cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] gnutls: Support CURLOPT_KEYPASSWD using gnutls_certificate_set_x509_key_file2

From: Mike Crowe <mac_at_mcrowe.com>
Date: Tue, 22 Sep 2015 09:44:27 +0100

> On Mon, Sep 21, 2015 at 10:34:55AM +0100, Mike Crowe wrote:
> > diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
> > index c54dfc1..9f3ea10 100644
> > --- a/lib/vtls/gtls.c
> > +++ b/lib/vtls/gtls.c
> > @@ -656,15 +656,41 @@ gtls_connect_step1(struct connectdata *conn,
> > #endif
> >
> > if(data->set.str[STRING_CERT]) {
> > - if(gnutls_certificate_set_x509_key_file(
> > - conn->ssl[sockindex].cred,
> > - data->set.str[STRING_CERT],
> > - data->set.str[STRING_KEY] ?
> > - data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
> > - do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
> > - GNUTLS_E_SUCCESS) {
> > - failf(data, "error reading X.509 key or certificate file");
> > - return CURLE_SSL_CONNECT_ERROR;
> > + if(data->set.str[STRING_KEY_PASSWD]) {
> > +#if HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
> > + const unsigned int supported_key_encryption_algorithms =
> > + GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
> > + GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
> > + GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
> > + GNUTLS_PKCS_USE_PBES2_AES_256;
> > + if(gnutls_certificate_set_x509_key_file2(
> > + conn->ssl[sockindex].cred,
> > + data->set.str[STRING_CERT],
> > + data->set.str[STRING_KEY] ?
> > + data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
> > + do_file_type(data->set.str[STRING_CERT_TYPE]),
> > + data->set.str[STRING_KEY_PASSWD],
> > + supported_key_encryption_algorithms) !=
> > + GNUTLS_E_SUCCESS) {
> > + failf(data,
> > + "error reading X.509 potentially-encrypted key certificate file");
> > + return CURLE_SSL_CONNECT_ERROR;
> > +#else
> > + failf(data, "gnutls lacks support for encrypted key files");
> > + return CURLE_SSL_CONNECT_ERROR;

On Monday 21 September 2015 at 17:21:20 +0200, Alessandro Ghedini wrote:
> IMO this failure should happen much earlier, ideally when CURLOPT_KEYPASSWD is
> set in Curl_setopt(), like we do for e.g. CURLOPT_SSL_VERIFYSTATUS. Other TLS
> backends that support CURLOPT_KEYPASSWD should be updated as well, but that
> should probably go in a separate patch.

The main part of the patch tries to bring GnuTLS up to the same level of
functionality as OpenSSL (and presumably other SSL backends.) I believe
that your suggestion would involve modifying all the SSL backends.

I agree that detecting failure earlier would be useful but since the
certificate, the key and the password are all be set in any order using
separate curl_easy_setopt calls, I don't believe that it can be
done reliably at that stage whilst maintaining compatibility.

Mike.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-09-22