[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnurl] 84/178: schannel: add client certificate authentica
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 84/178: schannel: add client certificate authentication |
Date: |
Wed, 23 May 2018 12:25:19 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit e35b0256eb34f1fe562e3e2a2615beb50a391c52
Author: Archangel_SDY <address@hidden>
AuthorDate: Sat Mar 10 23:40:00 2018 +0800
schannel: add client certificate authentication
Users can now specify a client certificate in system certificates store
explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`
Closes #2376
---
docs/libcurl/opts/CURLOPT_SSLCERT.3 | 3 +
lib/vtls/schannel.c | 121 +++++++++++++++++++++++++++++++++++-
2 files changed, 123 insertions(+), 1 deletion(-)
diff --git a/docs/libcurl/opts/CURLOPT_SSLCERT.3
b/docs/libcurl/opts/CURLOPT_SSLCERT.3
index 6e190dce1..3f40b73b9 100644
--- a/docs/libcurl/opts/CURLOPT_SSLCERT.3
+++ b/docs/libcurl/opts/CURLOPT_SSLCERT.3
@@ -38,6 +38,9 @@ you wish to authenticate with as it is named in the security
database. If you
want to use a file from the current directory, please precede it with "./"
prefix, in order to avoid confusion with a nickname.
+With WinSSL, this can be expression like "CurrentUser\\MY\\<thumbprint>" to
+refer to a certificate in the system certificates store.
+
When using a client certificate, you most likely also need to provide a
private key with \fICURLOPT_SSLKEY(3)\fP.
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 11fc401f9..cbcc9c532 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -92,6 +92,12 @@
#endif
#endif
+#ifdef UNICODE
+#define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_W
+#else
+#define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_A
+#endif
+
#ifndef SP_PROT_SSL2_CLIENT
#define SP_PROT_SSL2_CLIENT 0x00000008
#endif
@@ -124,6 +130,9 @@
#define CURL_SCHANNEL_BUFFER_INIT_SIZE 4096
#define CURL_SCHANNEL_BUFFER_FREE_SIZE 1024
+#define CERT_THUMBPRINT_STR_LEN 40
+#define CERT_THUMBPRINT_DATA_LEN 20
+
/* Uncomment to force verbose output
* #define infof(x, y, ...) printf(y, __VA_ARGS__)
* #define failf(x, y, ...) printf(y, __VA_ARGS__)
@@ -228,6 +237,56 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred,
struct connectdata *conn)
}
static CURLcode
+get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path,
+ TCHAR **thumbprint)
+{
+ TCHAR *sep;
+ size_t store_name_len;
+
+ sep = _tcschr(path, TEXT('\\'));
+ if(sep == NULL)
+ return CURLE_SSL_CONNECT_ERROR;
+
+ store_name_len = sep - path;
+
+ if(_tcsnccmp(path, TEXT("CurrentUser"), store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_CURRENT_USER;
+ else if(_tcsnccmp(path, TEXT("LocalMachine"), store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE;
+ else if(_tcsnccmp(path, TEXT("CurrentService"), store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_CURRENT_SERVICE;
+ else if(_tcsnccmp(path, TEXT("Services"), store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_SERVICES;
+ else if(_tcsnccmp(path, TEXT("Users"), store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_USERS;
+ else if(_tcsnccmp(path, TEXT("CurrentUserGroupPolicy"),
+ store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY;
+ else if(_tcsnccmp(path, TEXT("LocalMachineGroupPolicy"),
+ store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY;
+ else if(_tcsnccmp(path, TEXT("LocalMachineEnterprise"),
+ store_name_len) == 0)
+ *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE;
+ else
+ return CURLE_SSL_CONNECT_ERROR;
+
+ *store_path = sep + 1;
+
+ sep = _tcschr(*store_path, TEXT('\\'));
+ if(sep == NULL)
+ return CURLE_SSL_CONNECT_ERROR;
+
+ *sep = 0;
+
+ *thumbprint = sep + 1;
+ if(_tcslen(*thumbprint) != CERT_THUMBPRINT_STR_LEN)
+ return CURLE_SSL_CONNECT_ERROR;
+
+ return CURLE_OK;
+}
+
+static CURLcode
schannel_connect_step1(struct connectdata *conn, int sockindex)
{
ssize_t written = -1;
@@ -241,6 +300,7 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
unsigned char alpn_buffer[128];
#endif
SCHANNEL_CRED schannel_cred;
+ PCCERT_CONTEXT client_certs[1] = { NULL };
SECURITY_STATUS sspi_status = SEC_E_OK;
struct curl_schannel_cred *old_cred = NULL;
struct in_addr addr;
@@ -309,7 +369,7 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
/* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
if(data->set.ssl.no_revoke)
schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
- SCH_CRED_IGNORE_REVOCATION_OFFLINE;
+ SCH_CRED_IGNORE_REVOCATION_OFFLINE;
else
schannel_cred.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN;
#endif
