| 1 | use std::env; |
| 2 | use std::path::{Path, PathBuf}; |
|---|
| 3 | |
|---|
| 4 | /// The OpenSSL environment variable to configure what certificate file to use. |
|---|
| 5 | pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE" ; |
|---|
| 6 | |
|---|
| 7 | /// The OpenSSL environment variable to configure what certificates directory to use. |
|---|
| 8 | pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR" ; |
|---|
| 9 | |
|---|
| 10 | pub struct ProbeResult { |
|---|
| 11 | pub cert_file: Option<PathBuf>, |
|---|
| 12 | pub cert_dir: Option<PathBuf>, |
|---|
| 13 | } |
|---|
| 14 | |
|---|
| 15 | /// Probe the system for the directory in which CA certificates should likely be |
|---|
| 16 | /// found. |
|---|
| 17 | /// |
|---|
| 18 | /// This will only search known system locations. |
|---|
| 19 | pub fn find_certs_dirs() -> Vec<PathBuf> { |
|---|
| 20 | cert_dirs_iter().map(Path::to_path_buf).collect() |
|---|
| 21 | } |
|---|
| 22 | |
|---|
| 23 | // TODO: when we bump to 0.2, make this the `find_certs_dirs` function |
|---|
| 24 | fn cert_dirs_iter() -> impl Iterator<Item = &'static Path> { |
|---|
| 25 | // see http://gagravarr.org/writing/openssl-certs/others.shtml |
|---|
| 26 | [ |
|---|
| 27 | "/var/ssl" , |
|---|
| 28 | "/usr/share/ssl" , |
|---|
| 29 | "/usr/local/ssl" , |
|---|
| 30 | "/usr/local/openssl" , |
|---|
| 31 | "/usr/local/etc/openssl" , |
|---|
| 32 | "/usr/local/share" , |
|---|
| 33 | "/usr/lib/ssl" , |
|---|
| 34 | "/usr/ssl" , |
|---|
| 35 | "/etc/openssl" , |
|---|
| 36 | "/etc/pki/ca-trust/extracted/pem" , |
|---|
| 37 | "/etc/pki/tls" , |
|---|
| 38 | "/etc/ssl" , |
|---|
| 39 | "/etc/certs" , |
|---|
| 40 | "/opt/etc/ssl" , // Entware |
|---|
| 41 | "/data/data/com.termux/files/usr/etc/tls" , |
|---|
| 42 | "/boot/system/data/ssl" , |
|---|
| 43 | ] |
|---|
| 44 | .iter().map(Path::new).filter(|p: &&Path| p.exists()) |
|---|
| 45 | } |
|---|
| 46 | |
|---|
| 47 | /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` |
|---|
| 48 | /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. |
|---|
| 49 | /// |
|---|
| 50 | /// Preconfigured values in the environment variables will not be overwritten if the paths they |
|---|
| 51 | /// point to exist and are accessible. |
|---|
| 52 | pub fn init_ssl_cert_env_vars() { |
|---|
| 53 | try_init_ssl_cert_env_vars(); |
|---|
| 54 | } |
|---|
| 55 | |
|---|
| 56 | /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` |
|---|
| 57 | /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. |
|---|
| 58 | /// |
|---|
| 59 | /// Preconfigured values in the environment variables will not be overwritten if the paths they |
|---|
| 60 | /// point to exist and are accessible. |
|---|
| 61 | /// |
|---|
| 62 | /// Returns `true` if any certificate file or directory was found while probing. |
|---|
| 63 | /// Combine this with `has_ssl_cert_env_vars()` to check whether previously configured environment |
|---|
| 64 | /// variables are valid. |
|---|
| 65 | pub fn try_init_ssl_cert_env_vars() -> bool { |
