SSL: implement public key pinning

Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).

Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().

Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
This commit is contained in:
moparisthebest 2014-09-30 22:31:17 -04:00 committed by Daniel Stenberg
parent d1b56d0043
commit 93e450793c
20 changed files with 311 additions and 2 deletions

View file

@ -521,6 +521,8 @@ typedef enum {
CURLE_CHUNK_FAILED, /* 88 - chunk callback reported error */
CURLE_NO_CONNECTION_AVAILABLE, /* 89 - No connection available, the
session will be queued */
CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not
match */
CURL_LAST /* never use! */
} CURLcode;
@ -1611,6 +1613,10 @@ typedef enum {
/* Pass in a bitmask of "header options" */
CINIT(HEADEROPT, LONG, 229),
/* The public key in DER form used to validate the peer public key
this option is used only if SSL_VERIFYPEER is true */
CINIT(PINNEDPUBLICKEY, OBJECTPOINT, 230),
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;