curl_easy_setopt with CURLOPT_SSLCERT_BLOB seems not to work. #6816

Closed
MonkeybreadSoftware opened this issue Mar 31, 2021 · 5 comments
MonkeybreadSoftware (Contributor) commented Mar 31, 2021

I did this

curl_easy_setopt with CURLOPT_SSLCERT_BLOB seems not to work.

58: unable to set private key file: '(memory blob)' type PEM

I expected the following

The key is used.

curl/libcurl version

7.76.0 from today.

operating system

macOS

Darwin MyMac.lan 19.6.0 Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64 x86_64

MonkeybreadSoftware (Contributor, Author) commented Mar 31, 2021

We pass PEM data with the option and I can verify it got 6000 bytes and a non-NULL pointer in curl_blob.
flags = CURL_BLOB_COPY

PS: Bug is also in 7.75.0.

MonkeybreadSoftware (Contributor, Author) commented Mar 31, 2021

I put some debug code in SSL_CTX_use_PrivateKey_bio:

```c
  if(type == SSL_FILETYPE_PEM) {
    /* debug: how much unread data does the BIO still hold at this point? */
    BUF_MEM *bptr = NULL;
    BIO_get_mem_ptr(in, &bptr);
    if(bptr)
      fprintf(stderr, "bptr: %p %d\n", (void *)bptr->data, (int) bptr->length);

    pkey = PEM_read_bio_PrivateKey(in, NULL, passwd_callback,
                                   (void *)key_passwd);
    {
      /* debug: dump the OpenSSL error queue after the PEM read */
      unsigned long e = ERR_get_error();
      char buffer[500] = {0};
      ERR_error_string_n(e, buffer, sizeof(buffer));
      fprintf(stderr, "error %d: %s\n", (int) e, buffer);
    }
  }
```

and the output is:

```
bptr: 0x7fd88aa76f4b 0
error 151584876: error:0909006C:PEM routines:get_name:no start line
error 0: error:00000000:lib(0):func(0):reason(0)
```

So while our log above clearly shows that the length is > 6000 for the PEM, at the point of PEM_read_bio_PrivateKey the length is zero! And OpenSSL can't find the -----BEGIN in the PEM.

MonkeybreadSoftware (Contributor, Author) commented Mar 31, 2021

I added logging for the created BIO object and it has the size:

```c
  if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
    BIO *ssl_cert_bio = NULL;
    BIO *ssl_key_bio = NULL;
    if(ssl_cert_blob) {
      /* the typecast of blob->len is fine since it is guaranteed to never be
         larger than CURL_MAX_INPUT_LENGTH */
      ssl_cert_bio = BIO_new_mem_buf(ssl_cert_blob->data,
                                     (int)ssl_cert_blob->len);
      if(!ssl_cert_bio)
        result = CURLE_OUT_OF_MEMORY;
      else {
        /* debug: data pointer and length of the freshly created BIO */
        BUF_MEM *bptr = NULL;
        BIO_get_mem_ptr(ssl_cert_bio, &bptr);
        fprintf(stderr, "ssl_cert_bio: %p %d\n", (void *)bptr->data,
                (int) bptr->length);
      }
    }
    /* rest of the function unchanged */
  }
```

```
ssl_cert_bio: 0x7fe928173418 6451
tell bio2: 0
bptr: 0x7fe928174d4b 0
error 151584876: error:0909006C:PEM routines:get_name:no start line
error 0: error:00000000:lib(0):func(0):reason(0)
```

So somewhere between that and the later point the length is lost, and the internal pointer changes!

MonkeybreadSoftware (Contributor, Author) commented Mar 31, 2021

Seems like some of the BIO-taking functions read the content of the BIO, so you can't reuse it.
So I put cloning in for those BIOs with BIO_new_mem_buf.

MonkeybreadSoftware (Contributor, Author) commented Mar 31, 2021

I made a pull request with fixes:
#6817