|---|
| 66 | let ProbeResult { cert_file: Option, cert_dir: Option } = probe(); |
|---|
| 67 | // we won't be overwriting existing env variables because if they're valid probe() will have |
|---|
| 68 | // returned them unchanged |
|---|
| 69 | if let Some(path: &PathBuf) = &cert_file { |
|---|
| 70 | env::set_var(ENV_CERT_FILE, value:path); |
|---|
| 71 | } |
|---|
| 72 | if let Some(path: &PathBuf) = &cert_dir { |
|---|
| 73 | env::set_var(ENV_CERT_DIR, value:path); |
|---|
| 74 | } |
|---|
| 75 | |
|---|
| 76 | cert_file.is_some() || cert_dir.is_some() |
|---|
| 77 | } |
|---|
| 78 | |
|---|
| 79 | /// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is |
|---|
| 80 | /// configured in this process with an existing file or directory. |
|---|
| 81 | /// |
|---|
| 82 | /// That being the case would indicate that certificates will be found successfully by OpenSSL. |
|---|
| 83 | /// |
|---|
| 84 | /// Returns `true` if either variable is set to an existing file or directory. |
|---|
| 85 | pub fn has_ssl_cert_env_vars() -> bool { |
|---|
| 86 | let probe: ProbeResult = probe_from_env(); |
|---|
| 87 | probe.cert_file.is_some() || probe.cert_dir.is_some() |
|---|
| 88 | } |
|---|
| 89 | |
|---|
| 90 | fn probe_from_env() -> ProbeResult { |
|---|
| 91 | let var: impl Fn(&str) -> Option = |name: &str| { |
|---|
| 92 | envOption::var_os(key:name) |
|---|
| 93 | .map(PathBuf::from) |
|---|
| 94 | .filter(|p: &PathBuf| p.exists()) |
|---|
| 95 | }; |
|---|
| 96 | ProbeResult { |
|---|
| 97 | cert_file: var(ENV_CERT_FILE), |
|---|
| 98 | cert_dir: var(ENV_CERT_DIR), |
|---|
| 99 | } |
|---|
| 100 | } |
|---|
| 101 | |
|---|
| 102 | pub fn probe() -> ProbeResult { |
|---|
| 103 | let mut result = probe_from_env(); |
|---|
| 104 | for certs_dir in cert_dirs_iter() { |
|---|
| 105 | // cert.pem looks to be an openssl 1.0.1 thing, while |
|---|
| 106 | // certs/ca-certificates.crt appears to be a 0.9.8 thing |
|---|
| 107 | let cert_filenames = [ |
|---|
| 108 | "cert.pem" , |
|---|
| 109 | "certs.pem" , |
|---|
| 110 | "ca-bundle.pem" , |
|---|
| 111 | "cacert.pem" , |
|---|
| 112 | "ca-certificates.crt" , |
|---|
| 113 | "certs/ca-certificates.crt" , |
|---|
| 114 | "certs/ca-root-nss.crt" , |
|---|
| 115 | "certs/ca-bundle.crt" , |
|---|
| 116 | "CARootCertificates.pem" , |
|---|
| 117 | "tls-ca-bundle.pem" , |
|---|
| 118 | ]; |
|---|
| 119 | if result.cert_file.is_none() { |
|---|
| 120 | result.cert_file = cert_filenames |
|---|
| 121 | .iter() |
|---|
| 122 | .map(|fname| certs_dir.join(fname)) |
|---|
| 123 | .find(|p| p.exists()); |
|---|
| 124 | } |
|---|
| 125 | if result.cert_dir.is_none() { |
|---|
| 126 | let cert_dir = certs_dir.join("certs" ); |
|---|
| 127 | if cert_dir.exists() { |
|---|
| 128 | result.cert_dir = Some(cert_dir); |
|---|
| 129 | } |
|---|
| 130 | } |
|---|
| 131 | if result.cert_file.is_some() && result.cert_dir.is_some() { |
|---|
| 132 | break; |
|---|
| 133 | } |
|---|
| 134 | } |
|---|
| 135 | result |
|---|
| 136 | } |
|---|
| 137 | |
|---|
