How to make libcurl look in the Mac Keychain for certificates
My code is trying to access an HTTPS server that has its own certificate. For example, the IP is "10.0.1.101".

If I go through Safari and access "http://10.0.1.101", everything's OK. I do a simple curl_easy_perform() for this URL and data can be pulled from the HTTP URL. Cool.

I then try to access "https://10.0.1.101" (yes, HTTPS) from Safari; I accept the certificate and give it the "trust" option, and after that Safari's access to the HTTPS URL is OK.

So the certificate has been added to the Mac Keychain, but when I try a curl_easy_perform() on the HTTPS URL, it still returns CURLE_SSL_CACERT: libcurl could not authenticate the HTTPS certificate with known CA certificates.

What is the missing link between libcurl's certificate checking and Mac Keychain? Is there even a link at all? Is it possible to make libcurl look into the Mac Keychain for certificates? If so, how?

Fernald asked 16/9, 2011 at 1:10 Comment(4)
Can we use the CURLOPT_CAINFO option to point to a keychain file? – Fernald
There's a security command in Terminal; I think you can use the output of that command to get the trust chain. (I'm not a certificate or Terminal expert; I tried it in a script and it works with curl) – Pungent
@Marcelo Alves, thanks. It looks like a good starting point, but if you can, will you share the steps for how you did it? – Fernald
I've tried "security add-trusted-cert PathToPEMFile.pem" on both the user and system keychains, but libcurl still fails. – Fernald
Nope. libcurl built to use OpenSSL will only read CA certs from a single PEM file or from a directory of CA certs that have been prepared OpenSSL-style.

There's no special magic for the Mac Keychain implemented.

Food answered 16/9, 2011 at 6:38 Comment(2)
Really? Well then, this is weird. My machine running Mountain Lion "just works" and recognizes the cert fine, but my machine running Yosemite is a no-go. – Recuperative
Notice that this answer was posted in 2011, so libcurl didn't support the OS X keychain at that time. – Rudiment
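The missing link, as an added example that is not part of any answer in the thread: because an OpenSSL-built libcurl reads only PEM, the practical route is to export the Keychain certificate(s) with the macOS security tool into a PEM file and hand that to curl with --cacert (CURLOPT_CAINFO in libcurl, or the CURL_CA_BUNDLE environment variable for the command-line tool). The script assumes the standard macOS keychain paths and reuses the question's 10.0.1.101 host; the pem_cert_count helper and the /tmp bundle path are my own choices.

```shell
#!/bin/sh
# Added example, not from the original thread. Turns Keychain contents into the
# PEM bundle that an OpenSSL-built libcurl can actually read, then verifies a
# server against it. Assumes the standard macOS keychain locations listed below.
set -e

# Count certificates in a PEM file (pure shell; works on any OS).
pem_cert_count() {
    # grep -c exits 1 when the count is zero, so don't let set -e abort on it.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Dump every certificate from the usual keychains into one PEM bundle.
# Caveat: find-certificate ignores trust settings, so a certificate the user
# has explicitly *distrusted* still ends up in the bundle. Review the result.
export_keychain_bundle() {
    out="$1"
    : > "$out"
    for kc in /System/Library/Keychains/SystemRootCertificates.keychain \
              /Library/Keychains/System.keychain \
              "$HOME/Library/Keychains/login.keychain-db" \
              "$HOME/Library/Keychains/login.keychain"; do
        [ -r "$kc" ] || continue
        security find-certificate -a -p "$kc" >> "$out" || true
    done
    echo "$(pem_cert_count "$out") certificate(s) written to $out"
}

# Tighter alternative for the question's case: export only the server's own
# self-signed certificate by its Keychain label, so nothing else gets trusted.
export_single_cert() {
    label="$1"; out="$2"
    security find-certificate -c "$label" -p > "$out"
    if [ "$(pem_cert_count "$out")" -lt 1 ]; then
        echo "no certificate named '$label' in the Keychain" >&2
        return 1
    fi
}

# Verify a server with an explicit bundle. --cacert is CURLOPT_CAINFO in
# libcurl; CURL_CA_BUNDLE=/path/to/bundle.pem does the same for the tool.
# Note: with an IP-address URL curl matches the address against the
# certificate's subjectAltName, so a cert that only carries the host in its CN
# passes the chain check and then fails the host check instead.
verify_with_bundle() {
    bundle="$1"; url="$2"
    # -sS: quiet but show errors; -o /dev/null: only the verdict matters.
    curl -sS --cacert "$bundle" -o /dev/null -w '%{http_code}\n' "$url"
}

# Only run the Keychain steps where the security tool exists (i.e. on macOS).
if command -v security >/dev/null 2>&1; then
    export_keychain_bundle /tmp/keychain-bundle.pem
    verify_with_bundle /tmp/keychain-bundle.pem https://10.0.1.101/ \
        || echo "verification against the Keychain bundle failed" >&2
fi
```

For a program using libcurl the equivalent is curl_easy_setopt(handle, CURLOPT_CAINFO, "/tmp/keychain-bundle.pem") before curl_easy_perform(); the CURLE_SSL_CACERT result (code 60, reported as CURLE_PEER_FAILED_VERIFICATION by newer releases) goes away once the signing certificate is in that file.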
"New" curl on Mac OS does not "look" at the system Keychain database (old curl versions worked great with the -E option).

You can still make it work with curl on newer versions of Mac OS:

brew install curl

(installs a version of curl that works with client certificates read from the Keychain)

and then something like:

/usr/local/opt/curl/bin/curl -E wlad https://mail.securedbyclientcertificate.com/access/

(for -E you type the name of your client certificate in the Keychain database)

Mac OS will ask you for permission to read from the Keychain; type your macOS password and select "Always Allow".

Browning answered 30/7, 2018 at 18:29 Comment(4)
phew! that was quite helpful. – Trill
I'm on a new MacBook with macOS 10.15.5. I have MacPorts, but I'm using the 'native' version of curl. When I try to download the latest youtube-dl: sudo curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl, I get a cert expired error. The youtube-dl maintainers say their cert is valid and up-to-date. How can I fix this? – Luminal
Even the latest version from brew install curl doesn't support reading from the Keychain. I had to install a specific version to make it work; documenting it here in case someone really needs it: brew extract --version=7.69 curl homebrew/cask and brew install curl@7.69 – Lanza
We can specify the certificate like `CURL_CA_BUNDLE=./cacert.pem curl 'local.io'`. For more, see curl.se/docs/sslcerts.html – Expiatory
In current versions of macOS you can tell the system-installed curl to use the Keychain using the CURL_SSL_BACKEND environment variable, e.g. to use a named client cert from the Keychain (it will pop up a Keychain authentication dialogue):

CURL_SSL_BACKEND=secure-transport curl --cert "My Cert" https://10.0.1.101/
Jataka answered 7/10, 2022 at 10:48 Comment(0)
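One check worth doing before relying on the command above, as an added example that is not part of the answer: CURL_SSL_BACKEND only takes effect on a curl built with more than one TLS backend (curl --version lists "MultiSSL" under Features and names the backends on its first line, where Secure Transport appears as "SecureTransport"). The script below parses that output before switching backends, then selects the client identity by its Keychain label. The label "My Cert" and the host 10.0.1.101 are taken from the answer; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original answers. Confirms the curl binary is
# a multi-backend ("MultiSSL") build that includes Secure Transport before
# setting CURL_SSL_BACKEND, then uses a client certificate by Keychain label.
set -e

# Return 0 when the `curl --version` text passed as $1 describes a MultiSSL
# build whose first line names the backend given in $2 (e.g. "SecureTransport").
# Takes the text as an argument so the logic can be checked offline.
curl_build_has_backend() {
    version_text="$1"; backend="$2"
    printf '%s\n' "$version_text" | grep -q '^Features:.*MultiSSL' || return 1
    printf '%s\n' "$version_text" | head -n 1 | grep -q -- "$backend"
}

# Fetch a URL with a Keychain-backed client certificate. With the Secure
# Transport backend, --cert takes the certificate's Keychain label rather than
# a file path; macOS prompts for Keychain access the first time.
fetch_with_keychain_identity() {
    label="$1"; url="$2"
    if ! curl_build_has_backend "$(curl --version)" SecureTransport; then
        echo "this curl cannot read the Keychain: not a MultiSSL build with Secure Transport" >&2
        return 1
    fi
    # -sS: quiet but show errors; -w prints the status code as the verdict.
    CURL_SSL_BACKEND=secure-transport \
        curl -sS --cert "$label" -o /dev/null -w '%{http_code}\n' "$url"
}

# Only attempt the fetch where curl exists; on a single-backend build the
# function explains why it cannot proceed instead of silently using the
# default backend (which would look for a file named "My Cert").
if command -v curl >/dev/null 2>&1; then
    fetch_with_keychain_identity "My Cert" https://10.0.1.101/ || true
fi
```

A Homebrew curl linked only against OpenSSL fails this check, which matches the experience in the comments above: that binary has no backend that can talk to the Keychain, so --cert is treated as a file path regardless of the environment variable.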

© 2022 - 2024 — McMap. All rights reserved.