
2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net>

	Added client certificate authentication for SSL/TLS.
	Currently a private key must be decrypted for use with aria2.
	If a user accidentally gives an encrypted key file to aria2, the
	following happens:
	If an encrypted private key is given to aria2, it behaves
	differently depending on the SSL library it uses. If aria2 is built
	with openssl then openssl prompts the user for a password.
	If aria2 is built with gnutls then aria2 exits with an error at start up.
	* src/DownloadEngineFactory.cc
	* src/MultiUrlRequestInfo.cc
	* src/OptionHandlerFactory.cc
	* src/option_processing.cc
	* src/prefs.cc
	* src/prefs.h
	* src/usage_text.h
Tatsuhiro Tsujikawa 17 yıl önce
ebeveyn
işleme
79d463fae2

+ 18 - 0
ChangeLog

@@ -1,3 +1,21 @@
+2008-11-08  Tatsuhiro Tsujikawa  <t-tujikawa@users.sourceforge.net>
+
+	Added client certificate authentication for SSL/TLS.
+	Currently a private key must be decrypted for use with aria2.
+	If a user accidentally gives encrypted file to aria2 then following
+	thing happens:
+	If encrypted private key is given to aria2, it behaves differently
+	depending on the ssl library it uses. If aria2 built with openssl then
+	openssl prompts the user for password. If aria2 build with gnutls then
+	aria2 exists with error at start up.
+	* src/DownloadEngineFactory.cc
+	* src/MultiUrlRequestInfo.cc
+	* src/OptionHandlerFactory.cc
+	* src/option_processing.cc
+	* src/prefs.cc
+	* src/prefs.h
+	* src/usage_text.h
+	
 2008-11-08  Tatsuhiro Tsujikawa  <t-tujikawa@users.sourceforge.net>
 
 	Introduced TLSContext that holds TLS related data that can be shared

+ 0 - 9
src/DownloadEngineFactory.cc

@@ -54,10 +54,6 @@
 #include "TimedHaltCommand.h"
 #include "DownloadResult.h"
 #include "ServerStatMan.h"
-#ifdef ENABLE_SSL
-# include "SocketCore.h"
-# include "TLSContext.h"
-#endif // ENABLE_SSL
 
 namespace aria2 {
 
@@ -86,11 +82,6 @@ DownloadEngineFactory::newDownloadEngine(Option* op,
   DownloadEngineHandle e(new DownloadEngine());
   e->option = op;
 
-#ifdef ENABLE_SSL
-  SharedHandle<TLSContext> tlsContext(new TLSContext());
-  SocketCore::setTLSContext(tlsContext);
-#endif
-
   RequestGroupManHandle
     requestGroupMan(new RequestGroupMan(workingSet, MAX_CONCURRENT_DOWNLOADS,
 					op));

+ 14 - 0
src/MultiUrlRequestInfo.cc

@@ -54,6 +54,10 @@
 #include "File.h"
 #include "Netrc.h"
 #include "AuthConfigFactory.h"
+#ifdef ENABLE_SSL
+# include "SocketCore.h"
+# include "TLSContext.h"
+#endif // ENABLE_SSL
 
 namespace aria2 {
 
@@ -132,6 +136,16 @@ int MultiUrlRequestInfo::execute()
     }
     e->setAuthConfigFactory(authConfigFactory);
 
+#ifdef ENABLE_SSL
+    SharedHandle<TLSContext> tlsContext(new TLSContext());
+    if(_option->defined(PREF_CERTIFICATE) &&
+       _option->defined(PREF_PRIVATE_KEY)) {
+      tlsContext->addClientKeyFile(_option->get(PREF_CERTIFICATE),
+				   _option->get(PREF_PRIVATE_KEY));
+    }
+    SocketCore::setTLSContext(tlsContext);
+#endif
+
     std::string serverStatIf = _option->get(PREF_SERVER_STAT_IF);
     if(!serverStatIf.empty()) {
       e->_requestGroupMan->loadServerStat(serverStatIf);
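Review bot: The client certificate is only loaded when both PREF_CERTIFICATE and PREF_PRIVATE_KEY are defined (the condition at the top of the new block), so a user who passes just one of --certificate/--private-key gets no client authentication and no diagnostic; add an `else if(_option->defined(PREF_CERTIFICATE) || _option->defined(PREF_PRIVATE_KEY))` branch that reports the missing counterpart before any connection is attempted. If TLSContext::addClientKeyFile signals failure through its return value rather than by throwing, that result is also discarded here — worth confirming against TLSContext, since the commit message already notes that the two TLS backends react differently to an unusable key. MultiUrlRequestInfo::execute starts and ends outside the hunk.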

+ 14 - 0
src/OptionHandlerFactory.cc

@@ -429,6 +429,13 @@ OptionHandlers OptionHandlerFactory::createOptionHandlers()
     handlers.push_back(op);
   }
   // HTTP Specific Options
+  {
+    SharedHandle<OptionHandler> op(new DefaultOptionHandler
+				   (PREF_CERTIFICATE,
+				    TEXT_CERTIFICATE));
+    op->addTag(TAG_HTTP);
+    handlers.push_back(op);
+  }
   {
     SharedHandle<OptionHandler> op(new BooleanOptionHandler
 				   (PREF_ENABLE_HTTP_KEEP_ALIVE,
@@ -498,6 +505,13 @@ OptionHandlers OptionHandlerFactory::createOptionHandlers()
 				    true));
     handlers.push_back(op);
   }
+  {
+    SharedHandle<OptionHandler> op(new DefaultOptionHandler
+				   (PREF_PRIVATE_KEY,
+				    TEXT_PRIVATE_KEY));
+    op->addTag(TAG_HTTP);
+    handlers.push_back(op);
+  }
   {
     SharedHandle<OptionHandler> op(new DefaultOptionHandler
 				   (PREF_REFERER,
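Review bot: Both new handlers are registered unconditionally, while the only consumer of PREF_CERTIFICATE/PREF_PRIVATE_KEY visible in this commit (src/MultiUrlRequestInfo.cc) sits under `#ifdef ENABLE_SSL`, so a build without SSL accepts --certificate and --private-key and then silently ignores them. The same applies to the two long-option entries and the 231/232 cases added in src/option_processing.cc, where the neighbouring PREF_SHOW_FILES entry shows the existing convention of guarding feature-specific options with `#if defined ...`. Wrapping each of these additions in `#ifdef ENABLE_SSL` … `#endif // ENABLE_SSL` keeps the accepted option set consistent with what the binary can actually do. createOptionHandlers continues outside the hunk.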

+ 8 - 0
src/option_processing.cc

@@ -182,6 +182,8 @@ Option* option_processing(int argc, char* const argv[])
       { PREF_FTP_PROXY.c_str(), required_argument, &lopt, 228 },
       { PREF_ALL_PROXY.c_str(), required_argument, &lopt, 229 },
       { PREF_PROXY_METHOD.c_str(), required_argument, &lopt, 230 },
+      { PREF_CERTIFICATE.c_str(), required_argument, &lopt, 231 },
+      { PREF_PRIVATE_KEY.c_str(), required_argument, &lopt, 232 },
 #if defined ENABLE_BITTORRENT || defined ENABLE_METALINK
       { PREF_SHOW_FILES.c_str(), no_argument, NULL, 'S' },
       { PREF_SELECT_FILE.c_str(), required_argument, &lopt, 21 },
@@ -450,6 +452,12 @@ Option* option_processing(int argc, char* const argv[])
       case 230:
 	cmdstream << PREF_PROXY_METHOD << "=" << optarg << "\n";
 	break;
+      case 231:
+	cmdstream << PREF_CERTIFICATE << "=" << optarg << "\n";
+	break;
+      case 232:
+	cmdstream << PREF_PRIVATE_KEY << "=" << optarg << "\n";
+	break;
       }
       break;
     }

+ 4 - 0
src/prefs.cc

@@ -180,6 +180,10 @@ const std::string PREF_ENABLE_HTTP_PIPELINING("enable-http-pipelining");
 const std::string PREF_MAX_HTTP_PIPELINING("max-http-pipelining");
 // value: string
 const std::string PREF_HEADER("header");
+// value: string that your file system recognizes as a file name.
+const std::string PREF_CERTIFICATE("certificate");
+// value: string that your file system recognizes as a file name.
+const std::string PREF_PRIVATE_KEY("private-key");
 
 /** 
  * Proxy related preferences

+ 5 - 1
src/prefs.h

@@ -86,7 +86,7 @@ extern const std::string PREF_STARTUP_IDLE_TIME;
 // value: prealloc | none
 extern const std::string PREF_FILE_ALLOCATION;
 extern const std::string V_PREALLOC;
-#// value: 1*digit
+// value: 1*digit
 extern const std::string PREF_NO_FILE_ALLOCATION_LIMIT;
 // value: true | false
 extern const std::string PREF_ALLOW_OVERWRITE;
@@ -184,6 +184,10 @@ extern const std::string PREF_ENABLE_HTTP_PIPELINING;
 extern const std::string PREF_MAX_HTTP_PIPELINING;
 // value: string
 extern const std::string PREF_HEADER;
+// value: string that your file system recognizes as a file name.
+extern const std::string PREF_CERTIFICATE;
+// value: string that your file system recognizes as a file name.
+extern const std::string PREF_PRIVATE_KEY;
 
 /**;
  * Proxy related preferences

+ 9 - 0
src/usage_text.h

@@ -389,3 +389,12 @@ _(" --auto-save-interval=SEC     Save a control file(*.aria2) every SEC seconds.
   "                              If 0 is given, a control file is not saved during\n"\
   "                              download. aria2 saves a control file when it stops\n"\
   "                              regardless of the value.")
+#define TEXT_CERTIFICATE \
+_(" --certificate=FILE           Use the client certificate in FILE.\n"\
+  "                              The certificate must be in PEM format.\n"\
+  "                              You may use --private-key option to specify the\n"\
+  "                              private key.")
+#define TEXT_PRIVATE_KEY \
+_(" --private-key=FILE           Use the private key in FILE.\n"\
+  "                              The private key must be decrypted and in PEM\n"\
+  "                              format. See also --certificate option.")