author | Patrick Monnerat <pm@datasphere.ch> | 2014-10-14 14:58:26 +0200 |
---|---|---|
committer | Patrick Monnerat <pm@datasphere.ch> | 2014-10-14 14:58:26 +0200 |
commit | 473322ec66a0969c3c59e8006f9ac72768b91adf (patch) | |
tree | 1964192f49e48045e13d4d97f247893ef7e22de5 /lib/vtls | |
parent | 89e543f3830bb8d821fedaa6ca4fb6d776e601b8 (diff) |
Implement pinned public key in GSKit backend
Diffstat (limited to 'lib/vtls')
-rw-r--r-- | lib/vtls/gskit.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 0f8b08f2c..ae878c7bc 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -804,6 +804,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
 const gsk_cert_data_elem *p;
 const char *cert = (const char *) NULL;
 const char *certend;
+ const char *ptr;
 int i;
 CURLcode cc;
@@ -857,6 +858,23 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
 }
 }
+ /* Check pinned public key. */
+ ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ if(cc == CURLE_OK && ptr) {
+ curl_X509certificate x509;
+ curl_asn1Element *p;
+
+ if(!cert)
+ return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
+ Curl_parseX509(&x509, cert, certend);
+ p = &x509.subjectPublicKeyInfo;
+ cc = Curl_pin_peer_pubkey(ptr, p->header, p->end - p->header);
+ if(cc != CURLE_OK) {
+ failf(data, "SSL: public key does not match pinned public key!");
+ return cc;
+ }
+ }
+
 connssl->connecting_state = ssl_connect_done;
 return CURLE_OK;
 }
|
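Review bot: The result of `Curl_parseX509(&x509, cert, certend)` in the new pinning block is discarded, so a peer certificate whose DER does not parse still reaches `Curl_pin_peer_pubkey` through `p->header` and `p->end` of a `subjectPublicKeyInfo` element that may never have been filled in, and `x509` is an automatic variable with no initializer. A pin check must fail closed: test the parser's result and return `CURLE_SSL_PINNEDPUBKEYNOTMATCH` before touching the element, e.g. `if(Curl_parseX509(&x509, cert, certend) < 0)` / `return CURLE_SSL_PINNEDPUBKEYNOTMATCH;`, adjusting the comparison to whatever failure value the parser actually reports, which is not visible in this diff. Two smaller points: the inner `curl_asn1Element *p` shadows the function-scope `const gsk_cert_data_elem *p` declared in the previous hunk, which is easy to misread in a function that uses both, and the `cc == CURLE_OK && ptr` guard skips pinning entirely when an earlier step left `cc` in error while the following context lines still set `ssl_connect_done` and return `CURLE_OK`, which is only safe if every such failure already returned before this point. The body of gskit_connect_step3 starts outside the hunk, so that earlier error handling cannot be confirmed here.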