Re: [PATCH] SSL client certificate support for OpenURI

From: "Marshall T. Vandegrift" <mvandegrift@...>
Date: 2006-06-16 19:59:24 UTC
List: ruby-core #8006

Tanaka Akira <akr@m17n.org> writes:

> In article <7zfyi7wy13.fsf@epictetus.iss.local>,
>   "Marshall T. Vandegrift" <mvandegrift@iss.net> writes:
>
>> The attached patch modifies 'open-uri.rb' to allow users to specify
>> SSL client certificates and keys for HTTPS sessions.
>
> 1. Why :ssl_cert and :ssl_key are separated?

Well, the cheeky answer is because they're separate. :-)

I think that it's most common to load these items from separate files,
and even if not, the way the OpenSSL library and Ruby bindings are
written, it's easier to pull the X.509 certificate and private key out
of a PKCS#12 structure than cram them into one.

Convention-wise, OpenSSL, the Ruby OpenSSL bindings, 'net/https', and
other SSL-using library modules all expect the certificate and key to
be separate.  OpenSSL doesn't really provide a convenient data
structure to bundle them together.

> 2. I think the option name(s) should contain a word "client".

My reasoning behind the names was keeping clear the mapping to
'net/https' -- just as :ssl_verify_mode maps to Net::HTTP#verify_mode,
:ssl_cert maps to HTTP#cert and :ssl_key maps to HTTP#key.

If you think that it's more clear to use :ssl_client_key and
:ssl_client_cert, I've attached to this message a patch which uses
those names instead.

Thank you!

-- 
Marshall T. Vandegrift <mvandegrift@iss.net>
ISS.Researcher | 404.236.3986w 518.859.4559m

Attachments (1)

open-uri-ssl_cert-patch-2.diff (2.05 KB, text/x-patch)
--- ruby-trunk/lib/open-uri.rb	2006-06-13 13:46:48.000000000 -0400
+++ ruby-modified/lib/open-uri.rb	2006-06-16 14:18:15.000000000 -0400
@@ -101,6 +101,8 @@
     :read_timeout => true,
     :ssl_ca_cert => nil,
     :ssl_verify_mode => nil,
+    :ssl_client_cert => nil,
+    :ssl_client_key => nil
   }
 
   def OpenURI.check_options(options) # :nodoc:
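Review bot: the new last entry `:ssl_client_key => nil` drops the trailing comma that the previous last entry `:ssl_verify_mode => nil,` kept; keep the trailing comma so the next option can be appended without editing this line, and so the hash stays consistent with the existing style.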
@@ -282,6 +284,24 @@
       else
         store.set_default_paths
       end
+      if options[:ssl_client_cert]
+        if options[:ssl_client_cert].is_a? OpenSSL::X509::Certificate
+          http.cert = options[:ssl_client_cert]
+        else
+          http.cert = OpenSSL::X509::Certificate.new(File.read(options[:ssl_client_cert]))
+        end
+      end
+      if options[:ssl_client_key]
+        if options[:ssl_client_key].is_a? OpenSSL::PKey::PKey
+          http.key = options[:ssl_client_key]
+        else
+          begin
+            http.key = OpenSSL::PKey::DSA.new(File.read(options[:ssl_client_key]))
+          rescue OpenSSL::PKey::DSAError
+            http.key = OpenSSL::PKey::RSA.new(File.read(options[:ssl_client_key]))
+          end
+        end
+      end
       store.set_default_paths
       http.cert_store = store
     end
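Review bot: the `:ssl_client_key` branch reads the key file twice and picks the key type by catching `OpenSSL::PKey::DSAError` and retrying the same bytes as RSA, which also masks a genuinely malformed DSA key as an RSA parse error; read the file once into a local and choose the class from the PEM header (`BEGIN DSA PRIVATE KEY` vs `BEGIN RSA PRIVATE KEY`), or at least reuse the buffer in the `rescue`. Two further points: nothing checks that a supplied certificate and key belong together (`OpenSSL::X509::Certificate#check_private_key` does this cheaply and gives a clear error instead of an opaque handshake failure), and an encrypted key file falls through to OpenSSL's default passphrase callback since no passphrase option is accepted; either document that only unencrypted PEM keys are supported or add a passphrase option alongside `:ssl_client_key`.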
@@ -607,6 +627,24 @@
     #
     #  :ssl_verify_mode is used to specify openssl verify mode.
     #
+    # [:ssl_client_cert]
+    #  Synopsis:
+    #    :ssl_client_cert=>filename
+    #    :ssl_client_cert=>x509cert
+    #
+    #  :ssl_client_cert is used to specify a client certificate for
+    #  SSL.  It may be either a filename or an
+    #  OpenSSL::X509::Certificate object.
+    #
+    # [:ssl_client_key]
+    #  Synopsis:
+    #    :ssl_client_key=>filename
+    #    :ssl_client_key=>pkey
+    #
+    #  :ssl_client_key is used to specify a detached client private
+    #  key for SSL.  It may be either a filename or an
+    #  OpenSSL::PKey::PKey object.
+    #
     # OpenURI::OpenRead#open returns an IO like object if block is not given.
     # Otherwise it yields the IO object and return the value of the block.
     # The IO object is extended with OpenURI::Meta.
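Review bot: the new `:ssl_client_cert` and `:ssl_client_key` entries do not say which file format is accepted (the code reads PEM via `OpenSSL::X509::Certificate.new` and `OpenSSL::PKey::DSA.new`/`RSA.new`), that the key must be unencrypted, or that the two options are only useful together; add a sentence to each synopsis stating the PEM requirement and that both must be given for client authentication to take place.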

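As an added example (not part of the patch above or the original post), a Ruby loader that accepts the same object-or-filename inputs as the patch's `:ssl_client_cert`/`:ssl_client_key` options but reads each file once, refuses encrypted PEM keys instead of letting OpenSSL prompt, lets the library detect the key type, and verifies that the key belongs to the certificate. The function names, and the self-signed test credentials it generates, are assumptions made for this example.

```ruby
require "openssl"
require "tempfile"

# Build a throw-away RSA key and self-signed certificate (constructed test
# material, not real credentials) so the example runs offline.
def make_test_credentials
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=open-uri-client-test")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Accept either an OpenSSL object or a filename, as the patch does.
def load_client_cert(src)
  return src if src.is_a?(OpenSSL::X509::Certificate)
  OpenSSL::X509::Certificate.new(File.read(src))
end

# Read the key file once and reject encrypted PEM up front, so the
# request never blocks on OpenSSL's interactive passphrase callback.
def load_client_key(src)
  return src if src.is_a?(OpenSSL::PKey::PKey)
  pem = File.read(src)
  if pem.include?("ENCRYPTED")
    raise ArgumentError, "#{src}: encrypted private keys are not supported here"
  end
  # OpenSSL::PKey.read detects RSA/DSA/EC from the PEM itself (Ruby >= 1.9.3),
  # so there is no need to try DSA first and rescue into RSA.
  OpenSSL::PKey.read(pem)
end

# Load both halves and confirm the key matches the certificate before they are
# handed to Net::HTTP; a mismatch otherwise only surfaces as a handshake error.
def load_client_credentials(cert_src, key_src)
  cert = load_client_cert(cert_src)
  key = load_client_key(key_src)
  unless cert.check_private_key(key)
    raise ArgumentError, "client certificate and private key do not match"
  end
  [cert, key]
end
```

The returned pair can be assigned to `http.cert` and `http.key` exactly where the patch does.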