be more verbose about public-key pinning #410
Description
Please print the public key hashes when using option -v, --verbose.
That option is obviously used when debugging, and displaying the SPKI could make pinning easier. It would avoid errors due to having pinned the wrong keys, too.
For example, this is hard to understand without more verbosity:
$ curl -fLO https://raw.githubusercontent.com/bagder/curl/44fe4b90290e8eab671aa2cf3d8d04b0ac6fd3e8/tests/certs/EdelCurlRoot-ca.crt
$ cat EdelCurlRoot-ca.crt \
| sed -n '/-----BEGIN/,/-----END/p' \
| openssl x509 -noout -pubkey \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64
CWraIMfWm/XROwKyeQSbBhONX5dnq6Nlyoo8zhnj55I=
# yet in this file, the correct hash is said to be…
https://github.com/bagder/curl/blob/ce1bf87a04e3d5e42c2709ed106d62e80669c63b/tests/data/test2041
sha256//pyh+fICi9M8MFEZvherIT0cs3MN+cXNGoU9Giwyx1so=Or even this:
$ openssl s_client -connect s.blitznote.com:443 2>&1 < /dev/null \
| sed -n '/-----BEGIN/,/-----END/p' \
| openssl x509 -noout -pubkey \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64
$ curl --head --pinnedpubkey "sha256//fxBZ92Ul/3NOZJsiNJLhv5wHfywCe9PZvHWI6rd6frU=" https://s.blitznote.com/
# works$ openssl s_client -connect community.scaleway.com:443 2>&1 < /dev/null \
| sed -n '/-----BEGIN/,/-----END/p' \
| openssl x509 -noout -pubkey \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64
daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=
$ curl --head --pinnedpubkey "sha256//daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=" https://community.scaleway.com/
curl: (90) SSL: public key does not match pinned public key!