New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mbedtls: Implement CURLOPT_PINNEDPUBLICKEY #589
Conversation
By analyzing the blame information on this pull request, we identified @moparisthebest, @sasq64 and @bagder to be potential reviewers |
Lovely, is there a particular mbedtls version required? |
It looks like Curl_pin_peer_pubkey is used correctly, and curlssl_sha256sum is defined so sha256 pins should work. My only concern is due to 'unsigned char pubkey[1024];' in mbedtls_verify_pinned_crt it looks like there is a hard-coded upper limit to the number of bits in a public key? Does it work with 4096 or 8192 bit RSA keys? The other backends malloc a char* with the exact size needed. Edit: You can use moparisthebest.com for testing against a 4096-bit RSA key, and any site with cloudflare TLS enabled (like cloudflare.com) for a 256-bit EC key. |
Hello @bagder, Hello @moparisthebest, Cheers, |
I was unable to determine the exact size necessary for the buffer and will ask the mbedtls people to tell me how to determine the size of the buffer. Once I have an answer, I'll complete my patch and push it. |
…at for public pinning verification
Manuel answered:
I calculated the worst case size. Please review. If you're ready to pull let me know if you want to keep the whole history or if I should make a small single patch ready that you're pulling. Cheers, |
Seems like an odd API that will write something to a buffer for you, yet not be able to tell you how to size the buffer. Anyhow your code looks like the best that can be done given the circumstances, good work! I think they generally like a single patch/commit per feature like this, but bagder is the final word on that. :) |
Yes please, unless the history has some special significance, we prefer to merge a single logic change in a single commit. |
Hello Daniel, Cheers, |
Hello,
this implements CURLOPT_PINNEDPUBLICKEY for mbedtls. I tested it with sha256// on mingw-win32 and Linux. I have it in production for 20 users since one week. Please review and merge. I'm happy to work in any improvements.
Cheers,
Thomas