add OCAML_EXTRA_CA_CERTS env variable

mirage · Aug 29, 2024 · 82c1fae · 82c1fae
1 parent 2c5c0bc
commit 82c1fae
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 10 deletions.
diff --git a/lib/ca_certs.ml b/lib/ca_certs.ml
@@ -78,7 +78,7 @@ let windows_trust_anchors () =
   in
   Ok (X509.Certificate.encode_pem_multiple cert_list)
 
-let trust_anchors () =
+let system_trust_anchors () =
   if Sys.win32 then windows_trust_anchors ()
   else
     (* NixOS is special and sets "NIX_SSL_CERT_FILE" as location during builds *)
@@ -107,6 +107,22 @@ let trust_anchors () =
             Bos.OS.Cmd.(run_out cmd |> out_string |> success)
         | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue)))
 
+let extra_trust_anchors () =
+  match Sys.getenv_opt "OCAML_EXTRA_CA_CERTS" with
+  | None -> Ok ""
+  | Some x ->
+      Log.info (fun m -> m "using %s (from OCAML_EXTRA_CA_CERTS)" x);
+      detect_one x
+
+let trust_anchors () =
+  let* cas = system_trust_anchors () in
+  match extra_trust_anchors () with
+  | Ok "" -> Ok cas
+  | Ok extra_cas -> Ok (cas ^ "\n" ^ extra_cas)
+  | Error (`Msg msg) ->
+      Log.warn (fun m -> m "Ignoring extra trust anchors: %s." msg);
+      Ok cas
+
 let decode_pem_multiple data =
   X509.Certificate.fold_decode_pem_multiple
     (fun acc -> function
@@ -118,8 +134,8 @@ let decode_pem_multiple data =
 
 let authenticator ?crls ?allowed_hashes () =
   let* data = trust_anchors () in
-  let time () = Some (Ptime_clock.now ()) in
-  let cas = decode_pem_multiple data in
-  match cas with
+  match decode_pem_multiple data with
   | [] -> Error (`Msg ("ca-certs: empty trust anchors.\n" ^ issue))
-  | _ -> Ok (X509.Authenticator.chain_of_trust ?crls ?allowed_hashes ~time cas)
+  | cas ->
+      let time () = Some (Ptime_clock.now ()) in
+      Ok (X509.Authenticator.chain_of_trust ?crls ?allowed_hashes ~time cas)
diff --git a/lib/ca_certs.mli b/lib/ca_certs.mli
@@ -4,15 +4,20 @@ val authenticator :
   unit ->
   (X509.Authenticator.t, [> `Msg of string ]) result
 (** [authenticator ~crls ~allowed_hashes ()] detects the root CAs (trust
-    anchors) in the operating system's trust store using {!trust_anchors}. It
-    constructs an authenticator with the current timestamp {!Ptime_clock.now},
+    anchors) in the operating system's trust store using {!trust_anchors}.
+    It constructs an authenticator with the current timestamp {!Ptime_clock.now},
     and the provided [~crls] and [~allowed_hashes] arguments. The resulting
     authenticator can be used for {!Tls.Config.client}.
     Returns [Error `Msg msg] if detection did not succeed. *)
 
 val trust_anchors : unit -> (string, [> `Msg of string ]) result
 (** [trust_anchors ()] detects the root CAs (trust anchors) in the operating
-    system's trust store. On Unix systems, if the environment variable
-    [SSL_CERT_FILE] is set, its value is used as path to the trust anchors.
-    Otherwise, if [NIX_SSL_CERT_FILE] is set, its value is used.
+    system's trust store. Additional CAs can be provided by setting the
+    environment variable [OCAML_EXTRA_CA_CERTS] to a filename containing
+    pem-encoded X509 certificates.
+
+    On Unix systems, if the environment variable [SSL_CERT_FILE] is set, its
+    value is used as path to the system trust anchors.  Otherwise, if
+    [NIX_SSL_CERT_FILE] is set, its value is used.
+
     The successful result is a list of pem-encoded X509 certificates. *)