cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] Pinned public key hash support

From: Daniel Stenberg <>
Date: Mon, 29 Jun 2015 16:14:34 +0200 (CEST)

On Mon, 1 Jun 2015, moparisthebest wrote:

> Attached is my second go at a patch for pinning public keys with a hash.

Nice! Sorry for dropping the ball here, hopefully I'll be faster now.

>> 1. Is it safe to re-use the existing curlopt, the code treats it as a hash
>> only if it starts with "sha256/" and nothing else, and then will not look
>> on the filesystem for a file at all. I suppose this could break systems
>> where a der/pem is in a folder named 'sha256/' with no leading path parts,
>> but I feel like that's a safe bet?

First, your patch actually uses strstr() which scans for that substring. You
want plain memcmp() or strncmp().

Then, as we're introducing a new prefix to activate this magic we can probably
make it even less likely to be a subdir, by for example using double slashes
or something: "sha256//".

List admin:
Received on 2015-06-29