Support root cert validation on CURL (#4821)

* Only CURL >= 7.44 supports root cert validation * Update Changelog
2023-07-28 09:39:05 -07:00 · 2023-07-28 09:39:05 -07:00 · db328891d5
commit db328891d5
parent e77eff6ab4
3 changed files with 12 additions and 0 deletions
--- a/sdk/core/azure-core/CHANGELOG.md
+++ b/sdk/core/azure-core/CHANGELOG.md
@ -8,6 +8,8 @@

 ### Bugs Fixed

+- [[#4792]](https://github.com/Azure/azure-sdk-for-cpp/issues/4792) Only support CURL's root cert validation when CURL version is >= 7.77.0.
+
 ### Other Changes

 ## 1.10.1 (2023-07-06)
--- a/sdk/core/azure-core/inc/azure/core/http/curl_transport.hpp
+++ b/sdk/core/azure-core/inc/azure/core/http/curl_transport.hpp
@ -62,6 +62,8 @@ namespace Azure { namespace Core { namespace Http {
     * @remark More about this option:
     * https://curl.se/libcurl/c/CURLOPT_CAINFO_BLOB.html
     *
+     * @warning Requires libcurl >= 7.44.0
+     *
     */
    std::string PemEncodedExpectedRootCertificates;
  };
--- a/sdk/core/azure-core/src/http/curl/curl.cpp
+++ b/sdk/core/azure-core/src/http/curl/curl.cpp
@ -307,11 +307,13 @@ Azure::Core::Http::CurlTransportOptions CurlTransportOptionsFromTransportOptions
  curlOptions.SslOptions.EnableCertificateRevocationListCheck
      = transportOptions.EnableCertificateRevocationListCheck;

+#if LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0
  if (!transportOptions.ExpectedTlsRootCertificate.empty())
  {
    curlOptions.SslOptions.PemEncodedExpectedRootCertificates
        = PemEncodeFromBase64(transportOptions.ExpectedTlsRootCertificate, "CERTIFICATE");
  }
+#endif
  curlOptions.SslVerifyPeer = !transportOptions.DisableTlsCertificateValidation;
  return curlOptions;
 }
@ -1297,10 +1299,14 @@ inline std::string GetConnectionKey(std::string const& host, CurlTransportOption
  key.append(",");
  key.append(options.SslOptions.AllowFailedCrlRetrieval ? "FC" : "0");
  key.append(",");
+#if LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0
  key.append(
      !options.SslOptions.PemEncodedExpectedRootCertificates.empty() ? std::to_string(
          std::hash<std::string>{}(options.SslOptions.PemEncodedExpectedRootCertificates))
                                                                     : "0");
+#else
+  key.append("0");
+#endif
  key.append(",");
  // using DefaultConnectionTimeout or 0 result in the same setting
  key.append(
@ -2308,6 +2314,7 @@ CurlConnection::CurlConnection(
    }
  }

+#if LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0
  if (!options.SslOptions.PemEncodedExpectedRootCertificates.empty())
  {
    curl_blob rootCertBlob
@ -2323,6 +2330,7 @@ CurlConnection::CurlConnection(
          + std::string(curl_easy_strerror(result)));
    }
  }
+#endif

 #if defined(AZ_PLATFORM_WINDOWS)
  long sslOption = 0;