New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

be more verbose about public-key pinning #410

Closed
wmark opened this Issue Sep 3, 2015 · 0 comments

Comments

Projects
None yet
2 participants
@wmark
Contributor

wmark commented Sep 3, 2015

Please print the public key hashes when using option -v, --verbose.

That option is obviously used when debugging, and displaying the SPKI could make pinning easier. It would avoid errors due to having pinned the wrong keys, too.


For example, this is hard to understand without more verbosity:

$ curl -fLO https://raw.githubusercontent.com/bagder/curl/44fe4b90290e8eab671aa2cf3d8d04b0ac6fd3e8/tests/certs/EdelCurlRoot-ca.crt

$ cat EdelCurlRoot-ca.crt \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
CWraIMfWm/XROwKyeQSbBhONX5dnq6Nlyoo8zhnj55I=

# yet in this file, the correct hash is said to be…
https://github.com/bagder/curl/blob/ce1bf87a04e3d5e42c2709ed106d62e80669c63b/tests/data/test2041
sha256//pyh+fICi9M8MFEZvherIT0cs3MN+cXNGoU9Giwyx1so=

Or even this:

$ openssl s_client -connect s.blitznote.com:443 2>&1 < /dev/null \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
$ curl --head --pinnedpubkey "sha256//fxBZ92Ul/3NOZJsiNJLhv5wHfywCe9PZvHWI6rd6frU=" https://s.blitznote.com/
# works
$ openssl s_client -connect community.scaleway.com:443 2>&1 < /dev/null \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=

$ curl --head --pinnedpubkey "sha256//daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=" https://community.scaleway.com/
curl: (90) SSL: public key does not match pinned public key!

@bagder bagder added the SSL/TLS label Sep 3, 2015

@bagder bagder closed this in 30c131f Sep 19, 2015

jgsogo added a commit to jgsogo/curl that referenced this issue Oct 19, 2015

ssl: add server cert's "sha256//" hash to verbose
Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: curl#410
Reported-by: W. Mark Kubacki

Closes curl#430
Closes curl#410

@lock lock bot locked as resolved and limited conversation to collaborators May 7, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.