curl-library
Re: Patch to add CURLOPT_SSLENGINE_WITH_OPT for curl_easy_setopt
Date: Sat, 22 Sep 2012 10:38:18 +0200
On Thu, Sep 20, 2012 at 02:31:08PM -0400, Andrew Prout wrote:
> The attached patch adds a new option for curl_easy_setopt:
> CURLOPT_SSLENGINE_WITH_OPT. It's be nice if this feature could be
> merged into libcurl. It's an variation of CURLOPT_SSLENGINE that lets
> you set the pre and post engine init commands to be passed to OpenSSL.
> More info is available at:
> http://www.openssl.org/docs/crypto/engine.html#Advanced_configuration_support
>
> The patch was originally written for libcurl v7.22, but I've updated
> the option ID to avoid conflicts and it applies & compiles against
> v7.27.
>
> Below is a simplified example of a program that uses the dynamic
> engine to load a PKCS#11 based on the "Using Engine_pkcs11 with the
> openssl command" example from:
> http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
>
> -Andrew Prout
>
> ----------------------
>
> CURL *ch = NULL;
> struct curl_sslengineinfo ei;
> char *preopts[] = {
> "SO_PATH", "/usr/lib64/openssl/engines/engine_pkcs11.so",
> "ID", "pkcs11",
> "LIST_ADD", "1",
> "LOAD", NULL,
> "MODULE_PATH", "/path/to/my/pkcs11.so",
> NULL };
> char *CertID = "d3a805a58810fbe89ece27d9f5e3170e61eb3e2b"; // ID field
> from PKCS#11 library, use pkcs11-tool to discover
>
> ei.enginename = "dynamic";
> ei.preopt = preopts;
> ei.postopt = NULL;
>
> curl_global_init(CURL_GLOBAL_ALL);
> ch = curl_easy_init();
> curl_easy_setopt(ch, CURLOPT_URL, "https://localhost/restricted");
> curl_easy_setopt(ch, CURLOPT_SSLENGINE_WITH_OPT, &ei);
> curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "ENG");
> curl_easy_setopt(ch, CURLOPT_SSLCERT, CertID);
> curl_easy_setopt(ch, CURLOPT_SSLKEYTYPE, "ENG");
> curl_easy_setopt(ch, CURLOPT_SSLKEY, CertID);
> curl_easy_perform(ch);
I can see the need for this option, but this patch stands out as not
being in the same style as other libcurl options. Passing in a struct,
creating a NULL-terminated pointer list, and setting three separate
options at once are all examples of this.
I suggest separating the pre and post options into two separate
curl_easy_setopt calls and leaving the CURLOPT_SSLENGINE option alone.
And I suggest using one of the existing list types to store the
name/value list pairs. The struct curl_slist type is the obvious one to
use for this, but the fact that the contents are paired almost makes
me want to abuse struct curl_httppost instead. There's actually a
pretty good mapping between what's required for these options and the
curl_httppost types; CURLFORM_COPYNAME would contain the name part of
each option, and CURLFORM_COPYCONTENTS would contain the value part. As
elegant as that would be, it may be abusing the intended use of this
type a bit too much.
>>> Dan
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-09-22