From: Daniel Stenberg Date: Sat, 3 Jun 2023 21:48:37 +0000 (+0200) Subject: curl: add --ca-native and --proxy-ca-native X-Git-Tag: curl-8_2_0~155 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9ad23c38e5e80a96d4ac71cb1e16008b7d9d355d;p=thirdparty%2Fcurl.git curl: add --ca-native and --proxy-ca-native These are two boolean options to ask curl to use the native OS's CA store when verifying TLS servers. For peers and for proxies respectively. They currently only have an effect for curl on Windows when built to use OpenSSL for TLS. Closes #11049
---
diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc
index 208a66718c..149db5878a 100644
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@@ -30,6 +30,7 @@ DPAGES = \
 append.d \
 aws-sigv4.d \
 basic.d \
+ ca-native.d \
 cacert.d \
 capath.d \
 cert-status.d \
@@ -170,6 +171,7 @@ DPAGES = \
 proto.d \
 proxy-anyauth.d \
 proxy-basic.d \
+ proxy-ca-native.d \
 proxy-cacert.d \
 proxy-capath.d \
 proxy-cert-type.d \
diff --git a/docs/cmdline-opts/ca-native.d b/docs/cmdline-opts/ca-native.d
new file mode 100644
index 0000000000..30b068a32a
--- /dev/null
+++ b/docs/cmdline-opts/ca-native.d
@@ -0,0 +1,19 @@
+c: Copyright (C) Daniel Stenberg, , et al.
+SPDX-License-Identifier: curl
+Long: ca-native
+Help: Use CA certificates from the native OS
+Protocols: TLS
+Category: tls
+See-also: cacert capath insecure
+Example: --ca-native $URL
+Added: 8.2.0
+Multi: boolean
+---
+Tells curl to use the CA store from the native operating system to verify the
+peer. By default, curl will otherwise use a CA store provided in a single file
+or directory, but when using this option it will interface the operating
+system's own vault.
+
+This option only works for curl on Windows when built to use OpenSSL. When
+curl on Windows is built to use Schannel, this feature is implied and curl
+then only uses the native CA store.
diff --git a/docs/cmdline-opts/proxy-ca-native.d b/docs/cmdline-opts/proxy-ca-native.d
new file mode 100644
index 0000000000..1498947768
--- /dev/null
+++ b/docs/cmdline-opts/proxy-ca-native.d
@@ -0,0 +1,19 @@
+c: Copyright (C) Daniel Stenberg, , et al.
+SPDX-License-Identifier: curl
+Long: proxy-ca-native
+Help: Use CA certificates from the native OS for proxy
+Protocols: TLS
+Category: tls
+See-also: cacert capath insecure
+Example: --ca-native $URL
+Added: 8.2.0
+Multi: boolean
+---
+Tells curl to use the CA store from the native operating system to verify the
+HTTPS proxy. By default, curl will otherwise use a CA store provided in a
+single file or directory, but when using this option it will interface the
+operating system's own vault.
+
+This option only works for curl on Windows when built to use OpenSSL. When
+curl on Windows is built to use Schannel, this feature is implied and curl
+then only uses the native CA store.
diff --git a/docs/options-in-versions b/docs/options-in-versions
index d34dd33f01..a4307b6abf 100644
--- a/docs/options-in-versions
+++ b/docs/options-in-versions
@@ -16,6 +16,7 @@
 --append (-a) 4.8
 --aws-sigv4 7.75.0
 --basic 7.10.6
+--ca-native 8.2.0
 --cacert 7.5
 --capath 7.9.8
 --cert (-E) 5.0
@@ -157,6 +158,7 @@
 --proxy (-x) 4.0
 --proxy-anyauth 7.13.2
 --proxy-basic 7.12.0
+--proxy-ca-native 8.2.0
 --proxy-cacert 7.52.0
 --proxy-capath 7.52.0
 --proxy-cert 7.52.0
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 9609dcdb73..a0442ff434 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -259,7 +259,8 @@ struct OperationConfig { bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing revocation list errors */ - bool native_ca_store; /* use the native os ca store */ + bool native_ca_store; /* use the native OS CA store */ + bool proxy_native_ca_store; /* use the native OS CA store for proxy */ bool ssl_auto_client_cert; /* automatically locate and use a client certificate for authentication (Schannel) */ bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 8a06b6d624..cee56d0baf 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -247,6 +247,8 @@ static const struct LongShort aliases[]= {
 {"Ed", "key-type", ARG_STRING},
 {"Ee", "pass", ARG_STRING},
 {"Ef", "engine", ARG_STRING},
+ {"EG", "ca-native", ARG_BOOL},
+ {"EH", "proxy-ca-native", ARG_BOOL},
 {"Eg", "capath", ARG_FILENAME},
 {"Eh", "pubkey", ARG_STRING},
 {"Ei", "hostpubmd5", ARG_STRING},
@@ -1723,9 +1725,15 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
 cleanarg(clearthis);
 GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
 break;
- case 'a': /* CA info PEM file */
+ case 'a': /* --cacert CA info PEM file */
 GetStr(&config->cacert, nextarg);
 break;
+ case 'G': /* --ca-native */
+ config->native_ca_store = toggle;
+ break;
+ case 'H': /* --proxy-ca-native */
+ config->proxy_native_ca_store = toggle;
+ break;
 case 'b': /* cert file type */
 GetStr(&config->cert_type, nextarg);
 break;
diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c
index 61550de72d..b6f85fcb81 100644
--- a/src/tool_listhelp.c
+++ b/src/tool_listhelp.c
@@ -51,6 +51,9 @@ const struct helptxt helptext[] = {
 {" --basic",
 "Use HTTP Basic Authentication",
 CURLHELP_AUTH},
+ {" --ca-native",
+ "Use CA certificates from the native OS",
+ CURLHELP_TLS},
 {" --cacert ",
 "CA certificate to verify peer against",
 CURLHELP_TLS},
@@ -274,7 +277,7 @@ const struct helptxt helptext[] = {
 "Use HTTP 1.1",
 CURLHELP_HTTP},
 {" --http2",
- "Use HTTP 2",
+ "Use HTTP/2",
 CURLHELP_HTTP},
 {" --http2-prior-knowledge",
 "Use HTTP 2 without HTTP/1.1 Upgrade",
@@ -474,6 +477,9 @@ const struct helptxt helptext[] = {
 {" --proxy-basic",
 "Use Basic authentication on the proxy",
 CURLHELP_PROXY | CURLHELP_AUTH},
+ {" --proxy-ca-native",
+ "Use CA certificates from the native OS for proxy",
+ CURLHELP_TLS},
 {" --proxy-cacert ",
 "CA certificate to verify peer against for proxy",
 CURLHELP_PROXY | CURLHELP_TLS},
diff --git a/src/tool_operate.c b/src/tool_operate.c
index ce84183022..9dea412b03 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1779,7 +1779,9 @@ static CURLcode single_transfer(struct GlobalConfig *global,
 (config->proxy_ssl_allow_beast ?
 CURLSSLOPT_ALLOW_BEAST : 0) |
 (config->proxy_ssl_auto_client_cert ?
- CURLSSLOPT_AUTO_CLIENT_CERT : 0);
+ CURLSSLOPT_AUTO_CLIENT_CERT : 0) |
+ (config->proxy_native_ca_store ?
+ CURLSSLOPT_NATIVE_CA : 0);
 if(mask)
 my_setopt_bitmask(curl, CURLOPT_PROXY_SSL_OPTIONS, mask);
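Review bot: The wording change on the `--http2` entry leaves the entry right below it inconsistent: the context line for `--http2-prior-knowledge` still reads `"Use HTTP 2 without HTTP/1.1 Upgrade"`, so the help output now says "HTTP/2" and "HTTP 2" two lines apart. If tool_listhelp.c is regenerated from docs/cmdline-opts as elsewhere in the curl tree, the Help: line of http2-prior-knowledge.d needs the same edit rather than this file; otherwise change that line to `"Use HTTP/2 without HTTP/1.1 Upgrade"`. This tweak is also unrelated to the --ca-native work the commit describes and would be easier to track as its own commit. The helptext[] initializer starts and ends outside the hunk.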
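Review bot: The new `--proxy-ca-native` entry is categorized as `CURLHELP_TLS` only, while the neighbouring proxy options in the same hunk (`--proxy-basic`, `--proxy-cacert`) also carry `CURLHELP_PROXY`, so `curl --help proxy` will not list this option. The flags should read `CURLHELP_PROXY | CURLHELP_TLS`; if this file is generated from docs/cmdline-opts, that means `Category: proxy tls` in proxy-ca-native.d. While in that .d file: its Example line still reads `--ca-native $URL`, evidently copied from ca-native.d, and should be `--proxy-ca-native $URL`. The helptext[] initializer starts and ends outside the hunk.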
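Review bot: OR-ing `CURLSSLOPT_NATIVE_CA` into the proxy mask gives the user no indication when the bit has no effect: per the commit message the option only does anything for curl on Windows built with OpenSSL, and as far as I can tell libcurl accepts CURLSSLOPT bits it cannot honor without error, so on every other build `--proxy-ca-native` is a silent no-op even though the name suggests the OS trust store is now consulted for the proxy. Consider a `warnf()` when `config->proxy_native_ca_store` is set on a build whose TLS backend cannot honor it (the same presumably applies to `config->native_ca_store` in the peer mask, which lies outside this hunk), or at minimum a comment on the new lines, e.g. `/* best-effort: only honored by OpenSSL on Windows, silently ignored elsewhere */`. single_transfer() begins and ends outside the hunk.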