
curl-library

Re: Questions and proposals about SSL and pinned public key

From: moparisthebest <admin_at_moparisthebest.com>
Date: Mon, 13 Oct 2014 10:16:54 -0400

Hello all,

On 10/10/2014 02:08 PM, Patrick Monnerat wrote:

> 4) I would like to split the backend-specific pkp_pin_peer_pubkey() (of
> openssl and gtls) into a backend-specific part that gets the key from
> the certificate and a generic part cooking the pinned public key and
> comparing: this would avoid repeating the PPK cooking in each backend.
> Any objection?
>
> 5) The misunderstanding I made 2 days ago about PPK inspired me the
> following possible improvement. If the PPK file does not exist, the
> curl_easy_setopt() string is checked for being a PEM public key (direct
> data). In addition, the file data is checked for PEM format. Else it
> behaves as today (DER).

I don't think you can do both 4 and 5: the
read-DER-file-into-memory-and-compare code is the same across
openssl/gnutls because the DER format is basically just the raw format,
so if we only want to support DER, it should be split into a separate
method shared across both backends. But if we are going to support PEM,
or hashes, or anything else in the future, that will have to be handled
with different crypto methods in each backend.

Also I think it'd be great to support the PEM format in addition to DER,
and I agree that the current option should be able to detect which
format the file is in, but I also agree with bagder that direct data
should be a different option entirely.

Thanks much for reviewing that code, looking forward to more
discussions/patches on it!
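The split discussed above (a generic "cook the pinned key and compare" part versus whatever the TLS backend does to extract the peer's key) can be illustrated without any TLS library, because the pinned side only deals with bytes. The following is an added example, not curl code and not from either poster: it takes the pinned-key spec either as a file path or as direct PEM data (the point-5 proposal), detects PEM by its armour and base64-decodes it, otherwise treats the input as raw DER, and compares the result to a peer SubjectPublicKeyInfo in constant time. The sample key bytes, the function names and the rule that direct data must be PEM are assumptions made for the example.

```python
import base64
import hmac
import os
import re
import tempfile

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo. A real SPKI is
# a longer ASN.1 blob; for the pinning logic it is just an opaque byte string.
SAMPLE_SPKI_DER = bytes(range(0x30, 0x40))

PEM_RE = re.compile(
    rb"-----BEGIN PUBLIC KEY-----\s*(.*?)\s*-----END PUBLIC KEY-----", re.S)


def cook_pinned_pubkey(data: bytes) -> bytes:
    """Generic, backend-independent part: normalise pin material to DER.
    PEM is recognised by its armour lines and base64-decoded (whitespace
    inside the body is tolerated); anything else is taken to be DER already,
    which is the raw encoding and needs no further processing."""
    m = PEM_RE.search(data)
    if m:
        body = b"".join(m.group(1).split())
        return base64.b64decode(body, validate=True)
    return data


def load_pin(spec: bytes) -> bytes:
    """Resolve the option value: an existing file is read (PEM or DER);
    otherwise the value itself must be PEM direct data (assumed rule)."""
    try:
        path = spec.decode()
    except UnicodeDecodeError:
        path = None
    if path and os.path.isfile(path):
        with open(path, "rb") as f:
            return cook_pinned_pubkey(f.read())
    if PEM_RE.search(spec):
        return cook_pinned_pubkey(spec)
    raise ValueError("pin is neither an existing file nor PEM direct data")


def pin_matches(pinned_der: bytes, peer_spki_der: bytes) -> bool:
    """Compare the cooked pin with the peer SPKI the backend extracted.
    Constant-time comparison so mismatch position leaks nothing by timing."""
    return hmac.compare_digest(pinned_der, peer_spki_der)


def to_pem(der: bytes) -> bytes:
    """Wrap DER in PEM armour with 64-column base64 lines (helper for demo)."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN PUBLIC KEY-----\n" + b"\n".join(lines)
            + b"\n-----END PUBLIC KEY-----\n")


def demo() -> dict:
    """Exercise the three input kinds against the constructed sample key."""
    results = {}
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE_SPKI_DER)
        der_path = f.name
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(to_pem(SAMPLE_SPKI_DER))
        pem_path = f.name
    try:
        results["der_file"] = pin_matches(load_pin(der_path.encode()), SAMPLE_SPKI_DER)
        results["pem_file"] = pin_matches(load_pin(pem_path.encode()), SAMPLE_SPKI_DER)
        results["pem_direct"] = pin_matches(load_pin(to_pem(SAMPLE_SPKI_DER)), SAMPLE_SPKI_DER)
        # A different peer key must not match any form of the pin.
        results["wrong_peer"] = pin_matches(load_pin(der_path.encode()), b"\x00" * 16)
    finally:
        os.unlink(der_path)
        os.unlink(pem_path)
    return results


if __name__ == "__main__":
    print(demo())
```

Only `cook_pinned_pubkey`, `load_pin` and `pin_matches` would need to be shared; extracting the peer's SPKI bytes from the certificate is the part that stays backend-specific, exactly as the two replies describe.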
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-13