be more verbose about public-key pinning #410

Closed
wmark opened this Issue Sep 3, 2015 · 0 comments


wmark commented Sep 3, 2015

Please print the public key hashes when using option -v, --verbose.

That option is obviously used when debugging, and displaying the SPKI could make pinning easier. It would avoid errors due to having pinned the wrong keys, too.


For example, this is hard to understand without more verbosity:

$ curl -fLO https://raw.githubusercontent.com/bagder/curl/44fe4b90290e8eab671aa2cf3d8d04b0ac6fd3e8/tests/certs/EdelCurlRoot-ca.crt

$ cat EdelCurlRoot-ca.crt \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
CWraIMfWm/XROwKyeQSbBhONX5dnq6Nlyoo8zhnj55I=

# yet in this file, the correct hash is said to be…
https://github.com/bagder/curl/blob/ce1bf87a04e3d5e42c2709ed106d62e80669c63b/tests/data/test2041
sha256//pyh+fICi9M8MFEZvherIT0cs3MN+cXNGoU9Giwyx1so=

Or even this:

$ openssl s_client -connect s.blitznote.com:443 2>&1 < /dev/null \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
$ curl --head --pinnedpubkey "sha256//fxBZ92Ul/3NOZJsiNJLhv5wHfywCe9PZvHWI6rd6frU=" https://s.blitznote.com/
# works
$ openssl s_client -connect community.scaleway.com:443 2>&1 < /dev/null \
                    | sed -n '/-----BEGIN/,/-----END/p' \
                    | openssl x509 -noout -pubkey \
                    | openssl pkey -pubin -outform der \
                    | openssl dgst -sha256 -binary \
                    | openssl enc -base64
daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=

$ curl --head --pinnedpubkey "sha256//daHR2E1iBqPT1X9qK/UISUZlkqW6MGJ7eBI+HDNtARs=" https://community.scaleway.com/
curl: (90) SSL: public key does not match pinned public key!
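Added example, not curl's code and not from the reporter: a stdlib-only Python script that pulls the DER SubjectPublicKeyInfo out of a certificate and produces the same "sha256//" pin string the openssl pipeline above computes, together with the ';'-separated multi-pin matching that `--pinnedpubkey` accepts. The function names, the minimal DER walker and the unsigned certificate skeleton used as sample input are all constructed for this example.

```python
import base64
import hashlib

def der_encode(tag, payload):
    """Encode one short-form DER element; used only to build the constructed sample."""
    return bytes([tag, len(payload)]) + payload

def der_tlv(buf, pos):
    """Return (tag, header_len, content_len) of the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def der_children(buf, pos):
    """Yield (start, end) of each element directly inside the constructed element at pos."""
    _, hlen, clen = der_tlv(buf, pos)
    cur, end = pos + hlen, pos + hlen + clen
    while cur < end:
        _, h, c = der_tlv(buf, cur)
        yield cur, cur + h + c
        cur += h + c

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo: the bytes the openssl pipeline above hashes.
    In TBSCertificate it follows [0] version (optional), serial, sigAlg, issuer, validity, subject."""
    tbs_start, _ = next(der_children(cert_der, 0))
    fields = list(der_children(cert_der, tbs_start))
    if cert_der[fields[0][0]] == 0xA0:   # explicit [0] version tag present: skip it
        fields = fields[1:]
    start, end = fields[5]
    return cert_der[start:end]

def spki_pin(cert_der):
    """curl --pinnedpubkey form: "sha256//" + base64(SHA-256(SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode()

def pin_matches(pinned, actual):
    """--pinnedpubkey accepts several pins separated by ';' (e.g. current key plus backup)."""
    return actual in [p.strip() for p in pinned.split(";")]

# Constructed sample: a correctly formatted Ed25519 SPKI (OID 1.3.101.112) around a dummy
# key, wrapped in a minimal unsigned certificate skeleton. Structure only, not a real cert.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
EMPTY_SEQ = der_encode(0x30, b"")
SAMPLE_TBS = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))
                        + der_encode(0x02, b"\x01") + EMPTY_SEQ * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der_encode(0x30, SAMPLE_TBS + EMPTY_SEQ + der_encode(0x03, b"\x00"))
```

Run `spki_pin(SAMPLE_CERT)` on a real DER certificate (e.g. `openssl x509 -outform der`) and the result is the value to pass to `--pinnedpubkey`; the empty SEQUENCEs in the skeleton stand in for fields the parser never inspects.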
@bagder bagder added the SSL/TLS label Sep 3, 2015
@bagder bagder added a commit that referenced this issue Sep 19, 2015
gnawhleinad + bagder: ssl: add server cert's "sha256//" hash to verbose
Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: #410
Reported-by: W. Mark Kubacki

Closes #430
Closes #410
30c131f
@bagder bagder added a commit that closed this issue Sep 19, 2015
gnawhleinad + bagder: ssl: add server cert's "sha256//" hash to verbose
Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: #410
Reported-by: W. Mark Kubacki

Closes #430
Closes #410
30c131f
@bagder bagder closed this in 30c131f Sep 19, 2015
@jgsogo jgsogo added a commit to jgsogo/curl that referenced this issue Oct 19, 2015
gnawhleinad + jgsogo: ssl: add server cert's "sha256//" hash to verbose
Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: curl#410
Reported-by: W. Mark Kubacki

Closes #430
Closes #410
51f2a45