cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] PEM support for Public Key Pinning

From: moparisthebest <admin_at_moparisthebest.com>
Date: Wed, 12 Nov 2014 08:43:55 -0500

Hello,

Thanks for the feedback, I have a few questions before I start hacking
away again. :)

On 11/12/2014 08:01 AM, Patrick Monnerat wrote:
> - PEM files may contain more than one element: the first "^-----BEGIN
> PUBLIC KEY-----$" line should mark our target element. Processing this
> will probably require to scan the (huge) file itself, chunk by chunk.

I've also seen BEGIN RSA PUBLIC KEY and BEGIN DSA PUBLIC KEY, maybe
there is one for ECDSA keys too? Do you think it'd be acceptable to
just match on something like:

"^-----BEGIN .* PUBLIC KEY-----$"

And then just grab the first one in the file and abort, because I
suppose PEM files can have multiple public keys?

> - The size factor 2 is arbitrary (I understand it's there to limit the
> allocated memory amount :-) and will probably be ok for most of the
> currently considered subset, but will surely fail for "extended" (see
> above) PEM files.

Yep, if we are going to support PEM files with more than the single
public key we are after then that size limit needs removed/changed.
Should I just remove the upper limit on size entirely? This isn't a
value supplied by a remote server so it's not like a remote attacker can
force us to run out of memory.

> Thus the subset should be documented if the full (unofficial) PEM spec
> is not supported (no real standard, but a "de-facto" one).

Do you happen to have any links to more in-depth documentation of the
PEM format? I couldn't find anything besides the obvious "they are
base64 encoded" and past experience with my own PEM files. :)

Thanks,
moparisthebest
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-12