diff options
| author | moparisthebest <admin@moparisthebest.com> | 2014-09-30 22:31:17 -0400 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2014-10-07 14:44:19 +0200 |
| commit | 93e450793ce289925dfd1d5e3b2d14e781f8dfd4 (patch) | |
| tree | 3ceea898922e067a4a692204f6388ab633deebef /tests/data | |
| parent | d1b56d00439ab26d7fc43e37ab18ae331ddc400d (diff) | |
SSL: implement public key pinning
Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).
Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().
Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
Diffstat (limited to 'tests/data')
| -rw-r--r-- | tests/data/Makefile.am | 2 | ||||
| -rw-r--r-- | tests/data/test2034 | 57 | ||||
| -rw-r--r-- | tests/data/test2035 | 43 |
3 files changed, 101 insertions, 1 deletions
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 252c8d55e..662ab8c69 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -138,7 +138,7 @@ test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \ test2016 test2017 test2018 test2019 test2020 test2021 test2022 test2023 \ test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ -test2032 test2033 +test2032 test2033 test2034 test2035 EXTRA_DIST = $(TESTCASES) DISABLED diff --git a/tests/data/test2034 b/tests/data/test2034 new file mode 100644 index 000000000..92f6085d1 --- /dev/null +++ b/tests/data/test2034 @@ -0,0 +1,57 @@ +<testcase> +<info> +<keywords> +HTTPS +HTTP GET +PEM certificate +</keywords> +</info> + +# +# Server-side +<reply> +<data> +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Content-Length: 7 + +MooMoo +</data> +</reply> + +# +# Client-side +<client> +<features> +SSL +</features> +<server> +https Server-localhost-sv.pem +</server> + <name> +simple HTTPS GET with public key pinning + </name> + <command> +--cacert %SRCDIR/certs/EdelCurlRoot-ca.crt --pinnedpubkey %SRCDIR/certs/Server-localhost-sv.pub.der https://localhost:%HTTPSPORT/2034 +</command> +# Ensure that we're running on localhost because we're checking the host name +<precheck> +perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0.0.1' );" +</precheck> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET /2034 HTTP/1.1
+Host: localhost:%HTTPSPORT
+Accept: */*
+
+</protocol> +</verify> +</testcase> diff --git a/tests/data/test2035 b/tests/data/test2035 new file mode 100644 index 000000000..8591be271 --- /dev/null +++ b/tests/data/test2035 @@ -0,0 +1,43 @@ +<testcase> +<info> +<keywords> +HTTPS +HTTP GET +PEM certificate +</keywords> +</info> + +# +# Server-side +<reply> +</reply> + +# +# Client-side +<client> +<features> +SSL +</features> +<server> +https Server-localhost-sv.pem +</server> + <name> +HTTPS wrong pinnedpubkey but right CN + </name> + <command> +--cacert %SRCDIR/certs/EdelCurlRoot-ca.crt --pinnedpubkey %SRCDIR/certs/Server-localhost-sv.der https://localhost:%HTTPSPORT/2035 +</command> +# Ensure that we're running on localhost because we're checking the host name +<precheck> +perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0.0.1' );" +</precheck> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<errorcode> +90 +</errorcode> +</verify> +</testcase> |