Resolves: #1219544 - ssl: set engine implicitly when a PKCS#11 URI is provided
This commit is contained in:
parent
35134a4aee
commit
178b0fc823
272
0001-curl-7.61.0-pkcs11.patch
Normal file
272
0001-curl-7.61.0-pkcs11.patch
Normal file
@ -0,0 +1,272 @@
|
|||||||
|
From a9a65ae9f6516faf042b36eca2450db7d34bff47 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||||
|
Date: Mon, 19 Feb 2018 14:31:06 +0100
|
||||||
|
Subject: [PATCH 1/2] ssl: set engine implicitly when a PKCS#11 URI is provided
|
||||||
|
|
||||||
|
This allows the use of PKCS#11 URI for certificates and keys without
|
||||||
|
setting the corresponding type as "ENG" and the engine as "pkcs11"
|
||||||
|
explicitly. If a PKCS#11 URI is provided for certificate, key,
|
||||||
|
proxy_certificate or proxy_key, the corresponding type is set as "ENG"
|
||||||
|
if not provided and the engine is set to "pkcs11" if not provided.
|
||||||
|
|
||||||
|
Acked-by: Nikos Mavrogiannopoulos
|
||||||
|
Closes #2333
|
||||||
|
|
||||||
|
Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
docs/cmdline-opts/cert.d | 7 ++++++
|
||||||
|
docs/cmdline-opts/key.d | 7 ++++++
|
||||||
|
lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++
|
||||||
|
src/tool_getparam.c | 2 +-
|
||||||
|
src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/unit/unit1394.c | 3 +++
|
||||||
|
6 files changed, 109 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d
|
||||||
|
index adf62fc..510b833 100644
|
||||||
|
--- a/docs/cmdline-opts/cert.d
|
||||||
|
+++ b/docs/cmdline-opts/cert.d
|
||||||
|
@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not
|
||||||
|
recognized as password delimiter. If the nickname contains "\\", it needs to
|
||||||
|
be escaped as "\\\\" so that it is not recognized as an escape character.
|
||||||
|
|
||||||
|
+If curl is built against OpenSSL library, and the engine pkcs11 is available,
|
||||||
|
+then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in
|
||||||
|
+a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
|
||||||
|
+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
|
||||||
|
+as "pkcs11" if none was provided and the --cert-type option will be set as
|
||||||
|
+"ENG" if none was provided.
|
||||||
|
+
|
||||||
|
(iOS and macOS only) If curl is built against Secure Transport, then the
|
||||||
|
certificate string can either be the name of a certificate/private key in the
|
||||||
|
system or user keychain, or the path to a PKCS#12-encoded certificate and
|
||||||
|
diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d
|
||||||
|
index fbf583a..4877b42 100644
|
||||||
|
--- a/docs/cmdline-opts/key.d
|
||||||
|
+++ b/docs/cmdline-opts/key.d
|
||||||
|
@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate
|
||||||
|
file. For SSH, if not specified, curl tries the following candidates in order:
|
||||||
|
'~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'.
|
||||||
|
|
||||||
|
+If curl is built against OpenSSL library, and the engine pkcs11 is available,
|
||||||
|
+then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a
|
||||||
|
+PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
|
||||||
|
+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
|
||||||
|
+as "pkcs11" if none was provided and the --key-type option will be set as
|
||||||
|
+"ENG" if none was provided.
|
||||||
|
+
|
||||||
|
If this option is used several times, the last one will be used.
