[E-devel] [PATCH] [ecore_con_url] Add CA validation control with SSL connections
Hello,

With the ecore_con_url module, an application can take advantage of SSL/TLS connections (using HTTPS requests for instance) in order to exchange sensitive data with a server. However, the connection will always fail if the server certificate isn't signed by a certificate authority (CA) that is trusted by the system on which the application is run. There's no way to specify a custom CA to identify a specific server, or to disable CA validation for a specific connection. Also, it's not always possible (or a good solution) to add CAs to the ones the target system trusts, because admin rights are needed to do so most of the time.

The attached patch adds a method to specify custom CAs to be used for validating the server certificate of a specific SSL-based request in order to fix the above-mentioned issue. That method may also be used to completely disable CA validation for the server certificate when server identification isn't needed.
The javascript binding for that method is also included at the end of the patch.

Please, consider that patch for inclusion in the trunk.

Regards.

--
PnB

Index: ecore/src/lib/ecore_con/ecore_con_url.c === --- ecore/src/lib/ecore_con/ecore_con_url.c (revision 55780) +++ ecore/src/lib/ecore_con/ecore_con_url.c (working copy) 
@@ -1061,6 +1061,55 @@ } /** + * Set a custom CA to trust for SSL/TLS connections. + * + * Specify the path of a file (in PEM format) containing one or more + * CA certificate(s) to use for the validation of the server certificate. + * + * This function can also disable CA validation if @p ca_path is @c NULL. + * However, the server certificate still needs to be valid for the connection + * to succeed (i.e., the certificate must concern the server the + * connection is made to). + * + * @param url_con Connection object that will use the custom CA. + * @param ca_path Path to a CA certificate(s) file or @c NULL to disable + *CA validation. + * + * @return @c 0 on success. When cURL is used, non-zero return values + * are equal to cURL error codes. + */ +EAPI int +ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con, const char *ca_path) +{ + int res = -1; + +#ifdef HAVE_CURL + if (!ECORE_MAGIC_CHECK(url_con, ECORE_MAGIC_CON_URL)) + { + ECORE_MAGIC_FAIL(url_con, ECORE_MAGIC_CON_URL, "ecore_con_url_ssl_ca_set"); +return -1; + } + + if (url_con->active) return -1; + if (!url_con->url) return -1; + if (ca_path == NULL) + res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 0); + else + { + res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 1); + if (!res) + res = curl_easy_setopt(url_con->curl_easy, CURLOPT_CAINFO, ca_path); + } +#else + (void)url_con; + (void)ca_path; +#endif + + return res; +} + + +/** * @} */ Index: ecore/src/lib/ecore_con/Ecore_Con.h === --- ecore/src/lib/ecore_con/Ecore_Con.h (revision 55780) +++ ecore/src/lib/ecore_con/Ecore_Con.h (working copy) 
@@ -524,6 +524,8 @@ Eina_Bool verbose); EAPI void ecore_con_url_ftp_use_epsv_set(Ecore_Con_Url *url_con, Eina_Bool use_epsv); +EAPI int ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con, +const char *ca_path); /** * @} Index: BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c === --- BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c (revision 55780) +++ BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c (working copy) @@ -1610,6 +1610,27 @@ return JS_TRUE; } +static JSBool +elixir_ecore_con_url_ssl_ca_set(JSContext *cx, uintN argc, jsval *vp) +{ + Ecore_Con_Url *curl; + const char *filename; + const char *user; + const char *pass; + const char *upload_dir; + elixir_value_t val[2]; + + if (!elixir_params_check(cx, _ecore_con_url_string_params, val, argc, JS_ARGV(cx, vp))) + return JS_FALSE; + + GET_PRIVATE(cx, val[0].v.obj, curl); + filename = elixir_file_canonicalize(elixir_get_string_bytes(val[1].v.str, NULL)); + + JS_SET_RVAL(cx, vp, INT_TO_JSVAL(ecore_con_url_ssl_ca_set(curl, filename))); + + return JS_TRUE; +} + static void _elixir_ecore_con_lookup_cb(const char *canonname, const char *ip, @@ -1717,6 +1738,7 @@ ELIXIR_FN(ecore_con_url_time, 3, JSPROP_ENUMERATE, 0 ), ELIXIR_FN(ecore_con_url_ftp_upload, 4, JSPROP_ENUMERATE, 0 ), ELIXIR_FN(ecore_con_lookup, 3, JSPROP_ENUMERATE, 0), + ELIXIR_FN(ecore_con_url_ssl_ca_set, 2, JSPROP_ENUMERATE, 0 ), JS_FS_END }; ---
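Review bot: In ecore_con_url.c, the `if (ca_path == NULL)` branch of ecore_con_url_ssl_ca_set() makes a NULL path mean "turn CURLOPT_SSL_VERIFYPEER off", so any caller whose path lookup fails and yields NULL silently disables certificate validation while still getting 0 back. I would split this into two entry points (one that sets CURLOPT_CAINFO and rejects NULL, one explicit boolean setter for peer verification) so that disabling validation is always a deliberate call. Two smaller things in the same function: libcurl reads CURLOPT_SSL_VERIFYPEER as a long, so the literals should be `0L` and `1L` rather than `0` and `1`; and the doc comment's statement that the certificate "still needs to be valid" with a NULL path should say that only the host name match is still checked, which does not authenticate the server once the chain is not verified.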
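Review bot: In Ecore_Con.h, the new prototype returns `int` carrying cURL error codes, whereas the neighbouring `ecore_con_url_ftp_use_epsv_set()` visible in the same context exposes only Ecore/Eina types. Returning raw libcurl codes ties the public API to the HAVE_CURL backend, and the function also returns -1 for its own precondition failures and for builds without cURL, so the return value mixes two conventions. An `Eina_Bool` success flag would be consistent with the rest of the header.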
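Review bot: In elixir_ecore_con_url_ssl_ca_set(), the result of elixir_file_canonicalize() is passed straight to ecore_con_url_ssl_ca_set() with no NULL check. Because a NULL path disables CA validation in the C function, a path that fails to canonicalize (if that helper returns NULL on failure, which is not visible in this patch) would switch verification off from script code that asked for a custom CA. Check `filename` and return an error to the script instead. The locals `user`, `pass` and `upload_dir` are unused and look copied from another binding; drop them.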
Re: [E-devel] [PATCH] [ecore_con_url] Add CA validation control with SSL connections
On Thursday 30 December 2010 14:32:30 PnB wrote:
> Hello,
>
> With the ecore_con_url module, an application can take advantage of
> SSL/TLS connections (using HTTPS requests for instance) in order to
> exchange sensitive data with a server. However, the connection will
> always fail if the server certificate isn't signed by a certificate
> authority (CA) that is trusted by the system on which the application is
> run. There's no way to specify a custom CA to identify a specific
> server, or to disable CA validation for a specific connection. Also,
> it's not always possible (or a good solution) to add CAs to the ones the
> target system trusts, because admin rights are needed to do so most of
> the time.
>
> The attached patch adds a method to specify custom CAs to be used for
> validating the server certificate of a specific SSL-based request in
> order to fix the above-mentioned issue. That method may also be used to
> completely disable CA validation for the server certificate when server
> identification isn't needed.
> The javascript binding for that method is also included at the end of
> the patch.
>
> Please, consider that patch for inclusion in the trunk.

From what I see, it will replace the CA bundle it originally uses, right?
Doesn't it mean the original certificates will not be read anymore?

Coding style-wise, the "}" for the else in ecore_con_url_ssl_ca_set is not
aligned correctly.

Trunk-wise, I wonder if this will have to wait for 1.0 to be included, as it
is a new feature?
-- Raphael Kubo da Costa ProFUSION embedded systems http://profusion.mobi -- Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption http://p.sf.net/sfu/oracle-sfdevnl ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
Re: [E-devel] [PATCH] [ecore_con_url] Add CA validation control with SSL connections
On Thu, 30 Dec 2010 15:16:47 -0200 Raphael Kubo da Costa wrote:
> On Thursday 30 December 2010 14:32:30 PnB wrote:
> > Hello,
> >
> > With the ecore_con_url module, an application can take advantage of
> > SSL/TLS connections (using HTTPS requests for instance) in order to
> > exchange sensitive data with a server. However, the connection will
> > always fail if the server certificate isn't signed by a certificate
> > authority (CA) that is trusted by the system on which the application is
> > run. There's no way to specify a custom CA to identify a specific
> > server, or to disable CA validation for a specific connection. Also,
> > it's not always possible (or a good solution) to add CAs to the ones the
> > target system trusts, because admin rights are needed to do so most of
> > the time.
> >
> > The attached patch adds a method to specify custom CAs to be used for
> > validating the server certificate of a specific SSL-based request in
> > order to fix the above-mentioned issue. That method may also be used to
> > completely disable CA validation for the server certificate when server
> > identification isn't needed.
> > The javascript binding for that method is also included at the end of
> > the patch.
> >
> > Please, consider that patch for inclusion in the trunk.
>
> From what I see, it will replace the CA bundle it originally uses, right?
> Doesn't it mean the original certificates will not be read anymore?
>
> Coding style-wise, the "}" for the else in ecore_con_url_ssl_ca_set is not
> aligned correctly.
>
> Trunk-wise, I wonder if this will have to wait for 1.0 to be included, as it
> is a new feature?
>

Feature. Freeze. Save it before Vincent attacks you :)

--
Mike Blumenkrantz
Zentific: We run the three-legged race individually.
Re: [E-devel] [PATCH] [ecore_con_url] Add CA validation control with SSL connections
On 30/12/2010 18:16, Raphael Kubo da Costa wrote:
> From what I see, it will replace the CA bundle it originally uses, right?
> Doesn't it mean the original certificates will not be read anymore?

Yes. But it only affects the ecore_con_url you set it on, so it shouldn't break anything I guess. It will be up to the application (or its user) to decide whether it wants to use (or trust) the system CAs or its own.

> Coding style-wise, the "}" for the else in ecore_con_url_ssl_ca_set is not
> aligned correctly.

Sorry about that. I fixed it in the attachment (as well as another indentation issue).

> Trunk-wise, I wonder if this will have to wait for 1.0 to be included, as it
> is a new feature?

Actually, it looks more like an interface to a stable libcurl feature than a new feature to me. But I can wait though.

Regards.

--
PnB

Index: ecore/src/lib/ecore_con/ecore_con_url.c === --- ecore/src/lib/ecore_con/ecore_con_url.c (revision 55780) +++ ecore/src/lib/ecore_con/ecore_con_url.c (working copy) 
@@ -1061,6 +1061,55 @@ } /** + * Set a custom CA to trust for SSL/TLS connections. + * + * Specify the path of a file (in PEM format) containing one or more + * CA certificate(s) to use for the validation of the server certificate. + * + * This function can also disable CA validation if @p ca_path is @c NULL. + * However, the server certificate still needs to be valid for the connection + * to succeed (i.e., the certificate must concern the server the + * connection is made to). + * + * @param url_con Connection object that will use the custom CA. + * @param ca_path Path to a CA certificate(s) file or @c NULL to disable + *CA validation. + * + * @return @c 0 on success. When cURL is used, non-zero return values + * are equal to cURL error codes. + */ +EAPI int +ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con, const char *ca_path) +{ + int res = -1; + +#ifdef HAVE_CURL + if (!ECORE_MAGIC_CHECK(url_con, ECORE_MAGIC_CON_URL)) + { + ECORE_MAGIC_FAIL(url_con, ECORE_MAGIC_CON_URL, "ecore_con_url_ssl_ca_set"); + return -1; + } + + if (url_con->active) return -1; + if (!url_con->url) return -1; + if (ca_path == NULL) + res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 0); + else + { + res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 1); + if (!res) + res = curl_easy_setopt(url_con->curl_easy, CURLOPT_CAINFO, ca_path); + } +#else + (void)url_con; + (void)ca_path; +#endif + + return res; +} + + +/** * @} */ Index: ecore/src/lib/ecore_con/Ecore_Con.h === --- ecore/src/lib/ecore_con/Ecore_Con.h (revision 55780) +++ ecore/src/lib/ecore_con/Ecore_Con.h (working copy) 
@@ -524,6 +524,8 @@ Eina_Bool verbose); EAPI void ecore_con_url_ftp_use_epsv_set(Ecore_Con_Url *url_con, Eina_Bool use_epsv); +EAPI int ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con, +const char *ca_path); /** * @} Index: BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c === --- BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c (revision 55780) +++ BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c (working copy) @@ -1610,6 +1610,27 @@ return JS_TRUE; } +static JSBool +elixir_ecore_con_url_ssl_ca_set(JSContext *cx, uintN argc, jsval *vp) +{ + Ecore_Con_Url *curl; + const char *filename; + const char *user; + const char *pass; + const char *upload_dir; + elixir_value_t val[2]; + + if (!elixir_params_check(cx, _ecore_con_url_string_params, val, argc, JS_ARGV(cx, vp))) + return JS_FALSE; + + GET_PRIVATE(cx, val[0].v.obj, curl); + filename = elixir_file_canonicalize(elixir_get_string_bytes(val[1].v.str, NULL)); + + JS_SET_RVAL(cx, vp, INT_TO_JSVAL(ecore_con_url_ssl_ca_set(curl, filename))); + + return JS_TRUE; +} + static void _elixir_ecore_con_lookup_cb(const char *canonname, const char *ip, @@ -1717,6 +1738,7 @@ ELIXIR_FN(ecore_con_url_time, 3, JSPROP_ENUMERATE, 0 ), ELIXIR_FN(ecore_con_url_ftp_upload, 4, JSPROP_ENUMERATE, 0 ), ELIXIR_FN(ecore_con_lookup, 3, JSPROP_ENUMERATE, 0), + ELIXIR_FN(ecore_con_url_ssl_ca_set, 2, JSPROP_ENUMERATE, 0 ), JS_FS_END }; -- Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disru
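Review bot: In the revised ecore_con_url.c hunk, the doc comment for ecore_con_url_ssl_ca_set() does not say that the file given in ca_path replaces the default CA bundle for this Ecore_Con_Url rather than adding to it, which is the behaviour confirmed in the reply above. Please state that in the comment, and also document the -1 returned on the ECORE_MAGIC_CHECK, `url_con->active` and `!url_con->url` paths, since the @return text currently mentions only 0 and cURL error codes. There is also no call that goes back to the default bundle once a custom file has been set, which is worth noting as a known limitation.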
Re: [E-devel] [PATCH] [ecore_con_url] Add CA validation control with SSL connections
On Thu, 30 Dec 2010, PnB wrote:
> On 30/12/2010 18:16, Raphael Kubo da Costa wrote:
> > From what I see, it will replace the CA bundle it originally uses, right?
> > Doesn't it mean the original certificates will not be read anymore?
>
> Yes. But it only affects the ecore_con_url you set it on, so it shouldn't
> break anything I guess. It will be up to the application (or its user) to
> decide whether it wants to use (or trust) the system CAs or its own.
>
> > Coding style-wise, the "}" for the else in ecore_con_url_ssl_ca_set is not
> > aligned correctly.
>
> Sorry about that. I fixed it in the attachment (as well as another
> indentation issue).
>
> > Trunk-wise, I wonder if this will have to wait for 1.0 to be included, as it
> > is a new feature?
>
> Actually, it looks more like an interface to a stable libcurl feature than
> a new feature to me. But I can wait though.

http://en.wikipedia.org/wiki/Software_release_life_cycle#Beta
http://en.wikipedia.org/wiki/Feature_complete

so:

* testing
* bug fixing

anything else is postponed after the release.

Vincent
Re: [E-devel] [PATCH] [ecore_con_url] Add CA validation control with SSL connections
On 30/12/2010 22:10, Vincent Torri wrote:
> http://en.wikipedia.org/wiki/Software_release_life_cycle#Beta
> http://en.wikipedia.org/wiki/Feature_complete
>
> so:
>
> * testing
> * bug fixing
>
> anything else is postponed after the release.

Thanks for the clarification. I'll wait then.

--
PnB
Re: [E-devel] [PATCH] [ecore_con_url] Add CA validation control with SSL connections
On Fri, 31 Dec 2010 08:18:40 +0100 PnB said:
> On 30/12/2010 22:10, Vincent Torri wrote:
> > http://en.wikipedia.org/wiki/Software_release_life_cycle#Beta
> > http://en.wikipedia.org/wiki/Feature_complete
> >
> > so:
> >
> > * testing
> > * bug fixing
> >
> > anything else is postponed after the release.
>
> Thanks for the clarification. I'll wait then.

please don't forget to remind us post 1.0 in case we forget to follow this up :)

--
- Codito, ergo sum - "I code, therefore I am" --
The Rasterman (Carsten Haitzler) ras...@rasterman.com