libstore/filetransfer: add support for MTLS authentication

Certificate/private-key pair can be configured globally and it will be
handled by libcurl.

Author: vlaci

src/libstore/filetransfer.cc

@@ -371,6 +371,11 @@ struct curlFileTransfer : public FileTransfer
                 curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
             }
 
+            if (settings.clientCertFile != "" && settings.clientKeyFile != "") {
+              curl_easy_setopt(req, CURLOPT_SSLCERT, settings.clientCertFile.get().c_str());
+              curl_easy_setopt(req, CURLOPT_SSLKEY, settings.clientKeyFile.get().c_str());
+            }
+
             #if !defined(_WIN32) && LIBCURL_VERSION_NUM >= 0x071000
             curl_easy_setopt(req, CURLOPT_SOCKOPTFUNCTION, cloexec_callback);
             #endif

src/libstore/include/nix/store/globals.hh

@@ -1066,6 +1066,26 @@ public:
         // Don't document the machine-specific default value
         false};
 
+    Setting<Path> clientCertFile{
+        this,
+        "",
+        "client-ssl-cert-file",
+        R"(
+          The path of a file containing a client TLS certificate used
+          to authenticate Nix to servers when using `https://`
+          downloads.
+        )"};
+
+    Setting<Path> clientKeyFile{
+        this,
+        "",
+        "client-ssl-key-file",
+        R"(
+          The path of a file containing a client TLS private key used
+          to authenticate Nix to servers when using `https://`
+          downloads.
+        )",};
+
 #ifdef __linux__
     Setting<bool> filterSyscalls{
         this, true, "filter-syscalls",