
curl-library

Re: Using a trusted CA certificate from memory

From: Dave Reisner <d_at_falconindy.com>
Date: Sun, 29 May 2011 09:28:01 -0400

On Sun, May 29, 2011 at 11:03:54AM +0300, Ilan Tayari wrote:
> Hello all,
>
>
> First, thank you very much for this wonderful library. We're very
> pleased with its flexible abilities!
>
>
> I'm looking for an option to specify a single trusted root CA
> certificate that is already loaded into memory in PEM format.
>
> My situation is that my custom trusted root CA certificate is
> already embedded into my executable as a resource (in Windows), and
> loaded into memory, and I'm wondering if it can be used in Curl
> without saving it to a file first.
>
>
> I'm looking for an option in Curl that would do, internally,
> something akin to:
>
> (this is using OpenSSL. I don't know about other SSLs unfortunately)
>
>
> SetSingleTrustedCACert(SSL_CTX* pCtx, const char* pPEM, int nSize, int nTrustDepth)
> {
>     X509* pCert = NULL;
>     BIO* pBio = BIO_new_mem_buf((void*)pPEM, nSize);
>     if (pBio == NULL)
>         ... Handle error
>
>     if (PEM_read_bio_X509(pBio, &pCert, 0, NULL) == NULL)
>     {
>         BIO_free(pBio);
>         ... Handle error
>     }
>     BIO_free(pBio);
>
>     X509_STORE* pStore = SSL_CTX_get_cert_store(pCtx);
>     if (pStore == NULL)
>     {
>         X509_free(pCert);
>         ... Handle error
>     }
>
>     if (!X509_STORE_add_cert(pStore, pCert))
>     {
>         X509_free(pCert);
>         ... Handle error
>     }
>
>     X509_free(pCert);  /* the store holds its own reference now */
>     SSL_CTX_set_verify_depth(pCtx, nTrustDepth);
>
>     ... Return success
> }
>
>
> Is this possible at all? Or is saving to a file my only option?

Have a look at curl_easy_setopt's CURLOPT_SSL_CTX_FUNCTION. You get a
pointer to the SSL_CTX after all the initialization is done with it and
you're free to replace keys, certs and trust file settings. There's also
an example of this:

http://curl.haxx.se/libcurl/c/curlx.html

dave
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-05-29