Cannot use libcurl to access a site requiring client authentication

I'm using the code below to install the certificate and key for client authentication.

 /* client certificate (PEM) and its private key */
 curl_easy_setopt(curl, CURLOPT_SSLCERT, "clientCert.pem");
 curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD, "changeit");
 curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
 curl_easy_setopt(curl, CURLOPT_SSLKEY, "privateKey.pem");
 curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, "changeit");
 curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM");

The certificate does not have a password; I do not know why the SSLCERTPASSWD option actually exists, I just provided a dummy value. When I run the program on Linux, I get error code 58 and the error message "could not install the private key file: type privateKey.pem PEM".

On Windows, however, I get "failed to use a client certificate (key not found or wrong phrase?)".

It seems that the certificate and the key do not match, but I do not know how to do this. I extracted both cert and key from the p12 file using openssl commands. The command I used to extract the key is

 openssl.exe pkcs12 -in client.p12 -nocerts -out privateKey.pem 

and the command used to extract the certificate is

 openssl.exe pkcs12 -in client.p12 -nokeys -out clientCert.pem 

The p12 file was successfully used in the browser to access the client authentication URL. Help me before I shoot myself.

Edit: Here is the proof that the private key and certificate match each other:

 [ debugbld@nagara ~/curlm]$ openssl x509 -noout -modulus -in clientCert.pem | openssl md5
 d7207cf82b771251471672dd54c59927
 [ debugbld@nagara ~/curlm]$ openssl rsa -noout -modulus -in privateKey.pem | openssl md5
 Enter pass phrase for privateKey.pem:
 d7207cf82b771251471672dd54c59927

So why is this not working?

+5
3 answers

Using command line curl, I get the same error using the .pem file that was also obtained using openssl from the p12 file. P12 was also able to work properly with client authentication when importing into the browser. As you described, I think.

My problem arose because the .pem file did not specify the certificates in the correct order: it seems that every certificate in the file should be followed by its issuer certificate. I edited the file and reordered the sections, and curl was happy.

For the record, my original .p12 file was obtained by backing up the certificate from Firefox.

Also note that in my case I did not receive a password request and received

 curl: (58) unable to set private key file: 'alice.pem' type PEM 

before it requested a password.

+3

I had similar problems; I found out that the problem was related to access rights on the certificate and private key files. The process running PHP did not have read access to these files.

One thing you can try (and it helped me figure it out) is to run the following code:

 $result=openssl_get_privatekey('file://path/to/private/key.pem','password'); 

and check whether a value is returned and there are no errors. I was getting:

 file_get_contents(/path/to/private/key.pem): failed to open stream: Permission denied 

+2

Thanks to Hugh for the thread and to ragufer for the openssl hint. Later: both useful and misleading ;-)

Actually, I solved the problem by making sure that the path to the key file is correct. And this is why the openssl hint is misleading: it only let me check that my PEM file was OK:

cURL needs the full path, but without the 'file://' prefix. Although fopen is happy with a relative path, cURL is not. So all my tests for opening the key file were successful, but cURL was not.

Btw:

 curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD, "changeit");
 curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
 curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM");

are not needed, because the password is used only to decrypt the private key, and PEM is the default.

0
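A pre-flight check for the three causes this thread settles on (certificate order in the PEM bundle, file permissions, and the path libcurl is given), as an added example that is not part of any answer here. It is stdlib-only Python; the function names are mine, and `fake_cert`/`to_pem` build a constructed, unsigned two-certificate sample so the checker can be exercised offline without real keys. The RSA modulus comparison from the question is left to the openssl commands shown there.

```python
import base64, os, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (definite lengths only)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_names(der_cert):
    """Return (issuer, subject) as raw DER Name bytes from an X.509 certificate."""
    _, tbs, _ = der_tlv(der_tlv(der_cert)[1])           # Certificate -> tbsCertificate
    tag, _, pos = der_tlv(tbs)                           # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0
    _, _, pos = der_tlv(tbs, pos)                        # serialNumber
    _, _, pos = der_tlv(tbs, pos)                        # signature AlgorithmIdentifier
    _, issuer, pos = der_tlv(tbs, pos)                   # issuer Name
    _, _, pos = der_tlv(tbs, pos)                        # validity
    _, subject, _ = der_tlv(tbs, pos)                    # subject Name
    return issuer, subject

def chain_order_problems(pem_text):
    """Empty list if every certificate is directly followed by its issuer, else messages."""
    certs = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_text)]
    if not certs:
        return ["no CERTIFICATE blocks found"]
    names = [cert_names(c) for c in certs]
    return [f"cert #{i} is not followed by its issuer (cert #{i + 1})"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def check_pem_paths(*paths):
    """Flag what trips libcurl: 'file://' or relative paths, and files this process cannot read."""
    return [f"{p}: libcurl needs a plain absolute path" if p.startswith("file://") or not os.path.isabs(p)
            else f"{p}: not readable by this process" for p in paths
            if p.startswith("file://") or not os.path.isabs(p) or not os.access(p, os.R_OK)]

def der(tag, content):  # tiny DER encoder, only for the constructed samples below (< 128 bytes)
    return bytes([tag, len(content)]) + content

def fake_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton with just the fields cert_names() reads."""
    def name(cn):   # Name ::= SEQUENCE OF SET OF (commonName OID, UTF8String)
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

def to_pem(*der_certs):
    """Wrap DER certificates in PEM armour, in the given order."""
    return "".join("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
                   % base64.encodebytes(c).decode() for c in der_certs)
```

Run `chain_order_problems(open("/abs/path/clientCert.pem").read())` on a real bundle; an empty list means the ordering ragufer describes holds, and any message names the certificate that should be moved.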

Source: https://habr.com/ru/post/978615/
