Re: curl option for specifying more client certificates
From: Von Hawkins via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 8 Mar 2022 13:52:21 -0600
Please excuse the top-post.
Have you looked into the Mozilla NSS support? Curl used to support certificates in a cert9.db. I don’t know if it still does.
When I was using those, the server-end built trust chains properly, so I didn’t need to include chain certs, but that might work.
NSS also supports fairly arbitrary integrations with other pkcs11 libraries/engines.
—Von
Sent from my iPhone
> On Mar 7, 2022, at 10:54 AM, Eero Aaltonen via curl-users <curl-users_at_lists.haxx.se> wrote:
>
> Dear list,
>
> I have an Aventra PKCS#15 smart card, which exposes private keys and
> certificates via a PKCS#11 API. The card has been initialized with
> a personal key and certificate + intermediate and Root CA certificates.
>
> I tried to use curl to make a request to a server that requires client
> certificate authentication. I was able to make a request with
>
> curl --engine pkcs11 --key-type ENG --key PKCS11KEYURI --cert-type ENG
> --cert PKCS11CERTURI <URL>
>
> The problems are that:
> * only the leaf certificate is sent in the request
> * The PKCS#11 v2.40 API specifies that a CKO_CERTIFICATE can have (a
> single) "X.509 public key certificate"
> * I do not see any way to specify additional client certificates for
> the request
>
> Running curl 7.68 on Ubuntu 20.04, but I don't see anything on
> https://linux.die.net/man/1/curl
> either.
>
> So I think being able to use PKCS#11 tokens for client authentication
> will require either:
> * changing '--cert' option so that it can be specified multiple times
> (and applied)
> * or adding a new option for specifying additional certificates.
>
>
> If some version of curl accepts using a key from an OpenSSL engine and
> a certificate bundle from a file, then that would also serve as a
> band-aid. curl 7.68 does not seem to accept that.
>
> --
> Kind regards,
> Eero Aaltonen
>
> --
> Unsubscribe: https://lists.haxx.se/listinfo/curl-users
> Etiquette: https://curl.haxx.se/mail/etiquette.html
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2022-03-09