curl-library

Re: Properly Implementing a Patch for CAINFO / ISSUERCERT

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Tue, 19 Jun 2012 08:40:52 +0200

On 06/18/2012 07:20 PM, Georg Wicherski wrote:
> Hi,
>
> I need to implement a patch against libcurl that makes it read the CA
> PEM data for CAINFO and ISSUERCERT from a memory buffer provided
> directly with curl_easy_setopt rather than providing it a file path.

No, you don't need this. :-) What you want is to hard-code some
data that represents a certificate and use it as a trust anchor.

Well, openssl x509 -C creates a buffer and length containing the
data from the cert in DER encoding. Include this in your
program. Should be 'trivial' (see below).

You can use the SSL initialisation callback,
decode the cert in your main program, set the
SSL callback parameter, and in the callback
add it to the trust STORE.
No BIO, no PEM, just d2i_X509.

>
> Now I've figured out the trivial necessary changes to do that
> (basically create a BIO with BIO_new_mem_buf and then use
> PEM_read_bio_X509).
Oh, I think it was 30 years ago that someone warned me
"beware of those who use the word 'trivial'" :-)

>
> However, I want to make sure my patch gets accepted upstream. We're
> linking against libcurl statically thanks to its BSD license, but we
> want to contribute to the OpenSource cause and also have better
> maintainability (I hope merging upgrading our then-to-be-vanilla libcurl
> within our source tree will be easier then).
>
> My approach was to simply see if the provided buffer starts with
> "-----BEGIN CERTIFICATE-----" and then read the PEM data from the memory
> buffer instead of treating it as a file path. I would just like to check
> if such a dual-purpose / self-configuring API is fine with the upstream
> maintainers.
>
> Note for the paranoid: We're not generating things on the fly or doing
> other bad things that violate proper crypto best-practices. We simply
> want to pin on a specific CA (run by us) due to the recent rogue or
> hacked CA debacles. Reading this CA cert from a memory buffer is a
> requirement for us, since it makes our cross-platform deployment _a lot_
> easier.
>
> A simple "yes, go with looking for that string and we'll accept upstream
> and write docs ourselves" would be most appreciated. ;)
>
>
> Thanks,
> Georg
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2012-06-19