curl-library

Re: OpenSSL ENGINE 2nd version

From: Götz Babin-Ebell <babinebell_at_trustcenter.de>
Date: Mon, 17 Dec 2001 17:49:04 +0100

Daniel Stenberg wrote:
>
> On Fri, 14 Dec 2001, Götz Babin-Ebell wrote:
>
> > Today I had some time to look in my patch for OpenSSL ENGINE. According to
> > the comments from Daniel I did some changes:
>
> I like this version a lot more. This is near perfect, I'd say. Currently I
> can only see one little detail that I'd like your comment on before I go
> ahead and apply the lot:
>
> > - case CURLOPT_SSLCERTPASSWD:
>
> You remove this option. That'll make all programs that use this to suddenly
> fail when this has been applied.

No.
Since CURLOPT_SSLCERTPASSWD and CURLOPT_SSLKEYPASSWD should have the same
number, a CURLOPT_SSLCERTPASSWD will internally be handled as a
CURLOPT_SSLKEYPASSWD...

> This option seems to have been replaced with the CURLOPT_SSLKEYPASSWD option.

In curl/curl.h both symbols are defined (with the same number...)

> Is there any reason why we can't accept both to set the password for the
> private key? The password isn't required for the certificate anyway, is it? I
> mean, isn't the option badly named in the first place?

It is.
That is the reason I added CURLOPT_SSLKEYPASSWD.
(With CURLOPT_SSLCERTPASSWD becoming deprecated...)

> Another little nit:
>
> You have some error-reporting conditional on the preprocessor symbol DEBUG.
> Without that, there's no "plain text" error reported. You should set one with
> failf() in the same manner as other code. Humans appreciate error texts! ;-)

Let's have a look.
[...]
#ifdef DEBUG
        fprintf(stderr,"set default crypto engine\n");
#endif
here we were able to set the crypto engine.
No error case...
      }
      else
      {
#ifdef DEBUG
        fprintf(stderr,"set default crypto engine failed\n");
#endif
        return CURLE_SSL_ENGINE_SETFAILED;
OK. That's wrong.
Please replace it with a
        failf(data, "set default crypto engine failed");
        return CURLE_SSL_ENGINE_SETFAILED;

> Do you have any little test source code that uses this?

I didn't write my own application.
I only adapted main.c...

> It would be a really swell addition to the docs/examples section...

It is primarily an example of using curl with SSL.
A quick (not tested) example is attached.

> We will also need all options
> documented in docs/curl_easy_setopt.3, but we don't have to do it all at
> once...

Documentation ?
The documentation is in the files with the suffixes .h and .c ;-)

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

/*****************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * $Id: simple.c,v 1.2 2001/02/20 13:56:39 bagder Exp $
 */

#include <stdio.h>

#include <curl/curl.h> /* also pulls in the easy interface declarations */

/* to make this work under windows, use the win32-functions from the
   win32socket.c file as well */

/* some requirements for this to work:
   1. set pCertFile to the file with the client certificate
   2. if the key is passphrase protected, set pPassphrase to the
        passphrase you use
   3. if you are using a crypto engine:
   3.1. set a #define USE_ENGINE
   3.2. set pEngine to the name of the crypto engine you use
   3.3. set pKeyName to the key identifier you want to use
   4. if you don't use a crypto engine:
   4.1. set pKeyName to the file name of your client key
   4.2. if the format of the key file is DER, set pKeyType to "DER"

   !! verify of the server certificate is not implemented here !!
*/

int main(int argc, char **argv)
{
  CURL *curl;
  CURLcode res = CURLE_OK;
  FILE *headerfile;

  const char *pCertFile = "testcert.pem";
  const char *pPassphrase = NULL; /* set this if the key is passphrase protected */

  const char *pKeyName;
  const char *pKeyType;

  const char *pEngine;

  (void)argc;
  (void)argv;

/* #ifdef, not #if: a bare "#define USE_ENGINE" (see requirement 3.1 above)
   has no value and would make "#if USE_ENGINE" a preprocessor error */
#ifdef USE_ENGINE
  pKeyName = "rsa_test";
  pKeyType = "ENG";
  pEngine = "chil"; /* for nCipher HSM... */
#else
  pKeyName = "testkey.pem";
  pKeyType = "PEM";
  pEngine = NULL;
#endif

  headerfile = fopen("dumpit", "w");
  if(!headerfile) {
    perror("dumpit");
    return 1;
  }

  curl_global_init(CURL_GLOBAL_ALL);

  curl = curl_easy_init();
  if(curl) {
    /* what call to write: */
    curl_easy_setopt(curl, CURLOPT_URL, "https://curl.haxx.se");
    curl_easy_setopt(curl, CURLOPT_WRITEHEADER, headerfile);

    while(1) /* do some ugly short cut... */
    {
       if (pEngine) /* use crypto engine */
       {
          /* load the crypto engine */
          res = curl_easy_setopt(curl, CURLOPT_SSLENGINE, pEngine);
          if (res != CURLE_OK)
          {
             fprintf(stderr,"can't set crypto engine\n");
             break;
          }
          /* set the crypto engine as default; only needed for the first
             time you load an engine in a curl object... */
          res = curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L);
          if (res != CURLE_OK)
          {
             fprintf(stderr,"can't set crypto engine as default\n");
             break;
          }
       }
                                /* cert is stored PEM coded in file... */
                                /* since PEM is default, we needn't set it for PEM */
       curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
                                /* set the cert for client authentication */
       curl_easy_setopt(curl, CURLOPT_SSLCERT, pCertFile);
                                /* sorry, for engine we must set the passphrase
                                   (if the key has one...) */
       if (pPassphrase)
          curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, pPassphrase);
                                /* if we use a key stored in a crypto engine,
                                   we must set the key type to "ENG" */
       curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, pKeyType);
                                /* set the private key (file or ID in engine) */
       curl_easy_setopt(curl, CURLOPT_SSLKEY, pKeyName);

       res = curl_easy_perform(curl);
       if (res != CURLE_OK)
          fprintf(stderr, "curl_easy_perform() failed with code %d\n", (int)res);
       break; /* we are done... */
    }
    /* always cleanup */
    curl_easy_cleanup(curl);
  }

  fclose(headerfile);
  curl_global_cleanup();
  return (res == CURLE_OK) ? 0 : 1;
}

Received on 2001-12-17