curl-library
[PATCH] Pinned public key hash support
Date: Fri, 29 May 2015 15:31:04 -0400
Hello all,
The patch attached is a first go at supporting pinning public keys with
sha256 hashes, continuing on the road to RFC-7469 [1] support.
Currently this only works for OpenSSL (others are trivial, I'll probably
only be able to test GnuTLS though) and I haven't updated documentation
or tests until I get confirmation that I am going in the right direction.
I am re-using the current option/curlopt for pinnedpubkey, which
currently supports a file path to a der or pem encoded public key; this
adds support for a list of sha256 hashes formatted like so:
sha256/rVYsrz3N5qYAwyCH110Ph/c4PxbH+ChdaGEuh81+lPI=
or
sha256/rVYsrz3N5qYAwyCH110Ph/c4PxbH+ChdaGEuh81+lPI=;sha256/t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=
And so on, any number of them. They are base64 encoded sha256 digests,
which is what the RFC supports.
To test this, get the sha256 hash of a public key by looking in the
Public-Key-Pins header sent by the server, or this openssl command:
openssl s_client -connect www.google.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
Then send it in to curl for example like this:
curl https://www.google.com --pinnedpubkey 'sha256/rVYsrz3N5qYAwyCH110Ph/c4PxbH+ChdaGEuh81+lPI='
Basically my questions are these:
1. Is it safe to re-use the existing curlopt? The code treats it as a
hash only if it starts with "sha256/" and nothing else, and then will
not look on the filesystem for a file at all. I suppose this could
break systems where a der/pem is in a folder named 'sha256/' with no
leading path parts, but I feel like that's a safe bet? (And by 'break'
I mean fail-closed, it'll fail to connect with 'curl: (90) SSL: public
key does not match pinned public key!')
2. General code question: does this look like a decent way to handle
the string etc?
Thanks for any comments I can get!
Travis Burtrum
[1]: https://www.rfc-editor.org/rfc/rfc7469.txt
- text/x-patch attachment: stored
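The pin format and the fail-closed matching rule described in the mail, as an added example written for this archive page; it is not the attached patch and not curl's own code. It assumes the mail's convention exactly: an option value is a pin list only if it starts with "sha256/", entries are separated by ";", and each entry is base64 of a 32-byte SHA-256 over the DER-encoded SubjectPublicKeyInfo. The sample key bytes are a constructed stand-in (a P-256 SPKI header with dummy point bytes), not a real server key; the pin beginning "rVYs" is the one quoted in the mail.

```python
"""Added example (not the patch from the mail): parse and check pins in the
'sha256/<base64>;sha256/<base64>' form the post proposes for --pinnedpubkey."""
import base64
import hashlib
import hmac
from typing import List

PIN_PREFIX = "sha256/"

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo, i.e. the bytes
# the openssl pipeline in the mail feeds to `openssl dgst -sha256`. The header
# is the standard P-256 SPKI prefix; the 64 point bytes are dummy filler.
SAMPLE_SPKI_DER = (
    bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04")
    + bytes(range(1, 65))
)


def is_pin_list(value: str) -> bool:
    """The mail's rule: the option is a hash list only if it starts with
    'sha256/'; anything else is still a path to a DER/PEM public key file."""
    return value.startswith(PIN_PREFIX)


def parse_pin_list(value: str) -> List[bytes]:
    """Split 'sha256/A;sha256/B' into raw 32-byte digests.

    Every malformed entry raises, so a typo in one pin fails the whole list
    instead of silently pinning fewer keys than the user intended."""
    if not is_pin_list(value):
        raise ValueError("not a sha256/ pin list")
    digests = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry.startswith(PIN_PREFIX):
            raise ValueError(f"pin entry lacks sha256/ prefix: {entry!r}")
        try:
            # validate=True rejects stray characters instead of ignoring them
            raw = base64.b64decode(entry[len(PIN_PREFIX):], validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"pin entry is not valid base64: {entry!r}") from exc
        if len(raw) != hashlib.sha256().digest_size:
            raise ValueError(f"pin entry is not a 32-byte sha256 digest: {entry!r}")
        digests.append(raw)
    return digests


def make_pin(spki_der: bytes) -> str:
    """'sha256/' + base64(SHA-256(DER SubjectPublicKeyInfo)): the value the
    mail's openssl pipeline prints and RFC 7469 carries in Public-Key-Pins."""
    digest = hashlib.sha256(spki_der).digest()
    return PIN_PREFIX + base64.b64encode(digest).decode("ascii")


def pubkey_matches_pins(spki_der: bytes, pin_list: str) -> bool:
    """True if the server key's SPKI digest equals any configured pin.

    A list that fails to parse is treated as a mismatch (fail closed), which
    is the 'curl: (90) ... does not match pinned public key' outcome the
    mail describes rather than a silent fall-through to no pinning."""
    try:
        pins = parse_pin_list(pin_list)
    except ValueError:
        return False
    actual = hashlib.sha256(spki_der).digest()
    # constant-time compare per pin; the pins themselves are public, but this
    # keeps the check uniform regardless of which entry matches
    return any(hmac.compare_digest(actual, p) for p in pins)


if __name__ == "__main__":
    own_pin = make_pin(SAMPLE_SPKI_DER)
    mail_pin = "sha256/rVYsrz3N5qYAwyCH110Ph/c4PxbH+ChdaGEuh81+lPI="
    print("pin for sample key:   ", own_pin)
    print("matches own pin:      ", pubkey_matches_pins(SAMPLE_SPKI_DER, own_pin))
    print("matches pin from mail:", pubkey_matches_pins(SAMPLE_SPKI_DER, mail_pin))
    print("backup list (mail pin;own pin):",
          pubkey_matches_pins(SAMPLE_SPKI_DER, mail_pin + ";" + own_pin))
```

Running it prints the pin for the constructed key, a match against its own pin, a mismatch against the Google pin quoted in the mail, and a match when that pin is listed first with the key's own pin as a backup, which is the multi-entry case the post allows.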