Re: [PATCH] gnutls: Support CURLOPT_KEYPASSWD using gnutls_certificate_set_x509_key_file2

Mike Crowe Tue, 22 Sep 2015 01:46:43 -0700

> On Mon, Sep 21, 2015 at 10:34:55AM +0100, Mike Crowe wrote:
> > diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
> > index c54dfc1..9f3ea10 100644
> > --- a/lib/vtls/gtls.c
> > +++ b/lib/vtls/gtls.c
> > @@ -656,15 +656,41 @@ gtls_connect_step1(struct connectdata *conn,
> >  #endif
> >  
> >    if(data->set.str[STRING_CERT]) {
> > -    if(gnutls_certificate_set_x509_key_file(
> > -         conn->ssl[sockindex].cred,
> > -         data->set.str[STRING_CERT],
> > -         data->set.str[STRING_KEY] ?
> > -         data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
> > -         do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
> > -       GNUTLS_E_SUCCESS) {
> > -      failf(data, "error reading X.509 key or certificate file");
> > -      return CURLE_SSL_CONNECT_ERROR;
> > +    if(data->set.str[STRING_KEY_PASSWD]) {
> > +#if HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
> > +      const unsigned int supported_key_encryption_algorithms =
> > +        GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
> > +        GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
> > +        GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
> > +        GNUTLS_PKCS_USE_PBES2_AES_256;
> > +      if(gnutls_certificate_set_x509_key_file2(
> > +           conn->ssl[sockindex].cred,
> > +           data->set.str[STRING_CERT],
> > +           data->set.str[STRING_KEY] ?
> > +           data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
> > +           do_file_type(data->set.str[STRING_CERT_TYPE]),
> > +           data->set.str[STRING_KEY_PASSWD],
> > +           supported_key_encryption_algorithms) !=
> > +         GNUTLS_E_SUCCESS) {
> > +        failf(data,
> > +              "error reading X.509 potentially-encrypted key certificate 
> > file");
> > +        return CURLE_SSL_CONNECT_ERROR;
> > +#else
> > +        failf(data, "gnutls lacks support for encrypted key files");
> > +        return CURLE_SSL_CONNECT_ERROR;

On Monday 21 September 2015 at 17:21:20 +0200, Alessandro Ghedini wrote:
> IMO this failure should happen much earlier, ideally when CURLOPT_KEYPASSWD is
> set in Curl_setopt(), like we do for e.g. CURLOPT_SSL_VERIFYSTATUS. Other TLS
> backends that support CURLOPT_KEYPASSWD should be updated as well, but that
> should probably go in a separate patch.

The main part of the patch tries to bring GnuTLS up to the same level of
functionality as OpenSSL (and presumably other SSL backends.) I believe
that your suggestion would involve modifying all the SSL backends.

I agree that detecting failure earlier would be useful but since the
certificate, the key and the password are all be set in any order using
separate curl_easy_setopt calls, I don't believe that it can be
done reliably at that stage whilst maintaining compatibility.

Mike.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Re: [PATCH] gnutls: Support CURLOPT_KEYPASSWD using gnutls_certificate_set_x509_key_file2

Reply via email to