mirror of
https://github.com/curl/curl.git
synced 2026-07-08 07:27:20 +03:00
SSL: implement public key pinning
Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der
This commit is contained in:
parent
d1b56d0043
commit
93e450793c
20 changed files with 311 additions and 2 deletions
|
|
@ -521,6 +521,8 @@ typedef enum {
|
|||
CURLE_CHUNK_FAILED, /* 88 - chunk callback reported error */
|
||||
CURLE_NO_CONNECTION_AVAILABLE, /* 89 - No connection available, the
|
||||
session will be queued */
|
||||
CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not
|
||||
match */
|
||||
CURL_LAST /* never use! */
|
||||
} CURLcode;
|
||||
|
||||
|
|
@ -1611,6 +1613,10 @@ typedef enum {
|
|||
/* Pass in a bitmask of "header options" */
|
||||
CINIT(HEADEROPT, LONG, 229),
|
||||
|
||||
/* The public key in DER form used to validate the peer public key
|
||||
this option is used only if SSL_VERIFYPEER is true */
|
||||
CINIT(PINNEDPUBLICKEY, OBJECTPOINT, 230),
|
||||
|
||||
CURLOPT_LASTENTRY /* the last unused */
|
||||
} CURLoption;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue