support CAfile in memory #6109
support CAfile in memory #6109
Conversation
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
2d3d2c9
to
a36417c
Compare
bagder
changed the title
|
It'd be helpful if you provided a description in this PR so that we can tell what this PR is! |
|
I added on my fork https://github.com/gvollant/curl a rebased version of #4679 I just wanted a rebased version of this PR to test it against current curl master Validation : 397e11b [397e11b] original description: It works for openssl right now, but I don't actually expect you want a ~19k line cacert.h file in source control, so I'm looking for guidance on how you might accept a feature like this. Options I've thought of: @JCMais want work on this PR |
|
@moparisthebest I also invited you on my curl fork git repo |
|
I understand that and I think it's all good. I just think a PR submitted to the porject should have a description if title isn't detailed enough, so that we all can read and understand what it is about without having to click around and read up on older closed previous pull-requests with their own individual histories. |
|
What I'm most interested in about this PR is the If we can get this merged and then work later on the remaining parts to get the ca file bundled in the binary directly, it would be better. macOS build is failing on the |
|
The github actions CI jobs seem to have gone nuts and "brew install" fails almost all the time the last few days... :-/ |
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
a36417c
to
7b9b21a
Compare
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
7b9b21a
to
285ae72
Compare
|
Do you know when this feature may be finished? |
gvollant
force-pushed
the
gv_bundled_cacert
branch
3 times, most recently
from
ff88b0d
to
fadb293
Compare
|
It seem unsucessful check are same than other recent PR |
|
@bagder I believe the test error are same than other current PR ? |
|
I'm sorry, I'm still waiting for a description of this PR. Please update. |
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
fadb293
to
dbc3e1d
Compare
|
@moparisthebest @JCMais @nadrolinux I suggest you test this rebased version |
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
dbc3e1d
to
cb1ea34
Compare
|
There are still questions in the description. Is this then still work in progress or even actually a draft? |
|
for me it is a draft |
|
your review is welcome |
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
cb1ea34
to
aa82cb5
Compare
gvollant
force-pushed
the
gv_bundled_cacert
branch
2 times, most recently
from
8e99b65
to
0bab71e
Compare
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
0bab71e
to
8121560
Compare
|
👉 View analysis in DeepCode’s Dashboard | Configure the bot |
|
Retry DeepCode |
|
@bagder hello, I have no idea about the "DeepCode failed to analyze this pull request" message... |
|
That's just deepcode being silly. Ignore it. |
| or more certificates to verify the HTTPS server with. | ||
|
|
||
| If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero and you avoid verifying the | ||
| server's certificate, \fICURLOPT_CAINFO(3)\fP need not even indicate an |
There was a problem hiding this comment.
You meant it to say CURLOPT_CAINFO_PEM here? The text talks about "accessible file" and I don't understand why this is present for this option that doesn't even work with files?
There was a problem hiding this comment.
I just say now CURLOPT_CAINFO_PEM is not needed
lib/urldata.h
Outdated
| @@ -254,6 +254,7 @@ struct ssl_primary_config { | |||
| char *pinned_key; | |||
| struct curl_blob *cert_blob; | |||
| char *curves; /* list of curves to use */ | |||
| char *ca_file_pem; | |||
There was a problem hiding this comment.
Why call this 'file' when it isn't a file at all? It points to a buffer holding PEM formatting, right?
There was a problem hiding this comment.
replaced all ca_file_pem by ca_info_pem
lib/vtls/openssl.c
Outdated
| @@ -3025,6 +3081,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, | |||
| infof(data, "error importing windows ca store, continuing anyway\n"); | |||
| } | |||
| #endif | |||
| if(ca_file_pem && load_cacert_from_memory(backend->ctx, ca_file_pem)) { | |||
There was a problem hiding this comment.
load_cacert_from_memory() returns a CURLcode but here you ignore that and just assumes the error is always due to badfile. Isn't it better to use the passed back return code?
There was a problem hiding this comment.
I rewrote this line and return the result of load_cacert_from_memory
|
|
||
|
|
||
| The application does not have to keep the string around after setting this | ||
| option. |
There was a problem hiding this comment.
This description doesn't say (yet), but I got curious: what happens if a user sets both *CAINFO and *CAINFO_PEM ? Does one of them override the other or how does it work? I think we need to explain.
There was a problem hiding this comment.
load_cacert_from_memory just add certificate. I moved it after loading *CAINFO, so both are loaded.
There was a problem hiding this comment.
