1 | use std::env; |
2 | use std::path::{Path, PathBuf}; |
3 | |
4 | /// The OpenSSL environment variable to configure what certificate file to use. |
5 | pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE" ; |
6 | |
7 | /// The OpenSSL environment variable to configure what certificates directory to use. |
8 | pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR" ; |
9 | |
10 | pub struct ProbeResult { |
11 | pub cert_file: Option<PathBuf>, |
12 | pub cert_dir: Option<PathBuf>, |
13 | } |
14 | |
15 | /// Probe the system for the directory in which CA certificates should likely be |
16 | /// found. |
17 | /// |
18 | /// This will only search known system locations. |
19 | pub fn find_certs_dirs() -> Vec<PathBuf> { |
20 | cert_dirs_iter().map(Path::to_path_buf).collect() |
21 | } |
22 | |
23 | // TODO: when we bump to 0.2, make this the `find_certs_dirs` function |
24 | fn cert_dirs_iter() -> impl Iterator<Item = &'static Path> { |
25 | // see http://gagravarr.org/writing/openssl-certs/others.shtml |
26 | [ |
27 | "/var/ssl" , |
28 | "/usr/share/ssl" , |
29 | "/usr/local/ssl" , |
30 | "/usr/local/openssl" , |
31 | "/usr/local/etc/openssl" , |
32 | "/usr/local/share" , |
33 | "/usr/lib/ssl" , |
34 | "/usr/ssl" , |
35 | "/etc/openssl" , |
36 | "/etc/pki/ca-trust/extracted/pem" , |
37 | "/etc/pki/tls" , |
38 | "/etc/ssl" , |
39 | "/etc/certs" , |
40 | "/opt/etc/ssl" , // Entware |
41 | "/data/data/com.termux/files/usr/etc/tls" , |
42 | "/boot/system/data/ssl" , |
43 | ] |
44 | .iter().map(Path::new).filter(|p: &&Path| p.exists()) |
45 | } |
46 | |
47 | /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` |
48 | /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. |
49 | /// |
50 | /// Preconfigured values in the environment variables will not be overwritten if the paths they |
51 | /// point to exist and are accessible. |
52 | pub fn init_ssl_cert_env_vars() { |
53 | try_init_ssl_cert_env_vars(); |
54 | } |
55 | |
56 | /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` |
57 | /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. |
58 | /// |
59 | /// Preconfigured values in the environment variables will not be overwritten if the paths they |
60 | /// point to exist and are accessible. |
61 | /// |
62 | /// Returns `true` if any certificate file or directory was found while probing. |
63 | /// Combine this with `has_ssl_cert_env_vars()` to check whether previously configured environment |
64 | /// variables are valid. |
65 | pub fn try_init_ssl_cert_env_vars() -> bool { |
66 | let ProbeResult { cert_file: Option, cert_dir: Option } = probe(); |
67 | // we won't be overwriting existing env variables because if they're valid probe() will have |
68 | // returned them unchanged |
69 | if let Some(path: &PathBuf) = &cert_file { |
70 | env::set_var(ENV_CERT_FILE, value:path); |
71 | } |
72 | if let Some(path: &PathBuf) = &cert_dir { |
73 | env::set_var(ENV_CERT_DIR, value:path); |
74 | } |
75 | |
76 | cert_file.is_some() || cert_dir.is_some() |
77 | } |
78 | |
79 | /// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is |
80 | /// configured in this process with an existing file or directory. |
81 | /// |
82 | /// That being the case would indicate that certificates will be found successfully by OpenSSL. |
83 | /// |
84 | /// Returns `true` if either variable is set to an existing file or directory. |
85 | pub fn has_ssl_cert_env_vars() -> bool { |
86 | let probe: ProbeResult = probe_from_env(); |
87 | probe.cert_file.is_some() || probe.cert_dir.is_some() |
88 | } |
89 | |
90 | fn probe_from_env() -> ProbeResult { |
91 | let var: impl Fn(&str) -> Option = |name: &str| { |
92 | envOption::var_os(key:name) |
93 | .map(PathBuf::from) |
94 | .filter(|p: &PathBuf| p.exists()) |
95 | }; |
96 | ProbeResult { |
97 | cert_file: var(ENV_CERT_FILE), |
98 | cert_dir: var(ENV_CERT_DIR), |
99 | } |
100 | } |
101 | |
102 | pub fn probe() -> ProbeResult { |
103 | let mut result = probe_from_env(); |
104 | for certs_dir in cert_dirs_iter() { |
105 | // cert.pem looks to be an openssl 1.0.1 thing, while |
106 | // certs/ca-certificates.crt appears to be a 0.9.8 thing |
107 | let cert_filenames = [ |
108 | "cert.pem" , |
109 | "certs.pem" , |
110 | "ca-bundle.pem" , |
111 | "cacert.pem" , |
112 | "ca-certificates.crt" , |
113 | "certs/ca-certificates.crt" , |
114 | "certs/ca-root-nss.crt" , |
115 | "certs/ca-bundle.crt" , |
116 | "CARootCertificates.pem" , |
117 | "tls-ca-bundle.pem" , |
118 | ]; |
119 | if result.cert_file.is_none() { |
120 | result.cert_file = cert_filenames |
121 | .iter() |
122 | .map(|fname| certs_dir.join(fname)) |
123 | .find(|p| p.exists()); |
124 | } |
125 | if result.cert_dir.is_none() { |
126 | let cert_dir = certs_dir.join("certs" ); |
127 | if cert_dir.exists() { |
128 | result.cert_dir = Some(cert_dir); |
129 | } |
130 | } |
131 | if result.cert_file.is_some() && result.cert_dir.is_some() { |
132 | break; |
133 | } |
134 | } |
135 | result |
136 | } |
137 | |