be more verbose about public-key pinning #410

Closed
mark-kubacki opened this issue Sep 3, 2015 · 0 comments
@mark-kubacki (Contributor):

Please print the public key hashes when using option -v, --verbose.

That option is obviously used when debugging, and displaying the SPKI could make pinning easier. It would avoid errors due to having pinned the wrong keys, too.


For example, this is hard to understand without more verbosity:

$ curl -fLO https://raw.githubusercontent.com/bagder/curl/44fe4b90290e8eab671aa2cf3d8d04b0ac6fd3e8/tests/certs/EdelCurlRoot-ca.crt

$ cat EdelCurlRoot-ca.crt \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
CWraIMfWm/XROwKyeQSbBhONX5dnq6Nlyoo8zhnj55I=

# yet in this file, the correct hash is said to be…
https://github.com/bagder/curl/blob/ce1bf87a04e3d5e42c2709ed106d62e80669c63b/tests/data/test2041
sha256//pyh+fICi9M8MFEZvherIT0cs3MN+cXNGoU9Giwyx1so=

Or even this:

$ openssl s_client -connect s.blitznote.com:443 2>&1 < /dev/null \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
$ curl --head --pinnedpubkey "sha256//fxBZ92Ul/3NOZJsiNJLhv5wHfywCe9PZvHWI6rd6frU=" https://s.blitznote.com/
# works
$ openssl s_client -connect community.scaleway.com:443 2>&1 < /dev/null \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=

$ curl --head --pinnedpubkey "sha256//daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=" https://community.scaleway.com/
curl: (90) SSL: public key does not match pinned public key!
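As an added example (not code from the issue or from curl), the following Python reproduces what the openssl pipeline above computes, then goes one step further: it prints a pin for every certificate in a PEM bundle rather than only the first one, which is how a pin for a root or intermediate can end up being mistaken for the server's pin and produce exactly the error shown above. The certificate skeletons are constructed inline and are unsigned; the parsing functions work on real DER or PEM certificates as well.

```python
import base64, hashlib, re

def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, whole-TLV bytes) for each element of a constructed value."""
    while start < end:
        tag, _, vend = _tlv(buf, start)
        yield tag, buf[start:vend]
        start = vend

def spki_der(cert_der):
    """DER-encoded subjectPublicKeyInfo: the exact byte string the pin is a hash of."""
    _, cert_start, _ = _tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(cert_der, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[5][1]   # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo

def curl_pin(cert_der):
    """Same value as the openssl pipeline: 'sha256//' + base64(SHA-256(SPKI DER))."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def pins_in_pem(pem_text):
    """One pin per certificate in a PEM bundle ('openssl x509' hashes only the FIRST block)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [curl_pin(base64.b64decode("".join(b.split()))) for b in blocks]

# --- constructed sample: unsigned Ed25519 certificate skeletons, structurally valid for parsing ---
def _der(tag, body):
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag, n]) + body if n < 0x80 else bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def _fake_cert(key_byte):
    ed25519 = _der(0x30, bytes.fromhex("06032b6570"))   # AlgorithmIdentifier { id-Ed25519 }
    spki = _der(0x30, ed25519 + _der(0x03, b"\x00" + bytes([key_byte]) * 32))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + ed25519 + _der(0x30, b"")
               + _der(0x30, _der(0x17, b"150903000000Z") * 2) + _der(0x30, b"") + spki)
    return _der(0x30, tbs + ed25519 + _der(0x03, b"\x00" + bytes(64)))
def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_LEAF, SAMPLE_ROOT = _fake_cert(0x11), _fake_cert(0x22)
SAMPLE_CHAIN_PEM = _pem(SAMPLE_LEAF) + _pem(SAMPLE_ROOT)   # leaf first, as s_client prints the chain
```

Running `pins_in_pem` over a full `openssl s_client -showcerts` dump gives one line per certificate, so the pin handed to `--pinnedpubkey` can be matched to the certificate it actually came from.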
bagder added the TLS label Sep 3, 2015
bagder closed this as completed in 30c131f Sep 19, 2015
jgsogo pushed a commit to jgsogo/curl that referenced this issue Oct 19, 2015
Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: curl#410
Reported-by: W. Mark Kubacki

Closes curl#430
Closes curl#410
lock bot locked as resolved and limited conversation to collaborators May 7, 2018