use std::env; use std::path::{Path, PathBuf}; /// The OpenSSL environment variable to configure what certificate file to use. pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE"; /// The OpenSSL environment variable to configure what certificates directory to use. pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR"; pub struct ProbeResult { pub cert_file: Option, pub cert_dir: Option, } /// Probe the system for the directory in which CA certificates should likely be /// found. /// /// This will only search known system locations. pub fn find_certs_dirs() -> Vec { cert_dirs_iter().map(Path::to_path_buf).collect() } // TODO: when we bump to 0.2, make this the `find_certs_dirs` function fn cert_dirs_iter() -> impl Iterator { // see http://gagravarr.org/writing/openssl-certs/others.shtml [ "/var/ssl", "/usr/share/ssl", "/usr/local/ssl", "/usr/local/openssl", "/usr/local/etc/openssl", "/usr/local/share", "/usr/lib/ssl", "/usr/ssl", "/etc/openssl", "/etc/pki/ca-trust/extracted/pem", "/etc/pki/tls", "/etc/ssl", "/etc/certs", "/opt/etc/ssl", // Entware "/data/data/com.termux/files/usr/etc/tls", "/boot/system/data/ssl", ] .iter().map(Path::new).filter(|p| p.exists()) } /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. /// /// Preconfigured values in the environment variables will not be overwritten if the paths they /// point to exist and are accessible. pub fn init_ssl_cert_env_vars() { try_init_ssl_cert_env_vars(); } /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. /// /// Preconfigured values in the environment variables will not be overwritten if the paths they /// point to exist and are accessible. /// /// Returns `true` if any certificate file or directory was found while probing. /// Combine this with `has_ssl_cert_env_vars()` to check whether previously configured environment /// variables are valid. pub fn try_init_ssl_cert_env_vars() -> bool { let ProbeResult { cert_file, cert_dir } = probe(); // we won't be overwriting existing env variables because if they're valid probe() will have // returned them unchanged if let Some(path) = &cert_file { env::set_var(ENV_CERT_FILE, path); } if let Some(path) = &cert_dir { env::set_var(ENV_CERT_DIR, path); } cert_file.is_some() || cert_dir.is_some() } /// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is /// configured in this process with an existing file or directory. /// /// That being the case would indicate that certificates will be found successfully by OpenSSL. /// /// Returns `true` if either variable is set to an existing file or directory. pub fn has_ssl_cert_env_vars() -> bool { let probe = probe_from_env(); probe.cert_file.is_some() || probe.cert_dir.is_some() } fn probe_from_env() -> ProbeResult { let var = |name| { env::var_os(name) .map(PathBuf::from) .filter(|p| p.exists()) }; ProbeResult { cert_file: var(ENV_CERT_FILE), cert_dir: var(ENV_CERT_DIR), } } pub fn probe() -> ProbeResult { let mut result = probe_from_env(); for certs_dir in cert_dirs_iter() { // cert.pem looks to be an openssl 1.0.1 thing, while // certs/ca-certificates.crt appears to be a 0.9.8 thing let cert_filenames = [ "cert.pem", "certs.pem", "ca-bundle.pem", "cacert.pem", "ca-certificates.crt", "certs/ca-certificates.crt", "certs/ca-root-nss.crt", "certs/ca-bundle.crt", "CARootCertificates.pem", "tls-ca-bundle.pem", ]; if result.cert_file.is_none() { result.cert_file = cert_filenames .iter() .map(|fname| certs_dir.join(fname)) .find(|p| p.exists()); } if result.cert_dir.is_none() { let cert_dir = certs_dir.join("certs"); if cert_dir.exists() { result.cert_dir = Some(cert_dir); } } if result.cert_file.is_some() && result.cert_dir.is_some() { break; } } result }