upstream: github.com/mirage/ca-certs

add OCAML_EXTRA_CA_CERTS env variable (#30)

authored by

art-w and committed by
GitHub
8d2baf43 b54cbe6b

+29 -8
+21 -5
lib/ca_certs.ml
··· 78 78 in 79 79 Ok (X509.Certificate.encode_pem_multiple cert_list) 80 80 81 - let trust_anchors () = 81 + let system_trust_anchors () = 82 82 if Sys.win32 then windows_trust_anchors () 83 83 else 84 84 (* NixOS is special and sets "NIX_SSL_CERT_FILE" as location during builds *) ··· 107 107 Bos.OS.Cmd.(run_out cmd |> out_string |> success) 108 108 | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue))) 109 109 110 + let extra_trust_anchors () = 111 + match Sys.getenv_opt "OCAML_EXTRA_CA_CERTS" with 112 + | None -> Ok "" 113 + | Some x -> 114 + Log.info (fun m -> m "using %s (from OCAML_EXTRA_CA_CERTS)" x); 115 + detect_one x 116 + 117 + let trust_anchors () = 118 + let* cas = system_trust_anchors () in 119 + match extra_trust_anchors () with 120 + | Ok "" -> Ok cas 121 + | Ok extra_cas -> Ok (cas ^ "\n" ^ extra_cas) 122 + | Error (`Msg msg) -> 123 + Log.warn (fun m -> m "Ignoring extra trust anchors: %s." msg); 124 + Ok cas 125 + 110 126 let decode_pem_multiple data = 111 127 X509.Certificate.fold_decode_pem_multiple 112 128 (fun acc -> function ··· 118 134 119 135 let authenticator ?crls ?allowed_hashes () = 120 136 let* data = trust_anchors () in 121 - let time () = Some (Ptime_clock.now ()) in 122 - let cas = decode_pem_multiple data in 123 - match cas with 137 + match decode_pem_multiple data with 124 138 | [] -> Error (`Msg ("ca-certs: empty trust anchors.\n" ^ issue)) 125 - | _ -> Ok (X509.Authenticator.chain_of_trust ?crls ?allowed_hashes ~time cas) 139 + | cas -> 140 + let time () = Some (Ptime_clock.now ()) in 141 + Ok (X509.Authenticator.chain_of_trust ?crls ?allowed_hashes ~time cas)
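Review bot: In the new `trust_anchors`, the `Error (`Msg msg)` branch degrades silently to the system anchors alone: when `OCAML_EXTRA_CA_CERTS` is set but `detect_one x` fails (for example a mistyped path), the only signal is a `Log.warn`, and the caller gets `Ok cas` as if nothing was configured. Since the variable is an explicit opt-in, consider propagating the error (`| Error _ as e -> e`) so a misconfiguration fails loudly rather than producing puzzling verification failures against the CAs the operator meant to add; if the ignore-and-warn behaviour is intentional, it should be stated in the `.mli`. A smaller style point: `extra_trust_anchors` uses `Ok ""` as a sentinel for "variable not set", which `trust_anchors` then has to pattern-match on; returning `(string option, _) result` and matching `Ok None` / `Ok (Some extra_cas)` would make the intent explicit and avoid conflating "unset" with "set to an empty file".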
+8 -3
lib/ca_certs.mli
··· 12 12 13 13 val trust_anchors : unit -> (string, [> `Msg of string ]) result 14 14 (** [trust_anchors ()] detects the root CAs (trust anchors) in the operating 15 - system's trust store. On Unix systems, if the environment variable 16 - [SSL_CERT_FILE] is set, its value is used as path to the trust anchors. 17 - Otherwise, if [NIX_SSL_CERT_FILE] is set, its value is used. 15 + system's trust store. Additional CAs can be provided by setting the 16 + environment variable [OCAML_EXTRA_CA_CERTS] to a filename containing 17 + pem-encoded X509 certificates. 18 + 19 + On Unix systems, if the environment variable [SSL_CERT_FILE] is set, its 20 + value is used as path to the system trust anchors. Otherwise, if 21 + [NIX_SSL_CERT_FILE] is set, its value is used. 22 + 18 23 The successful result is a list of pem-encoded X509 certificates. *)
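Review bot: The new paragraph documents how to supply extra CAs but not what happens when `OCAML_EXTRA_CA_CERTS` points at a file that cannot be read or parsed; the implementation logs a warning and falls back to the system trust anchors only, which a caller relying on the extra CAs will not expect from this description. Add one sentence stating that behaviour (or the opposite, if the `.ml` is changed to return the error), and consider noting that the extra certificates are appended to, not substituted for, the system store, since "Additional CAs" leaves that implicit.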