
curl-tracker Archives

[curl:bugs] #1196 with NSS, some certs unselectable via --cert name:passwd syntax

From: jared jennings <sarynx_at_users.sf.net>
Date: Wed, 13 Feb 2013 20:13:57 +0000

Two ideas that likely won't work:

1. Split the argument to -E on the last colon, not the first. This enables the specification of certificates with (multiple!) colons in their names, but breaks existing behavior by making passphrases with colons in them impossible to specify on the command line.

2. Split on the first colon. If the certificate name thus obtained doesn't work, try splitting on the second colon, etc. The problem here is that figuring out the desired curl configuration given the command line switches and trying to connect using the configuration happen in very different parts of the code; bringing them together would be bad design and difficult to implement.

---
**[bugs:#1196] with NSS, some certs unselectable via --cert name:passwd syntax**
**Status:** open
**Created:** Wed Feb 13, 2013 07:57 PM UTC by jared jennings
**Last Updated:** Wed Feb 13, 2013 07:57 PM UTC
**Owner:** nobody

I need a way to tell the curl tool to use a certificate having a colon in its name.

With the curl tool, when I specify a client certificate to use via the -E or --cert switch, I can optionally specify a passphrase by appending a colon and the passphrase to the argument of the switch. In src/tool_getparam.c around line 1206, the first colon in the argument is found, using strchr, and everything after it is deemed to be the passphrase. Because of this decision, passphrases containing colons can be used, but certificates whose names contain colons cannot.

The use case is this: I've built curl against NSS, and I'm trying to use the certificate on my smartcard.

When you import a certificate from a file into an NSS database, it goes onto the token named "NSS Certificate DB." When you specify a certificate in the NSS database by its nickname, by default that certificate is sought on the "NSS Certificate DB" token. So if all you use with NSS is certificates you've imported from files, you never need a colon.

But if the certificate you want to use is stored on a different token (e.g., a smartcard), you have to name both the token and the certificate; the way to do so is with the syntax token:nickname - i.e. separating them by a colon. So the name of the certificate on my smartcard is "MY.FULL.NAME.1234567890:CAC ID Certificate".

Unfortunately when I hand that value to the -E switch, the curl tool parses that as a request to use the certificate named MY.FULL.NAME.1234567890, with the passphrase "CAC ID Certificate".
---
Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1196/>
To unsubscribe from further messages, please visit <https://sourceforge.net/auth/prefs/>
Received on 2013-02-13
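
The trade-off between the first-colon split described in the report and the last-colon split of idea 1, as an added example that is not part of the original mail and is not curl's source code. The helper names are hypothetical, and the passphrases `s3cret` and `pa:ss` are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not taken from curl's source. */

/* Copy arg into name/pass, cutting at `colon` (NULL means no passphrase).
   Returns 1 if a passphrase part exists, 0 if not, -1 if a buffer is too small. */
static int split_at(const char *arg, const char *colon,
                    char *name, size_t nlen, char *pass, size_t plen)
{
  size_t n = colon ? (size_t)(colon - arg) : strlen(arg);
  const char *rest = colon ? colon + 1 : "";
  if(n >= nlen || strlen(rest) >= plen)
    return -1; /* refuse rather than truncate a credential */
  memcpy(name, arg, n);
  name[n] = '\0';
  strcpy(pass, rest);
  return colon != NULL;
}

/* First-colon split: the behaviour the report describes (strchr). */
static int split_first(const char *arg, char *name, size_t nlen,
                       char *pass, size_t plen)
{
  return split_at(arg, strchr(arg, ':'), name, nlen, pass, plen);
}

/* Last-colon split: idea 1 from the mail (strrchr). */
static int split_last(const char *arg, char *name, size_t nlen,
                      char *pass, size_t plen)
{
  return split_at(arg, strrchr(arg, ':'), name, nlen, pass, plen);
}

int main(void)
{
  /* Constructed inputs: the nickname is the one quoted in the report;
     the passphrases are made up. */
  const char *args[] = { "MY.FULL.NAME.1234567890:CAC ID Certificate:s3cret",
                         "client:pa:ss" };
  char name[128], pass[128];
  for(size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
    split_first(args[i], name, sizeof(name), pass, sizeof(pass));
    printf("first: cert=[%s] pass=[%s]\n", name, pass);
    split_last(args[i], name, sizeof(name), pass, sizeof(pass));
    printf("last:  cert=[%s] pass=[%s]\n", name, pass);
  }
  return 0;
}
```

Each strategy parses one of the two inputs as intended and misparses the other, which is the backward-compatibility problem the mail raises.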

These mail archives are generated by hypermail.

Page updated January 05, 2012.