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 0b1929b..bc46eca 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -558,8 +558,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis)
|
||||||
|
}
|
||||||
|
return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Check if a given string is a PKCS#11 URI
|
||||||
|
+ */
|
||||||
|
+static bool is_pkcs11_uri(const char *string)
|
||||||
|
+{
|
||||||
|
+ if(strncasecompare(string, "pkcs11:", 7)) {
|
||||||
|
+ return TRUE;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
|
||||||
|
+ const char *engine);
|
||||||
|
+
|
||||||
|
static
|
||||||
|
int cert_stuff(struct connectdata *conn,
|
||||||
|
SSL_CTX* ctx,
|
||||||
|
@@ -622,6 +639,16 @@ int cert_stuff(struct connectdata *conn,
|
||||||
|
case SSL_FILETYPE_ENGINE:
|
||||||
|
#if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
|
||||||
|
{
|
||||||
|
+ /* Implicitly use pkcs11 engine if none was provided and the
|
||||||
|
+ * cert_file is a PKCS#11 URI */
|
||||||
|
+ if(!data->state.engine) {
|
||||||
|
+ if(is_pkcs11_uri(cert_file)) {
|
||||||
|
+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if(data->state.engine) {
|
||||||
|
const char *cmd_name = "LOAD_CERT_CTRL";
|
||||||
|
struct {
|
||||||
|
@@ -798,6 +825,17 @@ int cert_stuff(struct connectdata *conn,
|
||||||
|
#ifdef USE_OPENSSL_ENGINE
|
||||||
|
{ /* XXXX still needs some work */
|
||||||
|
EVP_PKEY *priv_key = NULL;
|
||||||
|
+
|
||||||
|
+ /* Implicitly use pkcs11 engine if none was provided and the
|
||||||
|
+ * key_file is a PKCS#11 URI */
|
||||||
|
+ if(!data->state.engine) {
|
||||||
|
+ if(is_pkcs11_uri(key_file)) {
|
||||||
|
+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if(data->state.engine) {
|
||||||
|
UI_METHOD *ui_method =
|
||||||
|
UI_create_method((char *)"curl user interface");
|
||||||
|
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
|
||||||
|
index cc3fcf3..a7bb7f9 100644
|
||||||
|
--- a/src/tool_getparam.c
|
||||||
|
+++ b/src/tool_getparam.c
|
||||||
|
@@ -342,7 +342,7 @@ void parse_cert_parameter(const char *cert_parameter,
|
||||||
|
* looks like a RFC7512 PKCS#11 URI which can be used as-is.
|
||||||
|
* Also if cert_parameter contains no colon nor backslash, this
|
||||||
|
* means no passphrase was given and no characters escaped */
|
||||||
|
- if(!strncmp(cert_parameter, "pkcs11:", 7) ||
|
||||||
|
+ if(curl_strnequal(cert_parameter, "pkcs11:", 7) ||
|
||||||
|
!strpbrk(cert_parameter, ":\\")) {
|
||||||
|
*certname = strdup(cert_parameter);
|
||||||
|
return;
|
||||||
|
diff --git a/src/tool_operate.c b/src/tool_operate.c
|
||||||
|
index 26fc251..25d450c 100644
|
||||||
|
--- a/src/tool_operate.c
|
||||||
|
+++ b/src/tool_operate.c
|
||||||
|
@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code)
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Check if a given string is a PKCS#11 URI
|
||||||
|
+ */
|
||||||
|
+static bool is_pkcs11_uri(const char *string)
|
||||||
|
+{
|
||||||
|
+ if(curl_strnequal(string, "pkcs11:", 7)) {
|
||||||
|
+ return TRUE;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#ifdef __VMS
|
||||||
|
/*
|
||||||
|
* get_vms_file_size does what it takes to get the real size of the file
|
||||||
|
@@ -1073,6 +1086,46 @@ static CURLcode operate_do(struct GlobalConfig *global,
|
||||||
|
my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey);
|
||||||
|
|
||||||
|
if(curlinfo->features & CURL_VERSION_SSL) {
|
||||||
|
+ /* Check if config->cert is a PKCS#11 URI and set the
|
||||||
|
+ * config->cert_type if necessary */
|
||||||
|
+ if(config->cert) {
|
||||||
|
+ if(!config->cert_type) {
|
||||||
|
+ if(is_pkcs11_uri(config->cert)) {
|
||||||
|
+ config->cert_type = strdup("ENG");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Check if config->key is a PKCS#11 URI and set the
|
||||||
|
+ * config->key_type if necessary */
|
||||||
|
+ if(config->key) {
|
||||||
|
+ if(!config->key_type) {
|
||||||
|
+ if(is_pkcs11_uri(config->key)) {
|
||||||
|
+ config->key_type = strdup("ENG");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Check if config->proxy_cert is a PKCS#11 URI and set the
|
||||||
|
+ * config->proxy_type if necessary */
|
||||||
|
+ if(config->proxy_cert) {
|
||||||
|
+ if(!config->proxy_cert_type) {
|
||||||
|
+ if(is_pkcs11_uri(config->proxy_cert)) {
|
||||||
|
