

Embed client cert and key into libcurl when using mbed TLS as backend

From: Thomas Glanzmann <thomas_at_glanzmann.de>
Date: Wed, 6 Jan 2016 07:55:15 +0100

Hello Mindaugas,

> https://stackoverflow.com/questions/34543265/how-to-load-pem-certificate-together-with-private-key-in-libcurl-using-mbedtls

the following untested patch against libcurl should do what you want:

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index da869e2..31058ef 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -68,6 +68,9 @@ static mbedtls_entropy_context entropy;
 
 static int entropy_init_initialized = 0;
 
+static const char *cert = "-----BEGIN CERTIFICATE----- ....";
+static const char *key = "-----BEGIN RSA PRIVATE KEY----- ....";
+
 /* start of entropy_init_mutex() */
 static void entropy_init_mutex(mbedtls_entropy_context *ctx)
 {
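Review bot: The private key on the `key` line is compiled into libcurl itself, so every process that links the library carries it and anyone who can read the shared object can extract it; this also ties the key's rotation to a rebuild of libcurl, which is why it should stay out of the source and be supplied by the application at runtime (later libcurl releases added CURLOPT_SSLCERT_BLOB/CURLOPT_SSLKEY_BLOB for in-memory certs and keys). If the constants are kept for an experiment, declare them as arrays rather than pointers, `static const char cert[] = "-----BEGIN CERTIFICATE----- ....";` and `static const char key[] = "-----BEGIN RSA PRIVATE KEY----- ....";`, because the later hunks pass `sizeof(cert)` and `sizeof(key)` to mbed TLS, which for a `const char *` is the pointer size rather than the PEM length plus its terminating NUL. A comment on the declarations, `/* PEM text; mbed TLS needs the length to include the NUL */`, would make that dependency explicit.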
@@ -300,6 +303,17 @@ mbedtls_connect_step1(struct connectdata *conn,
     }
   }
 
+ ret = mbedtls_x509_crt_parse(&connssl->clicert, cert, sizeof(cert));
+ if(ret) {
+#ifdef MBEDTLS_ERROR_C
+ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+#endif /* MBEDTLS_ERROR_C */
+ failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
+ cert, -ret, errorbuf);
+
+ return CURLE_SSL_CERTPROBLEM;
+ }
+
   /* Load the client private key */
   if(data->set.str[STRING_KEY]) {
     mbedtls_pk_init(&connssl->pk);
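Review bot: `sizeof(cert)` on the `mbedtls_x509_crt_parse` line is the size of a `const char *` (4 or 8 bytes), not the length of the PEM text, so mbed TLS sees a truncated buffer and the parse fails; the same mistake is on the `mbedtls_pk_parse_key` line of the next hunk. With the pointer declaration from the first hunk the call should be `ret = mbedtls_x509_crt_parse(&connssl->clicert, (const unsigned char *)cert, strlen(cert) + 1);`, since the PEM parser requires the length to include the terminating NUL, and the cast matches the `const unsigned char *` parameter. The added block also runs unconditionally after the `STRING_CERT` branch; if `mbedtls_x509_crt_init(&connssl->clicert)` happens only inside that branch (not visible here), the parse would touch an uninitialized context when no cert file is configured, so either guard it the same way or move the init before it. mbedtls_connect_step1 starts and ends outside this hunk.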
@@ -319,6 +333,22 @@ mbedtls_connect_step1(struct connectdata *conn,
     }
   }
 
+ mbedtls_pk_init(&connssl->pk);
+ ret = mbedtls_pk_parse_key(&connssl->pk, key, sizeof(key), NULL, 0);
+ if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA))
+ ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+
+ if(ret) {
+#ifdef MBEDTLS_ERROR_C
+ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+#endif /* MBEDTLS_ERROR_C */
+ failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
+ key, -ret, errorbuf);
+
+ return CURLE_SSL_CERTPROBLEM;
+ }
+ }
+
   /* Load the CRL */
   memset(&connssl->crl, 0, sizeof(mbedtls_x509_crl));
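Review bot: The `failf` call after `mbedtls_pk_parse_key` passes `key` to `%s`, so the full PEM private key is copied into the error buffer and ends up wherever the application logs CURLE_SSL_CERTPROBLEM messages; drop it from the message, `failf(data, "Error reading private key - mbedTLS: (-0x%04X) %s", -ret, errorbuf);`. The `}` on the line after the `return CURLE_SSL_CERTPROBLEM;` block has no matching `{` in the added code, so the patch as shown does not compile; remove it. The second `mbedtls_pk_init(&connssl->pk)` runs right after the `STRING_KEY` branch, which already initialised `connssl->pk` in its context line, so when a key file is configured the earlier parse result appears to be discarded and leaked (the branch body is not fully visible here). The length argument has the same `sizeof` problem noted on the previous hunk and should be `strlen(key) + 1` with a `(const unsigned char *)` cast. mbedtls_connect_step1 continues past this hunk.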

You have to compile libcurl afterwards.

Cheers,
        Thomas