Then please mention in the man page that this provided PEM data is used in addition to any other CA certs loaded with other option(s).
gvollant
force-pushed
the
gv_bundled_cacert
branch
5 times, most recently
from
8b5d11f
to
4cd02dc
Compare
|
@jay @bagder After thinking, there is pro and cons using a string or a curl_blob For string:
for curl_blob
|
|
|
||
| /* if we didn't end up importing anything, treat that as an error */ | ||
| if(count > 0) | ||
| result = CURLE_OK; |
There was a problem hiding this comment.
I find this comment slightly misleading since the return code of the import functions is not checked. I don't think it should fail if there was nothing to import in the certificate, and I wonder if it should fail at all since other certificates may be read in. Maybe make it always a warning instead of just in the insecure case. Interested in what others think about this.
There was a problem hiding this comment.
Here's another thing, every time an X509_store_add_ is called it increases the reference count, so what if it's called twice don't you have to free two objects x509 and crl?
"X509_STORE_add_cert() and X509_STORE_add_crl() add the respective object to the X509_STORE's local storage. Untrusted objects should not be added in this way. The added object's reference count is incremented by one, hence the caller retains ownership of the object and needs to free it when it is no longer needed."
Edit: Nevermind I think I misinterpreted it. We actually do want the objects to have an increased reference count since they are now part of the x509 store, the reference count having later been decremented by X509_INFO_free
There was a problem hiding this comment.
I find this comment slightly misleading since the return code of the import functions is not checked.
This was true on first version, but now load_cacert_from_memory value is checked (as requester by @bagder ).
But I think we must remove this test and don't fail if there is nothing to import.
There was a problem hiding this comment.
ok, I removed the test
CURLOPT_CAINFO_BLOB would be consistent with some of the other ssl cert blob options. Also those blob options allow ASN1 binary format as well, I think, even if they are not documented that way. |
|
|
||
|
|
||
| The application does not have to keep the string around after setting this | ||
| option. |
There was a problem hiding this comment.
Then please mention in the man page that this provided PEM data is used in addition to any other CA certs loaded with other option(s).
lib/vtls/openssl.c
Outdated
| return result; | ||
| } | ||
| /* Only warning if no certificate verification is required. */ | ||
| infof(data, "error setting certificate file, continuing anyway\n"); |
There was a problem hiding this comment.
- It didn't "set" a file though, did it? It failed to import a CA cert from the given PEM buffer, right?
- Also, is that really a reason for failing the connection? What if a CA bundle on file is also used?
- If the function failed due to out of memory I think it should fail no matter what
| ++count; | ||
| } | ||
| if(itmp->crl) { | ||
| X509_STORE_add_crl(cts, itmp->crl); |
There was a problem hiding this comment.
So the PEM buffer can also provide a CRL! Should be mentioned in the docs, right?
I think this is an excellent point that I hadn't though of before! What a difficult decision... But I'll confess I now maybe lean towards a blob! 😨 |
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
4cd02dc
to
087d295
Compare
|
I opened another PR #6662 with a blob version. When decision will be made between CURLOPT_CAINFO_PEM and CURLOPT_CAINFO_BLOB , one of these PR will need to be closed |
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
087d295
to
275e573
Compare
|
My option is that #6662 is better. |
…Y_CAINFO_PEM Let applications provide the CA bundle to libcurl as a PEM formatted in-memory buffer. Rebased branch bundled_cacert from moparisthebest Validation : 397e11b [397e11b] Parents : 4506607 Auteur : moparisthebest <admin@moparisthebest.com> Date : vendredi 3 avril 2020 00:32:42 Auteur : moparisthebest Date de validation : samedi 4 avril 2020 00:31:23 Add CURLOPT_CAINFO_PEM
gvollant
force-pushed
the
gv_bundled_cacert
branch
from
b96b8d3
to
9ff2f20
Compare
|
Jay worked on new #6662, so I close this PR |
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to specify in-memory PEM certificates for OpenSSL, Schannel (Windows) and Secure Transport (Apple) SSL backends. Prior to this change PEM certificates could only be imported from a file and not from memory. Co-authored-by: moparisthebest@users.noreply.github.com Ref: #4679 Ref: #5677 Ref: #6109 Closes #6662
|
#6662 is now merged with CA as blob |
Adds
CURLOPT_CAINFO_PEMandCURLOPT_PROXY_CAINFO_PEMthat let applications provide the CA bundle to libcurl as a PEM formatted in-memory buffer.