+ config->proxy_cert_type = strdup("ENG");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Check if config->proxy_key is a PKCS#11 URI and set the
|
||||||
|
+ * config->proxy_key_type if necessary */
|
||||||
|
+ if(config->proxy_key) {
|
||||||
|
+ if(!config->proxy_key_type) {
|
||||||
|
+ if(is_pkcs11_uri(config->proxy_key)) {
|
||||||
|
+ config->proxy_key_type = strdup("ENG");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
my_setopt_str(curl, CURLOPT_SSLCERT, config->cert);
|
||||||
|
my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert);
|
||||||
|
my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type);
|
||||||
|
diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c
|
||||||
|
index 667991d..010f052 100644
|
||||||
|
--- a/tests/unit/unit1394.c
|
||||||
|
+++ b/tests/unit/unit1394.c
|
||||||
|
@@ -56,6 +56,9 @@ UNITTEST_START
|
||||||
|
"foo:bar\\\\", "foo", "bar\\\\",
|
||||||
|
"foo:bar:", "foo", "bar:",
|
||||||
|
"foo\\::bar\\:", "foo:", "bar\\:",
|
||||||
|
+ "pkcs11:foobar", "pkcs11:foobar", NULL,
|
||||||
|
+ "PKCS11:foobar", "PKCS11:foobar", NULL,
|
||||||
|
+ "PkCs11:foobar", "PkCs11:foobar", NULL,
|
||||||
|
#ifdef WIN32
|
||||||
|
"c:\\foo:bar:baz", "c:\\foo", "bar:baz",
|
||||||
|
"c:\\foo\\:bar:baz", "c:\\foo:bar", "baz",
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
||||||
|
|
||||||
|
From 2be42ac65f4c345ed3ddc97917c8ef54e13fcbfd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Thu, 9 Aug 2018 15:34:22 +0200
|
||||||
|
Subject: [PATCH 2/2] docs: add files needed to regenerate curl.1 man page
|
||||||
|
|
||||||
|
Bug: https://github.com/curl/curl/pull/2856
|
||||||
|
---
|
||||||
|
docs/cmdline-opts/disallow-username-in-url.d | 7 +++++++
|
||||||
|
docs/cmdline-opts/haproxy-protocol.d | 11 +++++++++++
|
||||||
|
2 files changed, 18 insertions(+)
|
||||||
|
create mode 100644 docs/cmdline-opts/disallow-username-in-url.d
|
||||||
|
create mode 100644 docs/cmdline-opts/haproxy-protocol.d
|
||||||
|
|
||||||
|
diff --git a/docs/cmdline-opts/disallow-username-in-url.d b/docs/cmdline-opts/disallow-username-in-url.d
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..a7f46ea
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/docs/cmdline-opts/disallow-username-in-url.d
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+Long: disallow-username-in-url
|
||||||
|
+Help: Disallow username in url
|
||||||
|
+Protocols: HTTP
|
||||||
|
+Added: 7.61.0
|
||||||
|
+See-also: proto
|
||||||
|
+---
|
||||||
|
+This tells curl to exit if passed a url containing a username.
|
||||||
|
diff --git a/docs/cmdline-opts/haproxy-protocol.d b/docs/cmdline-opts/haproxy-protocol.d
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..cc41c9c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/docs/cmdline-opts/haproxy-protocol.d
|
||||||
|
@@ -0,0 +1,11 @@
|
||||||
|
+Long: haproxy-protocol
|
||||||
|
+Help: Send HAProxy PROXY protocol v1 header
|
||||||
|
+Protocols: HTTP
|
||||||
|
+Added: 7.60.0
|
||||||
|
+---
|
||||||
|
+Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This
|
||||||
|
+is used by some load balancers and reverse proxies to indicate the client's
|
||||||
|
+true IP address and port.
|
||||||
|
+
|
||||||
|
+This option is primarily useful when sending test requests to a service that
|
||||||
|
+expects this header.
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
@ -1,10 +1,13 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.61.0
|
Version: 7.61.0
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
|
# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)
|
||||||
|
Patch1: 0001-curl-7.61.0-pkcs11.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -155,6 +158,7 @@ be installed.
|
|||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -321,6 +325,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 09 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-5
|
||||||
|
- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)
|
||||||
|
|
||||||
* Tue Aug 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-4
|
* Tue Aug 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-4
|
||||||
- relax crypto policy for the test-suite to make it pass again (#1610888)
|
- relax crypto policy for the test-suite to make it pass again (#1610888)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user