Merge pull request #17 from hannesm/nix

on Linux, respect NIX_SSL_CERT_FILE
mirage · Apr 22, 2021 · 5058d15 · 5058d15
2 parents f26a42a + fbcf970
commit 5058d15
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 14 deletions.
diff --git a/lib/ca_certs.ml b/lib/ca_certs.ml
@@ -81,19 +81,25 @@ let trust_anchors () =
   let open Rresult.R.Infix in
   if Sys.win32 then windows_trust_anchors ()
   else
-    let cmd = Bos.Cmd.(v "uname" % "-s") in
-    Bos.OS.Cmd.(run_out cmd |> out_string |> success) >>= function
-    | "FreeBSD" -> detect_one freebsd_location
-    | "OpenBSD" -> detect_one openbsd_location
-    | "Linux" -> detect_list linux_locations
-    | "Darwin" ->
-        let cmd =
-          Bos.Cmd.(
-            v "security" % "find-certificate" % "-a" % "-p"
-            % macos_keychain_location)
-        in
-        Bos.OS.Cmd.(run_out cmd |> out_string |> success)
-    | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue))
+    (* NixOS is special and sets "NIX_SSL_CERT_FILE" as location during builds *)
+    match Sys.getenv_opt "NIX_SSL_CERT_FILE" with
+    | Some x ->
+        Log.info (fun m -> m "using %s (from NIX_SSL_CERT_FILE)" x);
+        detect_one x
+    | None -> (
+        let cmd = Bos.Cmd.(v "uname" % "-s") in
+        Bos.OS.Cmd.(run_out cmd |> out_string |> success) >>= function
+        | "FreeBSD" -> detect_one freebsd_location
+        | "OpenBSD" -> detect_one openbsd_location
+        | "Linux" -> detect_list linux_locations
+        | "Darwin" ->
+            let cmd =
+              Bos.Cmd.(
+                v "security" % "find-certificate" % "-a" % "-p"
+                % macos_keychain_location)
+            in
+            Bos.OS.Cmd.(run_out cmd |> out_string |> success)
+        | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue)))
 
 let authenticator ?crls ?allowed_hashes () =
   let open Rresult.R.Infix in

diff --git a/lib/ca_certs.mli b/lib/ca_certs.mli
@@ -12,5 +12,6 @@ val authenticator :
 
 val trust_anchors : unit -> (string, [> `Msg of string ]) result
 (** [trust_anchors ()] detects the root CAs (trust anchors) in the operating
-    system's trust store.
+    system's trust store. On Unix systems, if the environment variable
+    [NIX_SSL_CERT_FILE] is set, its value is used as path to the trust anchors.
     The successful result is a list of pem-encoded X509 certificates. *)