From: Magne Hov <mhov@undo.io>
To: elfutils-devel@sourceware.org
Subject: Specifying CA certificates for libdebuginfod
Date: Fri, 28 May 2021 18:36:17 +0100
Message-ID: <5sr1hqwyjy.fsf@undo.io>


Hi,

I am posting here to continue a discussion from the #elfutils
libera.chat channel about whether libdebuginfod might benefit from
having a method of specifying a certificate bundle for libcurl.

Normally one would rely on the system's OpenSSL having been configured
with up-to-date certificates. However, in my use case I can't depend on
up-to-date certificates being installed on the system that I work with,
so I package certificates together with my application (which contains
libdebuginfod and its dependencies as a portable package).

Other components that my application uses already have ways of
specifying a certificate bundle. The curl tool supports custom
certificates with the CURL_CA_BUNDLE environment variable, but with
libcurl one must specify a custom certificate bundle with the
CURLOPT_CAINFO option via the API. I propose a new environment variable,
DEBUGINFOD_CA_BUNDLE or similar, whose value can be passed to libcurl.
Please see the attached patch below.

There is also an option of recognising CURL_CA_BUNDLE as that
environment variable is already established by the curl tool, but it
could also be good to keep the name separate to libdebuginfod.

I think having the option of specifying certificates could also be
helpful for other situations such as specifying a self-signed
certificate to use with servers under test.

Kind regards,
Magne


[-- Attachment #2: patch --]

From 78363eed66c8098961c84980d485f87c8b43f25c Mon Sep 17 00:00:00 2001
From: Magne Hov <mhov@undo.io>
Date: Tue, 11 May 2021 16:24:51 +0100
Subject: [PATCH] libdebuginfod: specify client CA bundle with
 DEBUGINFOD_CA_BUNDLE

---
 debuginfod/debuginfod-client.c | 7 +++++++
 debuginfod/debuginfod.h.in     | 1 +
 2 files changed, 8 insertions(+)

diff --git a/debuginfod/debuginfod-client.c b/debuginfod/debuginfod-client.c
index de26af5b..b9165733 100644
--- a/debuginfod/debuginfod-client.c
+++ b/debuginfod/debuginfod-client.c
@@ -827,6 +827,13 @@ debuginfod_query_server (debuginfod_client *c,
       curl_easy_setopt(data[i].handle, CURLOPT_ACCEPT_ENCODING, "");
       curl_easy_setopt(data[i].handle, CURLOPT_HTTPHEADER, c->headers);
 
+      /* Pass SSL certificate to libcurl. */
+      const char *certfile = getenv(DEBUGINFOD_CA_BUNDLE);
+      if (certfile != NULL && strlen (certfile) > 0)
+      {
+          curl_easy_setopt(data[i].handle, CURLOPT_CAINFO, certfile);
+      }
+
       curl_multi_add_handle(curlm, data[i].handle);
       server_url = strtok_r(NULL, url_delim, &strtok_saveptr);
     }
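Review bot: the comment `/* Pass SSL certificate to libcurl. */` is misleading: CURLOPT_CAINFO points libcurl at a CA bundle used to verify the server's certificate, not at a client certificate, so say "CA bundle" to avoid confusion with the client-certificate options. Two smaller points on the same lines: `getenv(DEBUGINFOD_CA_BUNDLE)` is re-evaluated on every pass through the per-server loop (the loop that ends at the `strtok_r` call) and could be looked up once before the loop with the other per-query settings; and the return value of `curl_easy_setopt(data[i].handle, CURLOPT_CAINFO, certfile)` is dropped, so a path libcurl rejects silently leaves the default trust store in place, which is the opposite of what a user who set the variable wants. Check for CURLE_OK and fail the query, or at least report it under DEBUGINFOD_VERBOSE. Worth stating in the documentation as well: CURLOPT_CAINFO replaces the default store rather than extending it, so the bundle must contain every CA the configured servers chain to. Finally, the brace placement (`{` at the column of the `if`, body indented four spaces) does not match the GNU-style indentation of the surrounding lines.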
diff --git a/debuginfod/debuginfod.h.in b/debuginfod/debuginfod.h.in
index 559ea947..3ed32f19 100644
--- a/debuginfod/debuginfod.h.in
+++ b/debuginfod/debuginfod.h.in
@@ -35,6 +35,7 @@
 #define DEBUGINFOD_TIMEOUT_ENV_VAR "DEBUGINFOD_TIMEOUT"
 #define DEBUGINFOD_PROGRESS_ENV_VAR "DEBUGINFOD_PROGRESS"
 #define DEBUGINFOD_VERBOSE_ENV_VAR "DEBUGINFOD_VERBOSE"
+#define DEBUGINFOD_CA_BUNDLE "DEBUGINFOD_CA_BUNDLE"
 
 /* The libdebuginfod soname.  */
 #define DEBUGINFOD_SONAME "@LIBDEBUGINFOD_SONAME@"
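Review bot: the new macro name breaks the convention of its neighbours: DEBUGINFOD_TIMEOUT_ENV_VAR, DEBUGINFOD_PROGRESS_ENV_VAR and DEBUGINFOD_VERBOSE_ENV_VAR all carry an `_ENV_VAR` suffix, and a bare DEBUGINFOD_CA_BUNDLE reads as the variable's value rather than its name. Suggest `#define DEBUGINFOD_CA_BUNDLE_ENV_VAR "DEBUGINFOD_CA_BUNDLE"` with the matching `getenv` call in debuginfod-client.c. Since this is the installed public header, the variable also needs an entry in the client documentation; the diffstat shows only the two source files changed, so the new environment variable is otherwise undocumented.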
-- 
2.25.1


Thread overview: 3+ messages
2021-05-28 17:36 Magne Hov [this message]
2021-05-28 18:31 ` Frank Ch. Eigler
2021-07-12 16:16   ` Magne Hov
