From a332922a526f91876fc8ffa73a45322800bf0e73 Mon Sep 17 00:00:00 2001
From: Alessandro Ghedini
Date: Fri, 20 Mar 2015 19:03:53 +0100
Subject: gtls: implement CURLOPT_CERTINFO

---
 docs/libcurl/opts/CURLOPT_CERTINFO.3 | 13 ++++++-------
 lib/vtls/gtls.c | 18 ++++++++++++++++++
 lib/vtls/gtls.h | 3 +++
 lib/x509asn1.c | 5 ++---
 lib/x509asn1.h | 6 +++---
 5 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/docs/libcurl/opts/CURLOPT_CERTINFO.3 b/docs/libcurl/opts/CURLOPT_CERTINFO.3
index 8c01711dd..a508b867b 100644
--- a/docs/libcurl/opts/CURLOPT_CERTINFO.3
+++ b/docs/libcurl/opts/CURLOPT_CERTINFO.3
@@ -5,7 +5,7 @@
 .\" * | (__| |_| | _ <| |___
 .\" * \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -29,11 +29,10 @@ CURLOPT_CERTINFO \- request SSL certificate information
 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_CERTINFO, long certinfo);
 .SH DESCRIPTION
 Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
-this enabled, libcurl (if built with OpenSSL, NSS or GSKit) will
-extract lots of information and data about the certificates in the certificate
-chain used in the SSL connection. This data may then be retrieved after a
-transfer using \fIcurl_easy_getinfo(3)\fP and its option
-\fICURLINFO_CERTINFO\fP.
+this enabled, libcurl will extract lots of information and data about the
+certificates in the certificate chain used in the SSL connection. This data may
+then be retrieved after a transfer using \fIcurl_easy_getinfo(3)\fP and its
+option \fICURLINFO_CERTINFO\fP.
 .SH DEFAULT
 0
 .SH PROTOCOLS
@@ -41,7 +40,7 @@ All TLS-based
 .SH EXAMPLE
 TODO
 .SH AVAILABILITY
-Added in 7.19.1
+This option is supported by the OpenSSL, GnuTLS, NSS and GSKit backends.
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
 .SH "SEE ALSO"
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index fbf4586e8..53412a1a2 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -53,6 +53,7 @@
 #include "select.h"
 #include "rawstr.h"
 #include "warnless.h"
+#include "x509asn1.h"
 #include "curl_printf.h"
 #include "curl_memory.h"
 /* The last #include file should be: */
@@ -837,6 +838,23 @@ gtls_connect_step3(struct connectdata *conn,
       infof(data, "\t common name: WARNING couldn't obtain\n");
   }
 
+  if(data->set.ssl.certinfo) {
+    unsigned int i;
+
+    result = Curl_ssl_init_certinfo(data, cert_list_size);
+    if(result)
+      return result;
+
+    for(i = 0; i < cert_list_size; i++) {
+      const char *beg = (const char *) chainp[i].data;
+      const char *end = beg + chainp[i].size;
+
+      result = Curl_extract_certinfo(conn, i, beg, end);
+      if(result)
+        return result;
+    }
+  }
+
   if(data->set.ssl.verifypeer) {
     /* This function will try to verify the peer's certificate and return its
        status (trusted, invalid etc.). The value of status should be one or
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
index af1cb5b10..dcae44225 100644
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@@ -57,6 +57,9 @@ bool Curl_gtls_cert_status_request(void);
 /* this backend supports the CAPATH option */
 #define have_curlssl_ca_path 1
 
+/* this backend supports CURLOPT_CERTINFO */
+#define have_curlssl_certinfo 1
+
 /* API setup for GnuTLS */
 #define curlssl_init Curl_gtls_init
 #define curlssl_cleanup Curl_gtls_cleanup
diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index 4d50f0e0c..8b32d6bf7 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
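Review bot: The new `if(data->set.ssl.certinfo)` block in gtls_connect_step3 indexes `chainp` without checking it, yet the context lines directly above it are the tail of the branch that logs "WARNING couldn't obtain" when the peer chain could not be retrieved and then falls through. Unless `cert_list_size` is guaranteed to be 0 on that path (not verifiable from the hunk), the loop dereferences a NULL `chainp`; guarding with `if(data->set.ssl.certinfo && chainp) {` makes the intent explicit either way. The loop index `i` and `cert_list_size` are `unsigned int` while `Curl_extract_certinfo` takes `int certnum` (visible in the x509asn1.h hunk), so the call relies on an implicit narrowing conversion that a short comment or explicit cast should document. This block also runs before the `verifypeer` check, so in GnuTLS builds the x509asn1.c DER parser now processes peer-supplied certificates ahead of any chain validation, consistent with the other backends but worth stating inline, e.g. `/* parse the raw DER chain exactly as presented by the peer, before verification */`. gtls_connect_step3 begins and ends outside this hunk.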
@@ -22,7 +22,7 @@
 
 #include "curl_setup.h"
 
-#if defined(USE_GSKIT) || defined(USE_NSS)
+#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS)
 
 #include
 #include "urldata.h"
@@ -209,7 +209,6 @@ static const char * octet2str(const char * beg, const char * end)
 }
 
 static const char * bit2str(const char * beg, const char * end)
-
 {
   /* Convert an ASN.1 bit string to a printable string.
      Return the dynamically allocated string, or NULL if an error occurs. */
@@ -1024,7 +1023,7 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
   return CURLE_OK;
 }
 
-#endif /* USE_GSKIT or USE_NSS */
+#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS */
 
 #if defined(USE_GSKIT)
diff --git a/lib/x509asn1.h b/lib/x509asn1.h
index 075c424f3..caa5f6f33 100644
--- a/lib/x509asn1.h
+++ b/lib/x509asn1.h
@@ -8,7 +8,7 @@
  * | (__| |_| | _ <| |___
  * \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -25,7 +25,7 @@
 
 #include "curl_setup.h"
 
-#if defined(USE_GSKIT) || defined(USE_NSS)
+#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS)
 
 #include "urldata.h"
 
@@ -127,5 +127,5 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum,
 CURLcode Curl_verifyhost(struct connectdata * conn,
                          const char * beg, const char * end);
 
-#endif /* USE_GSKIT or USE_NSS */
+#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS */
 #endif /* HEADER_CURL_X509ASN1_H */
--
cgit v1.2.3