Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wolfssl: Allow use of certificate chain #12634

Closed
wants to merge 1 commit into from
Closed

wolfssl: Allow use of certificate chain #12634

wants to merge 1 commit into from

Conversation

lealem47
Copy link

@lealem47 lealem47 commented Jan 4, 2024

Fixes ZD#17158.
Customer is using a certificate chain. Leaf cert + intermediate cert.

@github-actions github-actions bot added the TLS label Jan 4, 2024
@bagder
Copy link
Member

bagder commented Jan 4, 2024

Please elaborate on what this change does and why we want it!

Why does the type of the certificate change what function to call?

@lealem47
Copy link
Author

lealem47 commented Jan 4, 2024

wolfSSL_CTX_use_certificate_chain_file should be used instead of wolfSSL_CTX_use_certificate_file with PEM files so that a user can load in a certificate chain and have it be properly utilized by the wolfSSL library. Failure to do so can cause an authentication error since the peer will need have the intermediate certs to verify a leaf cert (see ZD#17158). Concatenated certificate chains are not valid in DER format, so wolfSSL_CTX_use_certificate_file is still used for that case.

@jay
Copy link
Member

jay commented Jan 4, 2024

It's probably ok. It's similar to what we do for client certs when using OpenSSL, see here.

I say probably because I don't know if wolfSSL_CTX_use_certificate_chain_file has exactly the same behavior as OpenSSL. OpenSSL's SSL_CTX_use_certificate_chain_file apparently has an undocumented parsing that allows private keys in the chain file but wolfSSL may not; I found this bug when searching but it's several years old.

@bagder bagder removed the needs-info label Jan 5, 2024
@bagder
Copy link
Member

bagder commented Jan 5, 2024

Use of this function is the solution suggested by wolfSSL engineers. However, I would like to offer this slightly cleaned up alternative take:

diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 5250e091b..a3c017cea 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -581,24 +581,29 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
 
   /* Load the client certificate, and private key */
   if(ssl_config->primary.clientcert && ssl_config->key) {
     int file_type = do_file_type(ssl_config->cert_type);
 
-    if(file_type == WOLFSSL_FILETYPE_PEM &&
-            wolfSSL_CTX_use_certificate_chain_file(backend->ctx,
-                                        ssl_config->primary.clientcert) != 1) {
-      failf(data, "unable to use client certificate (no key or wrong pass"
-            " phrase?)");
-      return CURLE_SSL_CONNECT_ERROR;
+    if(file_type == WOLFSSL_FILETYPE_PEM) {
+      if(wolfSSL_CTX_use_certificate_chain_file(backend->ctx,
+                                                ssl_config->primary.clientcert)
+         != 1) {
+        failf(data, "unable to use client certificate");
+        return CURLE_SSL_CONNECT_ERROR;
+      }
     }
-    else if(file_type == WOLFSSL_FILETYPE_ASN1 &&
-            wolfSSL_CTX_use_certificate_file(backend->ctx,
-                                        ssl_config->primary.clientcert,
-                                        file_type) != 1) {
-      failf(data, "unable to use client certificate (no key or wrong pass"
-            " phrase?)");
-      return CURLE_SSL_CONNECT_ERROR;
+    else if(file_type == WOLFSSL_FILETYPE_ASN1) {
+      if(wolfSSL_CTX_use_certificate_file(backend->ctx,
+                                          ssl_config->primary.clientcert,
+                                          file_type) != 1) {
+        failf(data, "unable to use client certificate");
+        return CURLE_SSL_CONNECT_ERROR;
+      }
+    }
+    else {
+      failf(data, "unknown cert type");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
     }
 
     file_type = do_file_type(ssl_config->key_type);
     if(wolfSSL_CTX_use_PrivateKey_file(backend->ctx, ssl_config->key,
                                        file_type) != 1) {

@jay
Copy link
Member

jay commented Jan 5, 2024

That looks fine as well.

@lealem47
Copy link
Author

lealem47 commented Jan 5, 2024

Yes that looks good to me

@bagder bagder closed this in afdb6c2 Jan 6, 2024
@bagder
Copy link
Member

bagder commented Jan 6, 2024

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bagder bagder bagder approved these changes

Assignees
No one assigned
Labels
TLS
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@lealem47 @bagder @jay