recognized as password delimiter. If the nickname contains "\\", it needs to
be escaped as "\\\\" so that it is not recognized as an escape character.
+If curl is built against OpenSSL library, and the engine pkcs11 is available,
+then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in
+a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
+as "pkcs11" if none was provided and the --cert-type option will be set as
+"ENG" if none was provided.
+
(iOS and macOS only) If curl is built against Secure Transport, then the
certificate string can either be the name of a certificate/private key in the
system or user keychain, or the path to a PKCS#12-encoded certificate and
file. For SSH, if not specified, curl tries the following candidates in order:
'~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'.
+If curl is built against OpenSSL library, and the engine pkcs11 is available,
+then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a
+PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
+as "pkcs11" if none was provided and the --key-type option will be set as
+"ENG" if none was provided.
+
If this option is used several times, the last one will be used.
}
return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
}
+
+/*
+ * Check if a given string is a PKCS#11 URI
+ */
+static bool is_pkcs11_uri(const char *string)
+{
+ if(strncasecompare(string, "pkcs11:", 7)) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+}
+
#endif
+static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
+ const char *engine);
+
static
int cert_stuff(struct connectdata *conn,
SSL_CTX* ctx,
case SSL_FILETYPE_ENGINE:
#if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
{
+ /* Implicitly use pkcs11 engine if none was provided and the
+ * cert_file is a PKCS#11 URI */
+ if(!data->state.engine) {
+ if(is_pkcs11_uri(cert_file)) {
+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+ return 0;
+ }
+ }
+ }
+
if(data->state.engine) {
const char *cmd_name = "LOAD_CERT_CTRL";
struct {
#ifdef USE_OPENSSL_ENGINE
{ /* XXXX still needs some work */
EVP_PKEY *priv_key = NULL;
+
+ /* Implicitly use pkcs11 engine if none was provided and the
+ * key_file is a PKCS#11 URI */
+ if(!data->state.engine) {
+ if(is_pkcs11_uri(key_file)) {
+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+ return 0;
+ }
+ }
+ }
+
if(data->state.engine) {
UI_METHOD *ui_method =
UI_create_method((char *)"curl user interface");
* looks like a RFC7512 PKCS#11 URI which can be used as-is.
* Also if cert_parameter contains no colon nor backslash, this
* means no passphrase was given and no characters escaped */
- if(!strncmp(cert_parameter, "pkcs11:", 7) ||
+ if(curl_strnequal(cert_parameter, "pkcs11:", 7) ||
!strpbrk(cert_parameter, ":\\")) {
*certname = strdup(cert_parameter);
return;
return FALSE;
}
+/*
+ * Check if a given string is a PKCS#11 URI
+ */
+static bool is_pkcs11_uri(const char *string)
+{
+ if(curl_strnequal(string, "pkcs11:", 7)) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+}
+
#ifdef __VMS
/*
* get_vms_file_size does what it takes to get the real size of the file
my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey);
if(curlinfo->features & CURL_VERSION_SSL) {
+ /* Check if config->cert is a PKCS#11 URI and set the
+ * config->cert_type if necessary */
+ if(config->cert) {
+ if(!config->cert_type) {
+ if(is_pkcs11_uri(config->cert)) {
+ config->cert_type = strdup("ENG");
+ }
+ }
+ }
+
+ /* Check if config->key is a PKCS#11 URI and set the
+ * config->key_type if necessary */
+ if(config->key) {
+ if(!config->key_type) {
+ if(is_pkcs11_uri(config->key)) {
+ config->key_type = strdup("ENG");
+ }
+ }
+ }
+
+ /* Check if config->proxy_cert is a PKCS#11 URI and set the
+ * config->proxy_type if necessary */
+ if(config->proxy_cert) {
+ if(!config->proxy_cert_type) {
+ if(is_pkcs11_uri(config->proxy_cert)) {
+ config->proxy_cert_type = strdup("ENG");
+ }
+ }
+ }
+
+ /* Check if config->proxy_key is a PKCS#11 URI and set the
+ * config->proxy_key_type if necessary */
+ if(config->proxy_key) {
+ if(!config->proxy_key_type) {
+ if(is_pkcs11_uri(config->proxy_key)) {
+ config->proxy_key_type = strdup("ENG");
+ }
+ }
+ }
+
my_setopt_str(curl, CURLOPT_SSLCERT, config->cert);
my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert);
my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type);
"foo:bar\\\\", "foo", "bar\\\\",
"foo:bar:", "foo", "bar:",
"foo\\::bar\\:", "foo:", "bar\\:",
+ "pkcs11:foobar", "pkcs11:foobar", NULL,
+ "PKCS11:foobar", "PKCS11:foobar", NULL,
+ "PkCs11:foobar", "PkCs11:foobar", NULL,
#ifdef WIN32
"c:\\foo:bar:baz", "c:\\foo", "bar:baz",
"c:\\foo\\:bar:baz", "c:\\foo:bar", "baz",
projects / thirdparty / curl.git / commitdiff
