Hello,

With the ecore_con_url module, an application can take advantage of SSL/TLS connections (using HTTPS requests for instance) in order to exchange sensitive data with a server. However, the connection will always fail if the server certificate isn't signed by a certificate authority (CA) that is trusted by the system on which the application is run. There's no way to specify a custom CA to identify a specific server, or to disable CA validation for a specific connection. Also, it's not always possible (or a good solution) to add CAs to the ones the target system trusts, because admin rights are needed to do so most of the time.

The attached patch adds a method to specify custom CAs to be used for validating the server certificate of a specific SSL-based request in order to fix the above-mentioned issue. That method may also be used to completely disable CA validation for the server certificate when server identification isn't needed. The javascript binding for that method is also included at the end of the patch.

Please, consider that patch for inclusion in the trunk.

Regards.

--
PnB
Index: ecore/src/lib/ecore_con/ecore_con_url.c
===================================================================
--- ecore/src/lib/ecore_con/ecore_con_url.c     (revision 55780)
+++ ecore/src/lib/ecore_con/ecore_con_url.c     (working copy)
@@ -1061,6 +1061,55 @@
 }
 
 /**
+ * Set a custom CA to trust for SSL/TLS connections.
+ * 
+ * Specify the path of a file (in PEM format) containing one or more
+ * CA certificate(s) to use for the validation of the server certificate.
+ * 
+ * This function can also disable CA validation if @p ca_path is @c NULL.
+ * However, the server certificate still needs to be valid for the connection
+ * to succeed (i.e., the certificate must concern the server the
+ * connection is made to).
+ * 
+ * @param url_con Connection object that will use the custom CA.
+ * @param ca_path Path to a CA certificate(s) file or @c NULL to disable
+ *                CA validation.
+ * 
+ * @return  @c 0 on success. When cURL is used, non-zero return values
+ *          are equal to cURL error codes.
+ */
+EAPI int
+ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con, const char *ca_path)
+{
+   int res = -1;
+
+#ifdef HAVE_CURL
+   if (!ECORE_MAGIC_CHECK(url_con, ECORE_MAGIC_CON_URL))
+     {
+       ECORE_MAGIC_FAIL(url_con, ECORE_MAGIC_CON_URL, 
"ecore_con_url_ssl_ca_set");
+            return -1;
+     }
+
+   if (url_con->active) return -1;
+   if (!url_con->url) return -1;
+   if (ca_path == NULL)
+     res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 0);
+   else
+     {
+       res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 1);
+       if (!res)
+         res = curl_easy_setopt(url_con->curl_easy, CURLOPT_CAINFO, ca_path);
+   }
+#else
+   (void)url_con;
+   (void)ca_path;
+#endif
+
+   return res;
+}
+
+
+/**
  * @}
  */
 
Index: ecore/src/lib/ecore_con/Ecore_Con.h
===================================================================
--- ecore/src/lib/ecore_con/Ecore_Con.h (revision 55780)
+++ ecore/src/lib/ecore_con/Ecore_Con.h (working copy)
@@ -524,6 +524,8 @@
                                                  Eina_Bool verbose);
 EAPI void              ecore_con_url_ftp_use_epsv_set(Ecore_Con_Url *url_con,
                                                       Eina_Bool use_epsv);
+EAPI int               ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con,
+                                                const char *ca_path);
 
 /**
  * @}
 
Index: BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c
===================================================================
--- BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c       
(revision 55780)
+++ BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c       
(working copy)
@@ -1610,6 +1610,27 @@
    return JS_TRUE;
 }
 
+static JSBool
+elixir_ecore_con_url_ssl_ca_set(JSContext *cx, uintN argc, jsval *vp)
+{
+   Ecore_Con_Url *curl;
+   const char *filename;
+   const char *user;
+   const char *pass;
+   const char *upload_dir;
+   elixir_value_t val[2];
+
+   if (!elixir_params_check(cx, _ecore_con_url_string_params, val, argc, 
JS_ARGV(cx, vp)))
+     return JS_FALSE;
+
+   GET_PRIVATE(cx, val[0].v.obj, curl);
+   filename = elixir_file_canonicalize(elixir_get_string_bytes(val[1].v.str, 
NULL));
+
+   JS_SET_RVAL(cx, vp, INT_TO_JSVAL(ecore_con_url_ssl_ca_set(curl, filename)));
+
+   return JS_TRUE;
+}
+
 static void
 _elixir_ecore_con_lookup_cb(const char *canonname,
                            const char *ip,
@@ -1717,6 +1738,7 @@
   ELIXIR_FN(ecore_con_url_time, 3, JSPROP_ENUMERATE, 0 ),
   ELIXIR_FN(ecore_con_url_ftp_upload, 4, JSPROP_ENUMERATE, 0 ),
   ELIXIR_FN(ecore_con_lookup, 3, JSPROP_ENUMERATE, 0),
+  ELIXIR_FN(ecore_con_url_ssl_ca_set, 2, JSPROP_ENUMERATE, 0 ),
   JS_FS_END
 };
 
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel

Reply via email to