---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_ISSUERCERT_BLOB
Section: 3
Source: libcurl
See-also:
  - CURLOPT_CRLFILE (3)
  - CURLOPT_ISSUERCERT (3)
  - CURLOPT_SSL_VERIFYHOST (3)
  - CURLOPT_SSL_VERIFYPEER (3)
Protocol:
  - TLS
TLS-backend:
  - OpenSSL
---

# NAME

CURLOPT_ISSUERCERT_BLOB - issuer SSL certificate from memory blob

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ISSUERCERT_BLOB,
                          struct curl_blob *stblob);
~~~

# DESCRIPTION

Pass a pointer to a curl_blob structure, which contains information (pointer
and size) about a memory block with binary data of a CA certificate in PEM
format. If the option is set, an additional check against the peer certificate
is performed to verify that the issuer is indeed the one associated with the
certificate provided by the option. This additional check is useful in
multi-level PKI where one needs to enforce that the peer certificate is from a
specific branch of the tree.

This option should be used in combination with the
CURLOPT_SSL_VERIFYPEER(3) option. Otherwise, a failed check is not
treated as an error.

A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
which is returned if the setup of the SSL/TLS session has failed due to a
mismatch with the issuer of the peer certificate (CURLOPT_SSL_VERIFYPEER(3)
has to be set too for the check to fail).

If the blob is initialized with the flags member of struct curl_blob set to
CURL_BLOB_COPY, the application does not have to keep the buffer around after
setting this.

This option is an alternative to CURLOPT_ISSUERCERT(3) which instead
expects a filename as input.

# DEFAULT

NULL

# EXAMPLE

~~~c

extern char *certificateData;
extern size_t filesize;

int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    struct curl_blob blob;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    blob.data = certificateData;
    blob.len = filesize;
    blob.flags = CURL_BLOB_COPY;
    curl_easy_setopt(curl, CURLOPT_ISSUERCERT_BLOB, &blob);
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
}
~~~

# AVAILABILITY

Added in 7.71.0. This option is supported by the OpenSSL backends.

# RETURN VALUE

Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.