/**
* Parse the CIVICRM_CXN_CA constant. It may have the following
* values:
* - 'CiviRootCA'|undefined -- Use the production civicrm.org root CA
* - 'CiviTestRootCA' -- Use the test civicrm.org root CA
* - 'none' -- Do not perform any certificate verification.
*
* This constant is emphatically *not* exposed through Civi's "Settings"
* system (or any other runtime-editable datastore). Manipulating
* this setting can expose the system to man-in-the-middle attacks,
* and allowing runtime manipulation would create a new vector
* for escalating privileges. This setting must only be manipulated
* by developers and sysadmins who already have full privileges
* to edit the source.
*
* @return string|NULL
* The PEM-encoded root certificate. NULL if verification is disabled.
* @throws CRM_Core_Exception
*/
public static function getCACert()
{
if (!defined('CIVICRM_CXN_CA') || CIVICRM_CXN_CA === 'CiviRootCA') {
$file = Constants::getCert();
} elseif (CIVICRM_CXN_CA === 'CiviTestRootCA') {
$file = Constants::getTestCert();
} elseif (CIVICRM_CXN_CA === 'none') {
return NULL;
} else {
throw new \CRM_Core_Exception("CIVICRM_CXN_CA is invalid.");
}
$content = file_get_contents($file);
if (empty($content)) {
// Fail hard. Returning an empty value is not acceptable.
throw new \CRM_Core_Exception("Error loading CA certificate: {$file}");
}
return $content;
}
/**
* @return string
*/
public function getCaCert()
{
if ($this->caCert === self::AUTOLOAD) {
$this->caCert = file_get_contents(Constants::getCert());
}
return $this->caCert;
}
