From 7c4b4ce1f385a3f577c9640ee2e88797f348ccc6 Mon Sep 17 00:00:00 2001
From: Robin COURGEON
Date: Wed, 28 May 2025 18:56:17 +0200
Subject: [PATCH] fixup! Make openssl backend work with pkcs11 certificate

On windows, sslcert and sslkey containing pkcs11 uri does not work using the openssl backend. Fixed by forcing the correct libcurl option when detecting a pkcs11 uri, much like what the curl binary is doing.

Signed-off-by: Robin Courgeon
---
 http.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/http.c b/http.c
index d5396a3ce2ba34..bbbc9c18a995ac 100644
--- a/http.c
+++ b/http.c
@@ -1109,16 +1109,32 @@ static CURL *get_curl_handle(void)
 curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST, ssl_cipherlist);
- if (ssl_cert)
- curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
 if (ssl_cert_type)
 curl_easy_setopt(result, CURLOPT_SSLCERTTYPE, ssl_cert_type);
+ if (ssl_cert) {
+ curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
+ if (istarts_with(ssl_cert, "pkcs11:")) {
+ if (ssl_cert_type && strcasecmp(ssl_cert_type, "eng")){
+ warning(_("Using non \"ENG\" type for a pkcs11 uri sslcert"));
+ }
+ curl_easy_setopt(result, CURLOPT_SSLCERTTYPE, "ENG");
+ curl_easy_setopt(result, CURLOPT_SSLENGINE, "pkcs11");
+ }
+ }
 if (has_cert_password())
 curl_easy_setopt(result, CURLOPT_KEYPASSWD, cert_auth.password);
- if (ssl_key)
- curl_easy_setopt(result, CURLOPT_SSLKEY, ssl_key);
 if (ssl_key_type)
 curl_easy_setopt(result, CURLOPT_SSLKEYTYPE, ssl_key_type);
+ if (ssl_key) {
+ curl_easy_setopt(result, CURLOPT_SSLKEY, ssl_key);
+ if (istarts_with(ssl_cert, "pkcs11:")) {
+ if (ssl_cert_type && strcasecmp(ssl_cert_type, "eng")){
+ warning(_("Using non \"ENG\" type for a pkcs11 uri sslkey"));
+ }
+ curl_easy_setopt(result, CURLOPT_SSLCERTTYPE, "ENG");
+ curl_easy_setopt(result, CURLOPT_SSLENGINE, "pkcs11");
+ }
+ }
 if (ssl_capath)
 curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 if (ssl_pinnedkey)
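Review bot: The new `if (ssl_key)` block inspects and sets the certificate's variables instead of the key's: it calls `istarts_with(ssl_cert, "pkcs11:")`, compares `ssl_cert_type`, and sets `CURLOPT_SSLCERTTYPE`, so a pkcs11 key URI never gets its key type forced to "ENG", and when `ssl_key` is set while `ssl_cert` is NULL the NULL pointer is handed to `istarts_with()`, which presumably dereferences it. The three lines should read `if (istarts_with(ssl_key, "pkcs11:")) {`, `if (ssl_key_type && strcasecmp(ssl_key_type, "eng")) {` and `curl_easy_setopt(result, CURLOPT_SSLKEYTYPE, "ENG");`. Both new blocks also ignore the return value of setting `CURLOPT_SSLENGINE`, so an engine that cannot be loaded goes unreported at configuration time; checking it and emitting a `warning()` would make a failed client-certificate setup visible instead of surfacing later as an unexplained TLS failure. The body of get_curl_handle begins and ends outside this hunk.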