On Thu, Sep 20, 2012 at 02:31:08PM -0400, Andrew Prout wrote:
> The attached patch adds a new option for curl_easy_setopt:
> CURLOPT_SSLENGINE_WITH_OPT. It'd be nice if this feature could be
> merged into libcurl. It's a variation of CURLOPT_SSLENGINE that lets
> you set the pre and post engine init commands to be passed to OpenSSL.
> More info is available at:
> http://www.openssl.org/docs/crypto/engine.html#Advanced_configuration_support
>
> The patch was originally written for libcurl v7.22, but I've updated
> the option ID to avoid conflicts and it applies & compiles against
> v7.27.
>
> Below is a simplified example of a program that uses the dynamic
> engine to load a PKCS#11 based on the "Using Engine_pkcs11 with the
> openssl command" example from:
> http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
>
> -Andrew Prout
>
> ----------------------
>
> CURL *ch = NULL;
> struct curl_sslengineinfo ei;
> char *preopts[] = {
>     "SO_PATH", "/usr/lib64/openssl/engines/engine_pkcs11.so",
>     "ID", "pkcs11",
>     "LIST_ADD", "1",
>     "LOAD", NULL,
>     "MODULE_PATH", "/path/to/my/pkcs11.so",
>     NULL };
> // ID field from PKCS#11 library, use pkcs11-tool to discover
> char *CertID = "d3a805a58810fbe89ece27d9f5e3170e61eb3e2b";
>
> ei.enginename = "dynamic";
> ei.preopt = preopts;
> ei.postopt = NULL;
>
> curl_global_init(CURL_GLOBAL_ALL);
> ch = curl_easy_init();
> curl_easy_setopt(ch, CURLOPT_URL, "https://localhost/restricted");
> curl_easy_setopt(ch, CURLOPT_SSLENGINE_WITH_OPT, &ei);
> curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "ENG");
> curl_easy_setopt(ch, CURLOPT_SSLCERT, CertID);
> curl_easy_setopt(ch, CURLOPT_SSLKEYTYPE, "ENG");
> curl_easy_setopt(ch, CURLOPT_SSLKEY, CertID);
> curl_easy_perform(ch);
I can see the need for this option, but this patch stands out as not being
in the same style as other libcurl options. Passing in a struct, creating a
NULL-terminated pointer list, and setting three separate options at once
are all examples of this. I suggest separating the pre and post options
into two separate curl_easy_setopt calls and leaving the CURLOPT_SSLENGINE
option alone. And I suggest using one of the existing list types to store
the name/value list pairs.

The struct curl_slist type is the obvious one to use for this, but the fact
that the contents are paired almost makes me want to abuse struct
curl_httppost instead. There's actually a pretty good mapping between what's
required for these options and the curl_httppost types; CURLFORM_COPYNAME
would contain the name part of each option, and CURLFORM_COPYCONTENTS would
contain the value part. As elegant as that would be, it may be abusing the
intended use of this type a bit too much.

>>> Dan

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
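To make the reviewer's curl_slist suggestion concrete, here is an added example (written for this page, not code from the thread, the attached patch, or libcurl) of how engine commands could be carried as alternating NAME/VALUE entries in a curl_slist and consumed in order. The `struct curl_slist` layout mirrors libcurl's public type, but the append/free helpers, `apply_engine_cmds`, and the recording callback are assumptions for this example. The callback's shape follows OpenSSL's `ENGINE_ctrl_cmd_string(e, cmd_name, arg, cmd_optional)`, which is what real libcurl code would call; using a callback lets the example build and run without libcrypto. Because a curl_slist cannot hold a NULL entry, an empty value is treated as "no argument" (the page's own example passes NULL to LOAD); a list with a name but no value is rejected before any further command runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as libcurl's public struct curl_slist (curl/curl.h). */
struct curl_slist {
  char *data;
  struct curl_slist *next;
};

/* Minimal stand-in for curl_slist_append(): appends a copy of s. */
static struct curl_slist *slist_append(struct curl_slist *list, const char *s)
{
  struct curl_slist *node = malloc(sizeof *node), *it;
  if (!node) return NULL;
  node->data = strdup(s);
  node->next = NULL;
  if (!node->data) { free(node); return NULL; }
  if (!list) return node;
  for (it = list; it->next; it = it->next) ;
  it->next = node;
  return list;
}

static void slist_free_all(struct curl_slist *list)
{
  while (list) {
    struct curl_slist *n = list->next;
    free(list->data); free(list); list = n;
  }
}

/* Shaped like ENGINE_ctrl_cmd_string(e, name, arg, 0); returns nonzero on
 * success.  Hypothetical indirection so the example runs without OpenSSL. */
typedef int (*engine_cmd_fn)(void *engine, const char *name, const char *arg);

/* Walk the list two entries at a time (NAME, VALUE).  An empty VALUE means
 * "no argument".  Returns 0 on success, -1 on an odd-length list or a
 * failed command; stops at the first failure so later commands never run
 * against a half-configured engine. */
static int apply_engine_cmds(const struct curl_slist *cmds,
                             engine_cmd_fn cmd, void *engine)
{
  for (; cmds; cmds = cmds->next->next) {
    const char *arg;
    if (!cmds->next) {
      fprintf(stderr, "engine command '%s' has no value\n", cmds->data);
      return -1;
    }
    arg = cmds->next->data[0] ? cmds->next->data : NULL;
    if (!cmd(engine, cmds->data, arg)) {
      fprintf(stderr, "engine command '%s' failed\n", cmds->data);
      return -1;
    }
  }
  return 0;
}

/* Recording callback used in place of a real ENGINE so the sequence of
 * issued commands can be inspected. */
struct recorder { char log[512]; int calls; };
static struct recorder g_rec;

static int record_cmd(void *engine, const char *name, const char *arg)
{
  struct recorder *r = engine;
  size_t used = strlen(r->log);
  snprintf(r->log + used, sizeof r->log - used, "%s=%s;",
           name, arg ? arg : "<none>");
  r->calls++;
  return 1;
}

/* Builds the pre-init list from the thread's example (paths are the
 * page's placeholders) and applies it. */
static int demo(struct recorder *r)
{
  struct curl_slist *pre = NULL;
  int rc;
  pre = slist_append(pre, "SO_PATH");
  pre = slist_append(pre, "/usr/lib64/openssl/engines/engine_pkcs11.so");
  pre = slist_append(pre, "ID");
  pre = slist_append(pre, "pkcs11");
  pre = slist_append(pre, "LIST_ADD");
  pre = slist_append(pre, "1");
  pre = slist_append(pre, "LOAD");
  pre = slist_append(pre, "");          /* LOAD takes no argument */
  pre = slist_append(pre, "MODULE_PATH");
  pre = slist_append(pre, "/path/to/my/pkcs11.so");
  memset(r, 0, sizeof *r);
  rc = apply_engine_cmds(pre, record_cmd, r);
  slist_free_all(pre);
  return rc;
}

/* A name with no value (odd-length list) must be rejected. */
static int demo_odd(struct recorder *r)
{
  struct curl_slist *pre = NULL;
  int rc;
  pre = slist_append(pre, "SO_PATH");
  pre = slist_append(pre, "/usr/lib64/openssl/engines/engine_pkcs11.so");
  pre = slist_append(pre, "LOAD");
  memset(r, 0, sizeof *r);
  rc = apply_engine_cmds(pre, record_cmd, r);
  slist_free_all(pre);
  return rc;
}

int main(void)
{
  int rc = demo(&g_rec);
  printf("rc=%d calls=%d log=%s\n", rc, g_rec.calls, g_rec.log);
  rc = demo_odd(&g_rec);
  printf("odd list: rc=%d calls=%d\n", rc, g_rec.calls);
  return 0;
}
```

The pairing check matters more than it looks: with the patch's flat NULL-terminated array, a dropped entry silently shifts every later value into a name position, and an engine command such as MODULE_PATH would receive the wrong path; rejecting an odd-length list up front turns that into an immediate, visible error.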