@@ -361,11 +421,67 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
return CURLE_SSL_CONNECT_ERROR;
}
+ /* client certificate */
+ if(data->set.ssl.cert) {
+ DWORD cert_store_name;
+ TCHAR *cert_store_path;
+ TCHAR *cert_thumbprint_str;
+ CRYPT_HASH_BLOB cert_thumbprint;
+ BYTE cert_thumbprint_data[CERT_THUMBPRINT_DATA_LEN];
+ HCERTSTORE cert_store;
+
+ TCHAR *cert_path = Curl_convert_UTF8_to_tchar(data->set.ssl.cert);
+ if(!cert_path)
+ return CURLE_OUT_OF_MEMORY;
+
+ result = get_cert_location(cert_path, &cert_store_name,
+ &cert_store_path, &cert_thumbprint_str);
+ if(result != CURLE_OK) {
+ Curl_unicodefree(cert_path);
+ return result;
+ }
+
+ cert_store = CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0, NULL,
+ cert_store_name, cert_store_path);
+ if(!cert_store) {
+ Curl_unicodefree(cert_path);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ cert_thumbprint.pbData = cert_thumbprint_data;
+ cert_thumbprint.cbData = CERT_THUMBPRINT_DATA_LEN;
+
+ if(!CryptStringToBinary(cert_thumbprint_str, CERT_THUMBPRINT_STR_LEN,
+ CRYPT_STRING_HEXRAW,
+ cert_thumbprint_data, &cert_thumbprint.cbData,
+ NULL, NULL)) {
+ Curl_unicodefree(cert_path);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ client_certs[0] = CertFindCertificateInStore(
+ cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
+ CERT_FIND_HASH, &cert_thumbprint, NULL);
+
+ Curl_unicodefree(cert_path);
+
+ if(client_certs[0]) {
+ schannel_cred.cCreds = 1;
+ schannel_cred.paCred = client_certs;
+ }
+
+ CertCloseStore(cert_store, 0);
+ }
+
/* allocate memory for the re-usable credential handle */
BACKEND->cred = (struct curl_schannel_cred *)
calloc(1, sizeof(struct curl_schannel_cred));
if(!BACKEND->cred) {
failf(data, "schannel: unable to allocate memory");
+
+ if(client_certs[0])
+ CertFreeCertificateContext(client_certs[0]);
+
return CURLE_OUT_OF_MEMORY;
}
BACKEND->cred->refcount = 1;
@@ -379,6 +495,9 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
&BACKEND->cred->cred_handle,
&BACKEND->cred->time_stamp);
+ if(client_certs[0])
+ CertFreeCertificateContext(client_certs[0]);
+
if(sspi_status != SEC_E_OK) {
if(sspi_status == SEC_E_WRONG_PRINCIPAL)
failf(data, "schannel: SNI or certificate check failed: %s",
--
To stop receiving notification emails like this one, please contact
address@hidden
- [GNUnet-SVN] [gnurl] 157/178: travis: add build using NSS, (continued)
- [GNUnet-SVN] [gnurl] 157/178: travis: add build using NSS, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 150/178: vtls: fix missing commas, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 153/178: RELEASE-NOTES: synced, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 160/178: cookies: do not take cookie name as a parameter, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 166/178: tests: Fix format specifiers, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 171/178: http2: use the correct function pointer typedef, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 167/178: ntlm: Fix format specifiers, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 77/178: system.h: Add sparcv8plus to oracle/sunpro 32-bit detection, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 80/178: test1148: tolerate progress updates better, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 65/178: test1136: fix cookie order after commit c990eadd1277, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 84/178: schannel: add client certificate authentication,
gnunet <=
- [GNUnet-SVN] [gnurl] 74/178: duphandle: make sure CURLOPT_RESOLVE is duplicated fine too, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 66/178: winbuild: updated the documentation, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 79/178: ssh: show libSSH2 error code when closing fails, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 92/178: detect_proxy: only show proxy use if it had contents, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 82/178: configure: keep LD_LIBRARY_PATH changes local, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 96/178: http2: avoid strstr() on data not zero terminated, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 93/178: ftplistparser: keep state between invokes, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 112/178: examples/http2-upload: expand buffer to avoid silly warning, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 104/178: http2: convert an assert to run-time check, gnunet, 2018/05/23
- [GNUnet-SVN] [gnurl] 97/178: http2: clear the "drain counter" when a stream is closed, gnunet, 2018/05/23