Re: [PATCH] Pinned public key hash support
Date: Mon, 01 Jun 2015 13:05:32 -0400
Attached is my second go at a patch for pinning public keys with a hash.
It now supports all backends public key pinning supported except for
GSKit, which simply needs a sha256 function (can someone help me out
here? By writing/testing preferably, or pointing me to docs?).
Here is the status of the backend support (all compiled/tested under
Linux, Ubuntu 14.04):
GSKit: No Support
Still waiting to hear back on this question:
On 05/29/2015 03:31 PM, moparisthebest wrote:
> 1. Is it safe to re-use the existing curlopt, the code treats it as a
> hash only if it starts with "sha256/" and nothing else, and then will
> not look on the filesystem for a file at all. I suppose this could
> break systems where a der/pem is in a folder named 'sha256/' with no
> leading path parts, but I feel like that's a safe bet? (And by 'break'
> I mean fail-closed, it'll fail to connect with 'curl: (90) SSL: public
> key does not match pinned public key!')
After which I can update documentation, write tests, and hopefully have
a final patch.
- text/x-patch attachment: stored