curl option for specifying more client certificates
From: Eero Aaltonen via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 07 Mar 2022 18:55:17 +0200
Dear list,
I have an Aventra PKCS#15 smart card, which exposes private keys and
certificates via a PKCS#11 API. The card has been initialized with
a personal key and certificate + intermediate and Root CA certificates.
I tried to use curl to make a request to a server that requires client
certificate authentication. I was able to make a request with
    curl --engine pkcs11 --key-type ENG --key PKCS11KEYURI --cert-type ENG \
        --cert PKCS11CERTURI <URL>
The problems are that:
* only the leaf certificate is sent in the request
* The PKCS#11 v2.40 API specifies that a CKO_CERTIFICATE can have (a
single) "X.509 public key certificate"
* I do not see any way to specify additional client certificates for
the request
Running curl 7.68 on Ubuntu 20.04, but I don't see anything on
https://linux.die.net/man/1/curl
either.
So I think being able to use PKCS#11 tokens for client authentication
will require either:
* changing '--cert' option so that it can be specified multiple times
(and applied)
* or adding a new option for specifying additional certificates.
If some version of curl accepts using a key from an OpenSSL engine and
a certificate bundle from a file, then that would also serve as a
band aid. curl 7.68 does not seem to accept that.
--
Kind regards,
Eero Aaltonen
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2022-03-07