1use std::env;
2use std::path::{Path, PathBuf};
3
4/// The OpenSSL environment variable to configure what certificate file to use.
5pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE";
6
7/// The OpenSSL environment variable to configure what certificates directory to use.
8pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR";
9
10pub struct ProbeResult {
11 pub cert_file: Option<PathBuf>,
12 pub cert_dir: Option<PathBuf>,
13}
14
15/// Probe the system for the directory in which CA certificates should likely be
16/// found.
17///
18/// This will only search known system locations.
19pub fn find_certs_dirs() -> Vec<PathBuf> {
20 cert_dirs_iter().map(Path::to_path_buf).collect()
21}
22
23// TODO: when we bump to 0.2, make this the `find_certs_dirs` function
24fn cert_dirs_iter() -> impl Iterator<Item = &'static Path> {
25 // see http://gagravarr.org/writing/openssl-certs/others.shtml
26 [
27 "/var/ssl",
28 "/usr/share/ssl",
29 "/usr/local/ssl",
30 "/usr/local/openssl",
31 "/usr/local/etc/openssl",
32 "/usr/local/share",
33 "/usr/lib/ssl",
34 "/usr/ssl",
35 "/etc/openssl",
36 "/etc/pki/ca-trust/extracted/pem",
37 "/etc/pki/tls",
38 "/etc/ssl",
39 "/etc/certs",
40 "/opt/etc/ssl", // Entware
41 "/data/data/com.termux/files/usr/etc/tls",
42 "/boot/system/data/ssl",
43 ]
44 .iter().map(Path::new).filter(|p: &&Path| p.exists())
45}
46
47/// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE`
48/// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use.
49///
50/// Preconfigured values in the environment variables will not be overwritten if the paths they
51/// point to exist and are accessible.
52pub fn init_ssl_cert_env_vars() {
53 try_init_ssl_cert_env_vars();
54}
55
56/// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE`
57/// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use.
58///
59/// Preconfigured values in the environment variables will not be overwritten if the paths they
60/// point to exist and are accessible.
61///
62/// Returns `true` if any certificate file or directory was found while probing.
63/// Combine this with `has_ssl_cert_env_vars()` to check whether previously configured environment
64/// variables are valid.
65pub fn try_init_ssl_cert_env_vars() -> bool {
66 let ProbeResult { cert_file: Option, cert_dir: Option } = probe();
67 // we won't be overwriting existing env variables because if they're valid probe() will have
68 // returned them unchanged
69 if let Some(path: &PathBuf) = &cert_file {
70 env::set_var(ENV_CERT_FILE, value:path);
71 }
72 if let Some(path: &PathBuf) = &cert_dir {
73 env::set_var(ENV_CERT_DIR, value:path);
74 }
75
76 cert_file.is_some() || cert_dir.is_some()
77}
78
79/// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is
80/// configured in this process with an existing file or directory.
81///
82/// That being the case would indicate that certificates will be found successfully by OpenSSL.
83///
84/// Returns `true` if either variable is set to an existing file or directory.
85pub fn has_ssl_cert_env_vars() -> bool {
86 let probe: ProbeResult = probe_from_env();
87 probe.cert_file.is_some() || probe.cert_dir.is_some()
88}
89
90fn probe_from_env() -> ProbeResult {
91 let var: impl Fn(&'static str) -> Option<…> = |name: &'static str| {
92 envOption::var_os(key:name)
93 .map(PathBuf::from)
94 .filter(|p: &PathBuf| p.exists())
95 };
96 ProbeResult {
97 cert_file: var(ENV_CERT_FILE),
98 cert_dir: var(ENV_CERT_DIR),
99 }
100}
101
102pub fn probe() -> ProbeResult {
103 let mut result = probe_from_env();
104 for certs_dir in cert_dirs_iter() {
105 // cert.pem looks to be an openssl 1.0.1 thing, while
106 // certs/ca-certificates.crt appears to be a 0.9.8 thing
107 let cert_filenames = [
108 "cert.pem",
109 "certs.pem",
110 "ca-bundle.pem",
111 "cacert.pem",
112 "ca-certificates.crt",
113 "certs/ca-certificates.crt",
114 "certs/ca-root-nss.crt",
115 "certs/ca-bundle.crt",
116 "CARootCertificates.pem",
117 "tls-ca-bundle.pem",
118 ];
119 if result.cert_file.is_none() {
120 result.cert_file = cert_filenames
121 .iter()
122 .map(|fname| certs_dir.join(fname))
123 .find(|p| p.exists());
124 }
125 if result.cert_dir.is_none() {
126 let cert_dir = certs_dir.join("certs");
127 if cert_dir.exists() {
128 result.cert_dir = Some(cert_dir);
129 }
130 }
131 if result.cert_file.is_some() && result.cert_dir.is_some() {
132 break;
133 }
134 }
135 result
136}
137