
curl with GnuTLS doesn't support pkcs1{1,2} #14925

Closed
sergiodj opened this issue Sep 15, 2024 · 6 comments

Comments

@sergiodj

I did this

Hi,

This is the upstream counterpart of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077060.

As you're probably aware, recently Debian has made a decision to link curl against libcurl built with GnuTLS support (instead of OpenSSL), and we're now in the process of collecting feedback from the community about possible issues with the transition.

Something that was raised recently was that the support for pkcs11 and pkcs12 stopped working with GnuTLS. Upon closer inspection of curl's code, I noticed that it doesn't seem to make use of the primitives (pkcs11 and pkcs12) necessary for implementing support for such standards.

I expected the following

It would be great if we could have proper support for pkcs1{1,2}. I believe this is one of the most important features that is missing from the GnuTLS version of curl.

curl/libcurl version

The downstream bug was filed against version 8.9.1-2, but the GnuTLS support code still doesn't have pkcs* support on master.

operating system

Debian GNU/Linux

@sergiodj
Author

Cc @samueloph @charles2910 @guilherme-puida

@tatsuhiro-t
Contributor

#14991 adds PKCS#12 support.

As for PKCS#11, the documentation of gnutls_certificate_set_x509_key_file2, which curl currently uses when password is given, says it supports PKCS#11 URI:

In case the certfile is provided as a PKCS 11 URL, then the certificate, and its present issuers in the token are imported (i.e., forming the required trust chain).

With some adjustment, curl might be able to support PKCS#11 as well, but I am not an expert in this area and do not know how to test this stuff.

@tatsuhiro-t
Contributor

I set up softhsm2 and imported a private key and certificate, and then giving pkcs#11 to curl just works:

curl --cert 'pkcs11:URL' --pass <PIN> https://...
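The verification sketched in the comment above, written out as an added example (not code from the issue or from the curl project): it checks that the local curl is a GnuTLS build, provisions a SoftHSM2 token with GnuTLS' p11tool, and issues the same `--cert 'pkcs11:URL' --pass <PIN>` invocation. The SoftHSM2 module path, the `key.pem`/`cert.pem` files, the token and object labels, the test PIN and `TARGET_URL` are all assumptions.

```shell
# Added example: reproduce the SoftHSM2 check from the comment above. Assumptions
# (not from the issue): the SoftHSM2 module path below, key.pem and cert.pem in the
# working directory, TARGET_URL naming a TLS server that requests a client cert.
set -eu

SOFTHSM_MODULE="${SOFTHSM_MODULE:-/usr/lib/softhsm/libsofthsm2.so}"
TOKEN_LABEL="curltest"
OBJECT_LABEL="curlclient"   # same label for the key and the certificate
PIN="1234"                  # constructed test PIN

# Succeed when a `curl --version` banner names GnuTLS as the TLS backend
# (passed as an argument so the check can be exercised on a constructed line).
curl_uses_gnutls() {
    printf '%s\n' "$1" | head -n 1 | grep -q 'GnuTLS/'
}

# The 'pkcs11:URL' placeholder from the comment spelled out with token and object
# attributes; GnuTLS picks the certificate or the private key as curl asks for each.
pkcs11_uri() {
    printf 'pkcs11:token=%s;object=%s' "$1" "$2"
}

# The curl invocation from the comment: --cert takes the URI and --pass the PIN;
# with no --key, curl reuses the --cert value as the key location.
curl_command() {
    printf "curl --cert '%s' --pass '%s' '%s'" "$(pkcs11_uri "$1" "$2")" "$3" "$4"
}

# Create a token and import key and certificate with GnuTLS' p11tool.
provision_token() {
    softhsm2-util --init-token --free --label "$TOKEN_LABEL" --pin "$PIN" --so-pin "$PIN"
    for obj in "--load-privkey key.pem" "--load-certificate cert.pem"; do
        GNUTLS_PIN="$PIN" p11tool --provider "$SOFTHSM_MODULE" --login --write \
            $obj --label "$OBJECT_LABEL" "pkcs11:token=$TOKEN_LABEL"   # $obj splits on purpose
    done
    GNUTLS_PIN="$PIN" p11tool --provider "$SOFTHSM_MODULE" --login --list-all \
        "pkcs11:token=$TOKEN_LABEL"   # prints the object URLs curl can be given
}

main() {
    curl_uses_gnutls "$(curl --version 2>/dev/null || true)" ||
        { echo "curl is not built against GnuTLS; nothing to test" >&2; return 0; }
    command -v softhsm2-util >/dev/null && command -v p11tool >/dev/null ||
        { echo "softhsm2-util/p11tool not installed; skipping token setup" >&2; return 0; }
    [ -n "${TARGET_URL:-}" ] || { echo "set TARGET_URL to run the TLS handshake" >&2; return 0; }
    provision_token
    eval "$(curl_command "$TOKEN_LABEL" "$OBJECT_LABEL" "$PIN" "$TARGET_URL")"
}
main
```

A curl built against OpenSSL fails the first check and the script exits without touching any token, which is the quickest way to tell the two Debian builds apart.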

@tatsuhiro-t
Contributor

@sergiodj PKCS#12 support will be available in the next curl release. GnuTLS backend should have already supported PKCS#11 with --cert option.
I think we can close this issue now.

@sergiodj
Author

Hi @tatsuhiro-t,

Thanks for the feedback and for implementing the feature! Much appreciated.

I see that @charles2910 already notified the reporters in the Debian bug, which is good because they have the proper setup to test things. We'll let you know if there's any problem.

Cheers.

@bagder
Member

bagder commented Oct 3, 2024

Closing this, as it seems it supports both (now).

@bagder bagder closed this as completed Oct 3, 2024