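Review bot: The commonName derivation near the end of the hunk reuses the fingerprint derivation's name, `"cert-${config.path}-fprint-sha256"`, so the store path holding the subject lookup is labelled as a SHA-256 fingerprint; rename it, e.g. `"cert-${config.path}-commonname"`. In that same pipeline `grep commonName` is the only step that can fail, and without `set -o pipefail` the build still succeeds because the pipeline's status is that of `tr`, so a certificate with no commonName yields an empty string silently instead of a build error. Starting the script with `set -o pipefail` (and `grep -m1 commonName` if only the first CN should win when a subject carries several) makes that failure visible. Both `fingerprint.sha256` and `commonName` are `readFile` on a derivation output, i.e. import-from-derivation at evaluation time, which is worth stating on the options, e.g. `# Computed via IFD: reading fingerprint/commonName builds a derivation during evaluation`. The `config.local.pki.ca = {` attribute set opened on the hunk's last line continues outside the hunk.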
@@ -52,6 +105,7 @@ in
crl = ./public/root-crl.pem;
cert = ./public/root-ca.pem;
issuer = null;
+ leaves = { };
};
};
}
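Review bot: `leaves = { };` is needed here only because the `leaves` option declared earlier in this file has no `default`; adding `default = { };` to that option would let a CA without leaf certificates omit the line. Any other CA entries in the lines this hunk skips (old lines 39–51, not visible here) presumably need the same addition or that default, otherwise accessing their `leaves` will fail with an unset-option error.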