Properly Implementing a Patch for CAINFO / ISSUERCERT

From: Georg Wicherski <>
Date: Mon, 18 Jun 2012 19:20:30 +0200


I need to implement a patch against libcurl that makes it read the CA
PEM data for CAINFO and ISSUERCERT from a memory buffer provided
directly with curl_easy_setopt rather than providing it a file path.

Now I've figured out the trivial necessary changes to do that
(basically create a BIO with BIO_new_mem_buf and then use

However, I want to make sure my patch gets accepted upstream. We're
linking against libcurl statically thanks to its BSD license, but we
want to contribute to the OpenSource cause and also have better
maintainability (I hope merging upgrading our then-to-be-vanilla libcurl
within our source tree will be easier then).

My approach was to simply see if the provided buffer starts with
"-----BEGIN CERTIFICATE-----" and then read the PEM data from the memory
buffer instead of treating it as a file path. I would just like to check
if such a dual-purpose / self-configuring API is fine with the upstream

Note for the paranoid: We're not generating things on the fly or doing
other bad things that violate proper crypto best-practices. We simply
want to pin on a specific CA (run by us) due to the recent rogue or
hacked CA debacles. Reading this CA cert from a memory buffer is a
requirement for us, since it makes our cross-platform deployment _a lot_

A simple "yes, go with looking for that string and we'll accept upstream
and write docs ourselves" would be most appreciated. ;)
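
The prefix check described in the message above, as an added example in plain C (not code from the post or from libcurl). The names `ca_source_kind` and `count_pem_certs` are hypothetical and the sample inputs are constructed; the example also covers two edge cases of a strict prefix test, a bundle with comment text before the first BEGIN line and a truncated buffer.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed sample inputs; the base64 body is a placeholder, not a real certificate. */
static const char SAMPLE_PATH[] = "/etc/ssl/certs/ca.pem";
static const char SAMPLE_PEM[] = PEM_BEGIN "\nQ09OU1RSVUNURUQ=\n" PEM_END "\n";
static const char SAMPLE_COMMENTED[] =
  "## constructed bundle header\n" PEM_BEGIN "\nQ09OU1RSVUNURUQ=\n" PEM_END "\n";
static const char SAMPLE_TRUNCATED[] = PEM_BEGIN "\nQ09OU1RS";

enum ca_source { CA_SOURCE_NONE, CA_SOURCE_FILE, CA_SOURCE_PEM };

/* Hypothetical helper: the strict check from the post. The value counts as
 * inline PEM only if it starts with the BEGIN marker; else it is a file path. */
enum ca_source ca_source_kind(const char *value)
{
  if(!value || !*value)
    return CA_SOURCE_NONE;
  if(strncmp(value, PEM_BEGIN, strlen(PEM_BEGIN)) == 0)
    return CA_SOURCE_PEM;
  return CA_SOURCE_FILE;
}

/* Hypothetical helper: count complete BEGIN/END certificate blocks in a
 * NUL-terminated buffer. Zero complete blocks in a value classified as PEM
 * means the buffer is truncated and should be rejected, not passed on. */
int count_pem_certs(const char *buf)
{
  int n = 0;
  const char *p = buf;
  while(p && (p = strstr(p, PEM_BEGIN)) != NULL) {
    const char *end = strstr(p + strlen(PEM_BEGIN), PEM_END);
    if(!end)
      break; /* unterminated block: do not count it */
    n++;
    p = end + strlen(PEM_END);
  }
  return n;
}

int main(void)
{
  const char *in[] = { SAMPLE_PATH, SAMPLE_PEM, SAMPLE_COMMENTED, SAMPLE_TRUNCATED };
  for(size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
    printf("input %zu: kind=%d complete_certs=%d\n", i,
           (int)ca_source_kind(in[i]), count_pem_certs(in[i]));
  return 0;
}
```

The third input holds one complete certificate but is classified as a file path, which is the case to settle before relying on the prefix test for pinning.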

