SSL: implement public key pinning

Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der
author: moparisthebest <admin@moparisthebest.com> 2014-09-30 22:31:17 -0400
committer: Daniel Stenberg <daniel@haxx.se> 2014-10-07 14:44:19 +0200
commit: 93e450793ce289925dfd1d5e3b2d14e781f8dfd4 (patch)
tree: 3ceea898922e067a4a692204f6388ab633deebef /src/tool_operate.c
parent: d1b56d00439ab26d7fc43e37ab18ae331ddc400d (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/tool_operate.c b/src/tool_operate.c
index fd2fd6ddd..488fb08c4 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1025,6 +1025,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
         if(config->crlfile)
           my_setopt_str(curl, CURLOPT_CRLFILE, config->crlfile);
 
+        if(config->pinnedpubkey)
+          my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey);
+
         if(curlinfo->features & CURL_VERSION_SSL) {
           if(config->insecure_ok) {
             my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
author	moparisthebest <admin@moparisthebest.com>	2014-09-30 22:31:17 -0400
committer	Daniel Stenberg <daniel@haxx.se>	2014-10-07 14:44:19 +0200
commit	93e450793ce289925dfd1d5e3b2d14e781f8dfd4 (patch)
tree	3ceea898922e067a4a692204f6388ab633deebef /src/tool_operate.c
parent	d1b56d00439ab26d7fc43e37ab18ae331ddc400d (diff)