Support for X.509 Client Certificates
Hello,
First of all, thank you for Hurl. It is a very nice project!
Adding support for Client Certificates - PEM / PFX / P12 - formats while making mTLS HTTPS calls in Hurl would be really useful.
From the curl man page: PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.
Example: https://curl.se/docs/sslcerts.html
https://everything.curl.dev/usingcurl/tls#client-certificates
I think this request is similar to #166 - it just has more details in terms of the different certificate formats.
Yes! We'll definitely add it. We really have the benefit of using libcurl.
Option --cacert has now been added (#314).
Only PEM format is supported for the time being.
We will support more in the future and also add the option --capath.
Any update on self-signed certificates? Couldn't find anywhere in the docs how to use it.
There is nothing specific to self-signed certificates in Hurl. You could use -k to ignore the SSL warning.
With 2.0.0, we have added --cert, --key and --ssl-no-revoke. With --cacert, I think we can close this issue. Feel free to reopen it if we should add other things.
Hi @jcamiel, I love the new feature and will need to do further testing on my end. But I'm curious if hurl would be able to support PKCS#11 URIs? I need this so that PIV/CAC Smart Cards could be used with hurl.
I can do this successfully with curl if I build it with OpenSSL support and also install a custom PKCS11 engine for OpenSSL.
My main question here is if hurl leveraged any OpenSSL configuration files the way curl does as an environment variable named OPENSSL_CONF?
After some testing locally, I found that I could point hurl to use the OpenSSL and cURL I've installed with Homebrew. But I also found that hurl is validating the input and not allowing me to submit URI strings for the --cert and --key file. Even if I make the URI a line in a file and set the input for the flags to the file, it won't execute the command because it cannot understand the format.
OPENSSL_CONF=~/Developer/checking-certs/test.conf hurl \
-k \
--key ~/Developer/checking-certs/piv_private_key_url \
--cert ~/Developer/checking-certs/piv_cert_url \
test.hurl
error: HTTP connection
--> test.hurl:1:5
|
1 | GET https://api.tls.example.com/health
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (58) could not load PEM client certificate from /Users/rogeruiz/Developer/checking-certs/piv_cert_url, OpenSSL error error:0909006C:PEM routines:get_name:no start line, (no key found, wrong pass phrase, or wrong file format?)
|
I'd like to contribute to the project and test this further as well. I believe it should be possible? But I'm also fairly new to Rust and libcurl. But I did have hope when I saw I could change the libcurl library and therefore leverage a different OpenSSL engine.
Contents of ~/Developer/checking-certs/test.conf:
## OpenSSL Configuration for SC <-> PKCS#11
## REF: https://www.openssl.org/docs/man1.1.0/apps/config.html
## Initialization
openssl_conf = SSL_Configuration
[ SSL_Configuration ]
engines = SSL_Engines
## Engines
[ SSL_Engines ]
pkcs11 = ENG_PKCS11
# PKCS#11
# REF: https://github.com/OpenSC/libp11
[ ENG_PKCS11 ]
# dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
dynamic_path = /usr/local/Cellar/openssl@1.1/1.1.1s/lib/engines-1.1/pkcs11.dylib
MODULE_PATH = /Library/OpenSC/lib/opensc-pkcs11.so
init = 0
Hope all this information helps!
thanks,
hurl 2.0.1 libcurl/7.87.0 (SecureTransport) OpenSSL/1.1.1s zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.4 libssh2/1.10.0 nghttp2/1.51.0
Features (libcurl): alt-svc AsynchDNS brotli HSTS HTTP2 IDN IPv6 Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets zstd
Features (built-in): brotli
Hi @rogeruiz
Contributions are welcome of course! A few points to help you:
- I'm curious regarding Hurl with homebrew curl. Did you use the same method that we have documented in Hurl's FAQ or another one?
- Before implementing a feature within Hurl, we found that it's easier to reproduce the use case with curl. For instance, if you run Hurl with --verbose you should see the "equivalent" curl command line. Try this one beforehand to be sure to have the right curl options. Then, you could try to reproduce it with libcurl, for instance. It will help us a lot to have something reproducible with curl, and with a libcurl sample we can see how to integrate it in Hurl. That said, everything around certificates has been difficult to implement for all platforms, which leads me to the third point: we've had a really hard time making every Hurl feature work on Linux, macOS and Windows, especially features around certificates that depend on the underlying SSL library (OpenSSL, SecureTransport, etc.). Just to say that making something work on macOS, for instance, is a first (important) step!