···8181 let open Rresult.R.Infix in
8282 if Sys.win32 then windows_trust_anchors ()
8383 else
8484- let cmd = Bos.Cmd.(v "uname" % "-s") in
8585- Bos.OS.Cmd.(run_out cmd |> out_string |> success) >>= function
8686- | "FreeBSD" -> detect_one freebsd_location
8787- | "OpenBSD" -> detect_one openbsd_location
8888- | "Linux" -> detect_list linux_locations
8989- | "Darwin" ->
9090- let cmd =
9191- Bos.Cmd.(
9292- v "security" % "find-certificate" % "-a" % "-p"
9393- % macos_keychain_location)
9494- in
9595- Bos.OS.Cmd.(run_out cmd |> out_string |> success)
9696- | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue))
8484+ (* NixOS is special and sets "NIX_SSL_CERT_FILE" as location during builds *)
8585+ match Sys.getenv_opt "NIX_SSL_CERT_FILE" with
8686+ | Some x ->
8787+ Log.info (fun m -> m "using %s (from NIX_SSL_CERT_FILE)" x);
8888+ detect_one x
8989+ | None -> (
9090+ let cmd = Bos.Cmd.(v "uname" % "-s") in
9191+ Bos.OS.Cmd.(run_out cmd |> out_string |> success) >>= function
9292+ | "FreeBSD" -> detect_one freebsd_location
9393+ | "OpenBSD" -> detect_one openbsd_location
9494+ | "Linux" -> detect_list linux_locations
9595+ | "Darwin" ->
9696+ let cmd =
9797+ Bos.Cmd.(
9898+ v "security" % "find-certificate" % "-a" % "-p"
9999+ % macos_keychain_location)
100100+ in
101101+ Bos.OS.Cmd.(run_out cmd |> out_string |> success)
102102+ | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue)))
9710398104let authenticator ?crls ?allowed_hashes () =
99105 let open Rresult.R.Infix in
+2-1
lib/ca_certs.mli
···12121313val trust_anchors : unit -> (string, [> `Msg of string ]) result
1414(** [trust_anchors ()] detects the root CAs (trust anchors) in the operating
1515- system's trust store.
1515+ system's trust store. On Unix systems, if the environment variable
1616+ [NIX_SSL_CERT_FILE] is set, its value is used as path to the trust anchors.
1617 The successful result is a list of pem-encoded X509 certificates. *)
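Review bot: The sentence added to the `trust_anchors` doc comment says the value of `NIX_SSL_CERT_FILE` "is used as path to the trust anchors", but it does not say that the variable replaces platform detection outright. That is what the `lib/ca_certs.ml` hunk does: when the variable is set, the `uname -s` dispatch is never reached. Because the returned certificates are the roots of trust, the comment should tell callers that the process environment selects them, for example `If set, [NIX_SSL_CERT_FILE] takes precedence over the system trust store; unset it when the environment is not trusted.` The comment also leaves open what happens when the variable is set but empty or names an unreadable file; the visible code passes the value straight to `detect_one`, so presumably an error is returned with no fallback to the system store, which is worth stating. The check is also not limited to Nix builds, although the code comment in the `.ml` hunk describes it that way.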