http-binary-cache-store: Add 'ssl-cert' and 'ssl-key' settings

Those are set via the store's URI, e.g.:

    https://substituter.invalid?ssl-cert=/path/to/cert.pem&ssl-key=/path/to/key.pem

Author: ztzg

doc/manual/rl-next/mtls-substituter.md

@@ -0,0 +1,13 @@
+---
+synopsis: Support substituters using mTLS (client certificate) authentication 
+issues: []
+prs: [13030]
+---
+
+Added support for `ssl-cert` and `ssl-key` options in substituter URLs.
+
+Example:
+
+    https://substituter.invalid?ssl-cert=/path/to/cert.pem&ssl-key=/path/to/key.pem
+
+When these options are configured, Nix will use this certificate/private key pair to authenticate to the server.

src/libstore/filetransfer.cc

@@ -410,6 +410,12 @@ struct curlFileTransfer : public FileTransfer
             if (writtenToSink)
                 curl_easy_setopt(req, CURLOPT_RESUME_FROM_LARGE, writtenToSink);
 
+            if (!request.sslCert.empty())
+                curl_easy_setopt(req, CURLOPT_SSLCERT, request.sslCert.c_str());
+
+            if (!request.sslKey.empty())
+                curl_easy_setopt(req, CURLOPT_SSLKEY, request.sslKey.c_str());
+
             curl_easy_setopt(req, CURLOPT_ERRORBUFFER, errbuf);
             errbuf[0] = 0;
 

src/libstore/http-binary-cache-store.cc

@@ -152,11 +152,28 @@ class HttpBinaryCacheStore :
 
     FileTransferRequest makeRequest(const std::string & path)
     {
-        return FileTransferRequest(
-            hasPrefix(path, "https://") || hasPrefix(path, "http://") || hasPrefix(path, "file://")
+        bool absolute = hasPrefix(path, "https://") || hasPrefix(path, "http://") || hasPrefix(path, "file://");
+
+        FileTransferRequest request(
+            absolute
             ? path
             : config->cacheUri + "/" + path);
 
+        if (!absolute) {
+            Path sslCert = config->sslCert.get();
+            if (!sslCert.empty()) {
+                debug("configuring SSL client certificate '%s' for '%s'", sslCert, request.uri);
+                request.sslCert = sslCert;
+            }
+
+            Path sslKey = config->sslKey.get();
+            if (!sslKey.empty()) {
+                debug("configuring SSL client certificate key '%s' for '%s'", sslKey, request.uri);
+                request.sslKey = sslKey;
+            }
+        }
+
+        return request;
     }
 
     void getFile(const std::string & path, Sink & sink) override

src/libstore/include/nix/store/filetransfer.hh

@@ -65,6 +65,8 @@ struct FileTransferRequest
     std::string uri;
     Headers headers;
     std::string expectedETag;
+    Path sslCert;
+    Path sslKey;
     bool verifyTLS = true;
     bool head = false;
     bool post = false;

src/libstore/include/nix/store/http-binary-cache-store.hh

@@ -13,6 +13,12 @@ struct HttpBinaryCacheStoreConfig : std::enable_shared_from_this<HttpBinaryCache
 
     Path cacheUri;
 
+    const Setting<std::string> sslCert{
+        this, "", "ssl-cert", "An optional SSL client certificate in PEM format; see CURLOPT_SSLCERT."};
+
+    const Setting<std::string> sslKey{
+        this, "", "ssl-key", "The SSL client certificate key in PEM format; see CURLOPT_SSLKEY."};
+
     static const std::string name()
     {
         return "HTTP Binary Cache Store";