append.d \
aws-sigv4.d \
basic.d \
+ ca-native.d \
cacert.d \
capath.d \
cert-status.d \
proto.d \
proxy-anyauth.d \
proxy-basic.d \
+ proxy-ca-native.d \
proxy-cacert.d \
proxy-capath.d \
proxy-cert-type.d \
--- /dev/null
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Long: ca-native
+Help: Use CA certificates from the native OS
+Protocols: TLS
+Category: tls
+See-also: cacert capath insecure
+Example: --ca-native $URL
+Added: 8.2.0
+Multi: boolean
+---
+Tells curl to use the CA store from the native operating system to verify the
+peer. By default, curl will otherwise use a CA store provided in a single file
+or directory, but when using this option it will interface the operating
+system's own vault.
+
+This option only works for curl on Windows when built to use OpenSSL. When
+curl on Windows is built to use Schannel, this feature is implied and curl
+then only uses the native CA store.
--- /dev/null
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Long: proxy-ca-native
+Help: Use CA certificates from the native OS for proxy
+Protocols: TLS
+Category: tls
+See-also: cacert capath insecure
+Example: --ca-native $URL
+Added: 8.2.0
+Multi: boolean
+---
+Tells curl to use the CA store from the native operating system to verify the
+HTTPS proxy. By default, curl will otherwise use a CA store provided in a
+single file or directory, but when using this option it will interface the
+operating system's own vault.
+
+This option only works for curl on Windows when built to use OpenSSL. When
+curl on Windows is built to use Schannel, this feature is implied and curl
+then only uses the native CA store.
--append (-a) 4.8
--aws-sigv4 7.75.0
--basic 7.10.6
+--ca-native 8.2.0
--cacert 7.5
--capath 7.9.8
--cert (-E) 5.0
--proxy (-x) 4.0
--proxy-anyauth 7.13.2
--proxy-basic 7.12.0
+--proxy-ca-native 8.2.0
--proxy-cacert 7.52.0
--proxy-capath 7.52.0
--proxy-cert 7.52.0
bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing
revocation list errors */
- bool native_ca_store; /* use the native os ca store */
+ bool native_ca_store; /* use the native OS CA store */
+ bool proxy_native_ca_store; /* use the native OS CA store for proxy */
bool ssl_auto_client_cert; /* automatically locate and use a client
certificate for authentication (Schannel) */
bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */
{"Ed", "key-type", ARG_STRING},
{"Ee", "pass", ARG_STRING},
{"Ef", "engine", ARG_STRING},
+ {"EG", "ca-native", ARG_BOOL},
+ {"EH", "proxy-ca-native", ARG_BOOL},
{"Eg", "capath", ARG_FILENAME},
{"Eh", "pubkey", ARG_STRING},
{"Ei", "hostpubmd5", ARG_STRING},
cleanarg(clearthis);
GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
break;
- case 'a': /* CA info PEM file */
+ case 'a': /* --cacert CA info PEM file */
GetStr(&config->cacert, nextarg);
break;
+ case 'G': /* --ca-native */
+ config->native_ca_store = toggle;
+ break;
+ case 'H': /* --proxy-ca-native */
+ config->proxy_native_ca_store = toggle;
+ break;
case 'b': /* cert file type */
GetStr(&config->cert_type, nextarg);
break;
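Review bot: Both new cases (`'G'` and `'H'`) store `toggle` unconditionally, although the option text added in this commit says the feature only works for OpenSSL builds on Windows. Nothing in this hunk tells a user on another build that `--ca-native` or `--proxy-ca-native` had no effect. Someone who relies on the OS trust store, for example after a root was added or removed there, would then presumably be verified against curl's default CA bundle without knowing it. Consider emitting a warning when the option is given on a build that cannot honour it, or at least adding a comment such as `/* only effective with OpenSSL on Windows; see ca-native.d */` to the two cases. Whether libcurl itself rejects the flag on other builds is not visible here, and the switch continues outside the hunk.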
{" --basic",
"Use HTTP Basic Authentication",
CURLHELP_AUTH},
+ {" --ca-native",
+ "Use CA certificates from the native OS",
+ CURLHELP_TLS},
{" --cacert <file>",
"CA certificate to verify peer against",
CURLHELP_TLS},
"Use HTTP 1.1",
CURLHELP_HTTP},
{" --http2",
- "Use HTTP 2",
+ "Use HTTP/2",
CURLHELP_HTTP},
{" --http2-prior-knowledge",
"Use HTTP 2 without HTTP/1.1 Upgrade",
{" --proxy-basic",
"Use Basic authentication on the proxy",
CURLHELP_PROXY | CURLHELP_AUTH},
+ {" --proxy-ca-native",
+ "Use CA certificates from the native OS for proxy",
+ CURLHELP_TLS},
{" --proxy-cacert <file>",
"CA certificate to verify peer against for proxy",
CURLHELP_PROXY | CURLHELP_TLS},
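Review bot: The new `--proxy-ca-native` entry is tagged `CURLHELP_TLS` only, while the neighbouring `--proxy-cacert` entry uses `CURLHELP_PROXY | CURLHELP_TLS`, so the new option would not be listed with the other proxy options in category help. The entry should end with `CURLHELP_PROXY | CURLHELP_TLS},`. If this table is generated from the option files, the matching fix is `Category: proxy tls` in proxy-ca-native.d. That file also looks copied from ca-native.d without adjustment: its `Example:` line still shows `--ca-native $URL` and its `See-also:` line lists the non-proxy options.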
(config->proxy_ssl_allow_beast ?
CURLSSLOPT_ALLOW_BEAST : 0) |
(config->proxy_ssl_auto_client_cert ?
- CURLSSLOPT_AUTO_CLIENT_CERT : 0);
+ CURLSSLOPT_AUTO_CLIENT_CERT : 0) |
+ (config->proxy_native_ca_store ?
+ CURLSSLOPT_NATIVE_CA : 0);
if(mask)
my_setopt_bitmask(curl, CURLOPT_PROXY_SSL_OPTIONS, mask);
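Review bot: `CURLSSLOPT_NATIVE_CA` is ORed into the proxy mask regardless of whether `--proxy-cacert` or `--proxy-capath` was also given, and neither this hunk nor the new option text says whether the OS store then replaces or extends the configured CA file. That matters to anyone who restricts proxy trust to a private CA: if the two sources are combined, every root in the OS store becomes acceptable for the proxy as well. I would state the behaviour in proxy-ca-native.d and add a short comment here, e.g. `/* native store is requested independently of --proxy-cacert/--proxy-capath */`. The `mask` declaration and the enclosing block start above the hunk.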