
curl-library

[PATCHES] CRL support and Issuer Check support patches

From: Arnaud Ebalard <arno_at_natisbad.org>
Date: Fri, 23 May 2008 16:21:23 +0200

Hi,

Please find attached for discussion a set of patches developed by
Axel (in Cc, but not on the list, so please keep him in Cc) and me
adding functionalities related to SSL/TLS support in libcurl:

- support for CRL
- support for Issuer check

They are against version 7.18.1 and apply one on top of each other.

The main reason for developing the patches is a need for another set
of patches we have against Debian APT https method (provided by
apt-transport-https package), but it might be useful to others.

Because we used our modified APT https method (based on libcurl-gnutls)
for the tests, we can only provide feedback for the behavior of the
gnutls flavour even if our patches also have [untested] code for OpenSSL
and NSS flavours.

Comments are welcome. Patches are described below.

## crl_support.patch

The first patch (crl_support.patch) adds support of CRL for gnutls,
openssl and NSS flavours of libcurl.

More precisely, it adds CURLOPT_CRLFILE option that allows specifying a
file containing CRL information in PEM format (multiple CRL can be
concatenated together).

For OpenSSL, the X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL flags
are both set, requiring a CRL check, and for the whole chain, if a CRL
file is passed.

For gnutls and NSS, there is no way to influence the behavior w.r.t.
the status of CRL checks.

It has been tested against an https server with different CRL files
(not provided, revoked server certificate, non-revoked server
certificate) and works ok AFAICT.

If there is some simple way to test the OpenSSL and NSS support, just
tell us.

## issuer_check.patch

In multi-level PKIs, there is sometimes a need to limit/check the
issuer of the server certificate by providing a hint. Some apps allow
passing the DN of the expected issuer as a string or, more simply,
passing the expected issuer certificate.

This patch adds support for the CURLOPT_ISSUERCERT option, which allows
passing the expected issuer certificate file in PEM format. If the
option is provided, then, after the usual certificate check procedure
(done as usual), the provided issuer certificate is compared with the
information in the peer certificate.

For gnutls, it uses gnutls_x509_crt_check_issuer() against the two
certs.

For OpenSSL, it uses X509_check_issued() against the two
certificates.

The NSS version has comments. It tries to mimic the behaviour of OpenSSL's
X509_check_issued() function.

It has been tested against an https server with two different
certificates (the issuer one and another one) and works ok AFAICT.

Again, if there is some simple way to test the OpenSSL and NSS
support, just tell us.

Cheers,

a+

  • text/x-diff attachment: stored
  • text/x-diff attachment: stored
  • application/pgp-signature attachment: stored
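As an added example (not part of this mail or of the attached patches), a small C check for the kind of file the CURLOPT_CRLFILE option described above consumes: a PEM bundle of one or more concatenated CRLs. It counts the complete X509 CRL blocks and rejects a truncated block or a block of another type, which is worth doing up front because, as noted for gnutls and NSS, the application cannot otherwise influence what happens when the CRL data is unusable. The sample PEM text is constructed here with placeholder bodies, not real CRL data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: two PEM CRL blocks concatenated, the layout
 * CURLOPT_CRLFILE accepts. The base64 bodies are placeholders only. */
static const char SAMPLE_CRLFILE[] =
    "-----BEGIN X509 CRL-----\n"
    "MIIBplaceholderCRL1\n"
    "-----END X509 CRL-----\n"
    "-----BEGIN X509 CRL-----\n"
    "MIIBplaceholderCRL2\n"
    "-----END X509 CRL-----\n";

/* Walks a PEM buffer and returns the number of complete X509 CRL blocks.
 * Returns -1 if a BEGIN marker has no matching END (truncated file), if
 * another BEGIN appears before the END (corrupted file), or if a block of
 * another type (e.g. a CERTIFICATE) is present, since such a file is not
 * a pure CRL bundle. */
int count_pem_crls(const char *pem)
{
    static const char begin_crl[] = "-----BEGIN X509 CRL-----";
    static const char end_crl[]   = "-----END X509 CRL-----";
    static const char begin_any[] = "-----BEGIN ";
    const char *p = pem;
    int count = 0;

    while ((p = strstr(p, begin_any)) != NULL) {
        if (strncmp(p, begin_crl, sizeof(begin_crl) - 1) != 0)
            return -1;                          /* foreign block type */
        p += sizeof(begin_crl) - 1;
        const char *e = strstr(p, end_crl);
        if (e == NULL)
            return -1;                          /* unterminated block */
        const char *next = strstr(p, begin_any);
        if (next != NULL && next < e)
            return -1;                          /* BEGIN inside a block */
        count++;
        p = e + sizeof(end_crl) - 1;
    }
    return count;
}

int main(void)
{
    int n = count_pem_crls(SAMPLE_CRLFILE);
    printf("%d CRL block(s) found\n", n);
    return n < 0;
}
```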
Received on 2008-05-23