
curl-library

RE: Using PKCS12 certificate from memory

From: Gilles Vollant <vollant.g_at_gmail.com>
Date: Wed, 21 Sep 2016 09:08:25 +0200

-----Original Message-----
From: Gilles Vollant [mailto:vollant.g_at_gmail.com]
Sent: Wednesday, 21 September 2016 09:08
To: 'Gilles Olivier Vollant'
Subject: RE: Using PKCS12 certificate from memory

I tried the "binary" option you suggested, and it does not perform well. Only the base64 option does the job.

In url.c (line 1917 in curl 7.50.3) the "case CURLOPT_SSLCERT" calls setstropt, which does a strdup.

Base64 is, perhaps, also easier for users of libcurl who work in a language other than C or C++, and for bindings.

I think the maintainer of curl must choose between a base64 approach, with fewer modifications to the curl code, or a binary approach, which needs modifications to url.c (for example).

Regards
Gilles Vollant

---------- Forwarded message ----------
From: Daniel Stenberg <daniel_at_haxx.se>
Date: 2016-08-05 23:40 GMT+02:00
Subject: Re: Using PKCS12 certificate from memory
To: libcurl development <curl-library_at_cool.haxx.se>

On Fri, 5 Aug 2016, Gilles Vollant wrote:
My suggestion: give a way to use a certificate from a memory buffer in the different SSL layers. I think "base64:*" as filename, like my darwinssl patch, is the easier way.

That's indeed perfectly possible but would still require users to have to base64 encode the cert for no good reason, only to have the library immediately decode it again. Maybe we could offer an alternative approach where we accept a struct like:

 struct cert {
   char magic[4];
   char *cert;
   size_t certlen;
 };

... and the magic struct member needs to contain a certain pattern for it to be valid so that libcurl can detect it being different than a path given to it. Like "\x01mem" or similar. We could even offer a macro/function that properly inits such a struct:

 /* 'struct' is a C keyword, so the parameter is named 's' here; MAGIC is the
    marker pattern ("\x01mem" or similar) mentioned above */
 #define curl_init_cert_struct(s, ptr, len) \
  do { \
    memcpy((s)->magic, MAGIC, 4); \
    (s)->cert = (ptr); \
    (s)->certlen = (len); \
  } while(0)

curl_easy_setopt(handle, CURLOPT_SSL_CERT, &s);

... we could then possibly also re-use that magic struct approach for other options that take file names as input.

-- 
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
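The two points in this thread, the magic-tagged struct Daniel sketches and the strdup in setstropt that Gilles points to, as an added example that is not part of the thread or of libcurl: the names `cert_struct_init`, `cert_is_mem`, `copy_as_string`, `copy_as_struct` and the marker value `"\x01mem"` are assumptions modelled on the sketch, and `sample_der` is a constructed blob. It shows why a path-string option cannot carry binary PKCS#12 data (the copy stops at the first NUL byte) and how the magic check lets a length-aware copy handle the struct form.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical names modelled on the sketch above; not libcurl's own API. */
#define CERT_MAGIC "\x01mem"    /* marker pattern suggested in the mail */
struct cert {
  char magic[4];                /* must equal CERT_MAGIC for the in-memory form */
  const unsigned char *cert;    /* raw DER/PKCS#12 bytes, NUL bytes allowed */
  size_t certlen;
};

#define cert_struct_init(s, ptr, len) \
  do { memcpy((s)->magic, CERT_MAGIC, 4); (s)->cert = (ptr); (s)->certlen = (len); } while(0)

/* 1 if arg is an in-memory cert struct, 0 if it is an ordinary path string.
   strncmp stops at a NUL, so a short path never causes an over-read. */
int cert_is_mem(const void *arg) {
  return strncmp((const char *)arg, CERT_MAGIC, 4) == 0;
}

/* What setstropt's strdup keeps of a binary blob: bytes up to the first NUL,
   so DER data is silently truncated. Returns the number of bytes kept. */
size_t copy_as_string(const unsigned char *blob) {
  char *dup = strdup((const char *)blob);
  size_t kept = dup ? strlen(dup) : 0;
  free(dup);
  return kept;
}

/* Length-aware copy for the struct form. Returns bytes kept, 0 on error. */
size_t copy_as_struct(const void *arg, unsigned char **out) {
  const struct cert *c = (const struct cert *)arg;
  if(!cert_is_mem(arg)) return 0;
  *out = malloc(c->certlen);
  if(!*out) return 0;
  memcpy(*out, c->cert, c->certlen);
  return c->certlen;
}

/* Constructed sample: DER-style bytes with a NUL at offset 2. */
static const unsigned char sample_der[] = {0x30, 0x82, 0x00, 0x10, 0x02, 0x01, 0x00, 0xAA};
/* Round trip through the struct form; returns 1 if all 8 bytes survive. */
int demo_roundtrip(void) {
  struct cert c; unsigned char *out = NULL;
  cert_struct_init(&c, sample_der, sizeof(sample_der));
  size_t n = copy_as_struct(&c, &out);
  int ok = n == sizeof(sample_der) && out && memcmp(out, sample_der, n) == 0;
  free(out); return ok;
}
```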
Received on 2016-09-21