1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 09:38:54 -05:00

mbedtls: add support for cert and key blob options

CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
mbedtls backend, so the support was added.

Closes #7157
This commit is contained in:
Laurent Dufresne 2021-05-31 20:52:05 +02:00 committed by Daniel Stenberg
parent e5dfc88eb8
commit 05e0453050
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -250,6 +250,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
const char * const hostname = SSL_HOST_NAME();
const long int port = SSL_HOST_PORT();
@ -341,15 +342,30 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
}
}
if(ssl_cert_blob) {
const unsigned char *blob_data =
(const unsigned char *)ssl_cert_blob->data;
ret = mbedtls_x509_crt_parse(&backend->clicert, blob_data,
ssl_cert_blob->len);
if(ret) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error parsing client cert blob - mbedTLS: (-0x%04X) %s",
-ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
mbedtls_pk_init(&backend->pk);
if(SSL_SET_OPTION(key) || SSL_SET_OPTION(key_blob)) {
if(SSL_SET_OPTION(key)) {
ret = mbedtls_pk_parse_keyfile(&backend->pk, SSL_SET_OPTION(key),
SSL_SET_OPTION(key_passwd));
if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
if(ret) {
#ifdef MBEDTLS_ERROR_C
@ -357,10 +373,32 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
SSL_SET_OPTION(key), -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
else {
const struct curl_blob *ssl_key_blob = SSL_SET_OPTION(key_blob);
const unsigned char *key_data =
(const unsigned char *)ssl_key_blob->data;
const char *passwd = SSL_SET_OPTION(key_passwd);
ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
(const unsigned char *)passwd,
passwd ? strlen(passwd) : 0);
if(ret) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error parsing private key - mbedTLS: (-0x%04X) %s",
-ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
}
/* Load the CRL */
mbedtls_x509_crl_init(&backend->crl);
@ -468,7 +506,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
&backend->cacert,
&backend->crl);
if(SSL_SET_OPTION(key)) {
if(SSL_SET_OPTION(key) || SSL_SET_OPTION(key_blob)) {
mbedtls_ssl_conf_own_cert(&backend->config,
&backend->clicert, &backend->pk);
}