
curl-library

RE: [PATCH] PEM support for Public Key Pinning

From: Patrick Monnerat <Patrick.Monnerat_at_datasphere.ch>
Date: Fri, 14 Nov 2014 14:52:00 +0100


Moparisthebest wrote:
> I went ahead and implemented Patrick's suggestions, the patch is
> attached and also pushed to my github here:
>
> https://github.com/moparisthebest/curl/commit/004d731d5e86d899baf78ece56e9bba2b0c30d3b

- "stripped_pem[pem_len + 1] = '\0';" is off-by-one. It should be
"stripped_pem[pem_len] = '\0';"
In all cases, terminating the string in the caller would be better since
it'll avoid initial copying.

- Scanning from the beginning for the -----END line can be replaced by a
scan from begin pos: it'll be faster and guarantee the result is greater
than begin_pos.

- Beware: armor lines may also be terminated with \r\n. And they should
be either at start of data or after a \n.

- Security, security: since you do not scan the file by chunks, you
should keep a reasonable limit to its size (maybe something like 1M...
just a suggestion).

> I've also seen BEGIN RSA PUBLIC KEY and BEGIN DSA PUBLIC KEY, maybe
> there is one for ECDSA keys too?
Yes, these armors exist: the encapsulated data contains the numeric part
of a key, without the encryption type OID. The armor is then specialized
to specify the encryption type info. If you also want to process these,
you'll have to rebuild the private key ASN.1 structure yourself... I
think this will drive us in a very far and complicated country... And
curl is not an SSL backend ;-)

For info, I've found this page:
http://stackoverflow.com/questions/5355046/where-is-the-pem-file-format-specified
Hint: to determine the ASN.1 structure specific to each armor when
lacking doc, I search for such a PEM file and use:
        openssl asn1parse -in <thepemfile>
And start reverse engineering on it :-(
RFCs may also help you.

Cheers,
Patrick

Received on 2014-11-14
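As an added illustration (not code from the patch or from curl), a C routine that applies the review points above: the BEGIN/END armor is only accepted at start of data or after a '\n' (so "\r\n" endings work), the END scan starts from the body so it cannot precede the BEGIN, the in-memory file is capped in size, and the terminating NUL is left to the caller, which must put it at buf[body_len]. The function names, the 1M limit and the sample input are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed input size limit, per the mail's "reasonable limit" advice. */
#define PEM_MAX_INPUT (1024 * 1024)

/* Constructed sample: leading junk, CRLF line endings, one public-key block. */
static const char constructed_pem[] =
    "junk\n-----BEGIN PUBLIC KEY-----\r\nAAAA\r\nBBBB\r\n-----END PUBLIC KEY-----\r\n";

/* An armor line counts only at start of data or right after a '\n'
   ("\r\n" ends in '\n', so CRLF files are covered too). */
static int at_line_start(const char *data, size_t pos)
{
    return pos == 0 || data[pos - 1] == '\n';
}

/* Find the first armor tag at a line start from pos on; returns its offset
   or (size_t)-1 if none. Works on non-NUL-terminated buffers. */
static size_t find_armor(const char *data, size_t len, size_t pos, const char *tag)
{
    size_t tlen = strlen(tag);
    for(; pos + tlen <= len; pos++)
        if(at_line_start(data, pos) && !memcmp(data + pos, tag, tlen))
            return pos;
    return (size_t)-1;
}

/* Locate the body of the first PEM block in data[0..len): *body points just
   after the BEGIN line, *body_len excludes the body's final line ending.
   Returns 0 on success, -1 otherwise. Nothing is copied or NUL-terminated
   here: the caller copies body_len bytes and writes '\0' at buf[body_len]. */
int pem_find_body(const char *data, size_t len, const char **body, size_t *body_len)
{
    size_t begin_pos, end_pos, start;
    const char *nl;
    if(len > PEM_MAX_INPUT) return -1;  /* whole file is in memory: cap it */
    begin_pos = find_armor(data, len, 0, "-----BEGIN ");
    if(begin_pos == (size_t)-1) return -1;
    nl = memchr(data + begin_pos, '\n', len - begin_pos);  /* end of BEGIN line */
    if(!nl) return -1;
    start = (size_t)(nl - data) + 1;
    /* scan for END from the body start, so it can never precede BEGIN */
    end_pos = find_armor(data, len, start, "-----END ");
    if(end_pos == (size_t)-1) return -1;
    while(end_pos > start && (data[end_pos - 1] == '\n' || data[end_pos - 1] == '\r'))
        end_pos--;  /* drop the body's trailing "\n" or "\r\n" */
    *body = data + start;
    *body_len = end_pos - start;
    return 0;
}
```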