Added an option native_ca to proj.ini and an environment variable PROJ_NATIVE_CA to be able to configure curl to use the operating system CA store. (OSGeo#4356)

Fixes OSGeo#4338

Author: Robrecht-VS

data/proj.ini

@@ -42,6 +42,14 @@ only_best_default = off
 ; (added in PROJ 9.0)
 ; ca_bundle_path = /path/to/cabundle.pem
 
+; When this is set to on, the operating systems native CA store will be used for certificate verification
+; If you set this option to on and also set ca_bundle_path then during verification those certificates are
+; searched in addition to the native CA store.
+; (added in PROJ 9.6)
+; Valid values = on, off
+;native_ca = on
+
+
 ; Transverse Mercator (and UTM)  default algorithm: auto, evenden_snyder or poder_engsager
 ; * evenden_snyder is the fastest, but less accurate far from central meridian
 ; * poder_engsager is slower, but more accurate far from central meridian

docs/source/usage/environmentvars.rst

@@ -106,3 +106,11 @@ done by setting the variable with no content::
     Define a custom path to the CA Bundle file. This can be useful if `curl`
     and :envvar:`PROJ_NETWORK` are enabled. Alternatively, the 
     :c:func:`proj_curl_set_ca_bundle_path` function can be used.
+
+.. envvar:: PROJ_NATIVE_CA
+
+    .. versionadded:: 9.6.0
+    
+    When this is set to ON, the operating systems native CA store will be used for certificate verification
+    If you set this option to ON and also set PROJ_CURL_CA_BUNDLE then during verification those certificates are
+    searched in addition to the native CA store.

src/filemanager.cpp

@@ -1984,6 +1984,16 @@ void pj_load_ini(PJ_CONTEXT *ctx) {
             ci_equal(proj_only_best_default, "TRUE");
     }
 
+    const char *native_ca = getenv("PROJ_NATIVE_CA");
+    if (native_ca && native_ca[0] != '\0'){
+        ctx->native_ca = ci_equal(native_ca, "ON") ||
+                        ci_equal(native_ca, "YES") ||
+                        ci_equal(native_ca, "TRUE");
+    }
+    else {
+        native_ca = nullptr;
+    }
+
     ctx->iniFileLoaded = true;
     std::string content;
     auto file = std::unique_ptr<NS_PROJ::File>(
@@ -2050,6 +2060,11 @@ void pj_load_ini(PJ_CONTEXT *ctx) {
                     ci_equal(value, "ON") || ci_equal(value, "YES") ||
                     ci_equal(value, "TRUE");
             }
+            else if (native_ca == nullptr && key == "native_ca"){
+                ctx->native_ca =
+                    ci_equal(value, "ON") || ci_equal(value, "YES") ||
+                    ci_equal(value, "TRUE");
+            }
         }
 
         pos = content.find_first_not_of("\r\n", eol);

src/networkfilemanager.cpp

@@ -1595,6 +1595,13 @@ static std::string pj_context_get_bundle_path(PJ_CONTEXT *ctx) {
     return ctx->ca_bundle_path;
 }
 
+#if CURL_AT_LEAST_VERSION(7, 71, 0)
+static bool pj_context_get_native_ca(PJ_CONTEXT *ctx) {
+    pj_load_ini(ctx);
+    return ctx->native_ca;
+}
+#endif
+
 // ---------------------------------------------------------------------------
 
 CurlFileHandle::CurlFileHandle(PJ_CONTEXT *ctx, const char *url, CURL *handle)
@@ -1622,7 +1629,19 @@ CurlFileHandle::CurlFileHandle(PJ_CONTEXT *ctx, const char *url, CURL *handle)
 #if defined(SSL_OPTIONS)
     // https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html
     auto ssl_options = static_cast<long>(SSL_OPTIONS);
+#if CURL_AT_LEAST_VERSION(7, 71, 0)
+    if (pj_context_get_native_ca(ctx)) {
+        ssl_options = ssl_options | CURLSSLOPT_NATIVE_CA;
+    }
+#endif
     CHECK_RET(ctx, curl_easy_setopt(handle, CURLOPT_SSL_OPTIONS, ssl_options));
+#else
+#if CURL_AT_LEAST_VERSION(7, 71, 0)
+    if (pj_context_get_native_ca(ctx)){
+        CHECK_RET(ctx, curl_easy_setopt(handle, CURLOPT_SSL_OPTIONS,
+                                        (long)CURLSSLOPT_NATIVE_CA));
+    }
+#endif
 #endif
 
     const auto ca_bundle_path = pj_context_get_bundle_path(ctx);

src/proj_internal.h

@@ -820,6 +820,7 @@ struct pj_ctx {
     std::string endpoint{};
     projNetworkCallbacksAndData networking{};
     std::string ca_bundle_path{};
+    bool native_ca=false;
     projGridChunkCache gridChunkCache{};
     TMercAlgo defaultTmercAlgo =
         TMercAlgo::PODER_ENGSAGER; // can be overridden by content of proj.ini