From 0675abbc7572ff6d711a1f325d9b812f98bce78f Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Sun, 5 Apr 2015 01:48:16 -0400 Subject: cyassl: Implement public key pinning Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc. --- docs/curl.1 | 5 ++--- docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 | 19 +++++++++++++++---- 2 files changed, 17 insertions(+), 7 deletions(-) (limited to 'docs') diff --git a/docs/curl.1 b/docs/curl.1 index cd29d087e..21d85c931 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -548,11 +548,10 @@ indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public key provided to this option, curl will abort the connection before sending or receiving any data. -This is currently only implemented in the OpenSSL, GnuTLS, NSS and GSKit -backends. +Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS and +wolfSSL/CyaSSL. Other SSL backends not supported. If this option is used several times, the last one will be used. -(Added in 7.39.0) .IP "--cert-status" (SSL) Tells curl to verify the status of the server certificate by using the Certificate Status Request (aka. OCSP stapling) TLS extension. diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 index 4cc68b1d3..94cad31f0 100644 --- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 +++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 @@ -50,11 +50,22 @@ if(curl) { curl_easy_perform(curl); } .fi +.SH PUBLIC KEY EXTRACTION +If you do not have the server's public key file you can extract it from the +server's certificate. +.nf +openssl x509 -in www.test.com.pem -pubkey -noout > www.test.com.pubkey.pem +.fi +The public key is output in PEM format and contains a header, base64 data and a +footer: +.nf +-----BEGIN PUBLIC KEY----- +[BASE 64 DATA] +-----END PUBLIC KEY----- +.fi .SH AVAILABILITY -If built TLS enabled. This is currently only implemented in the OpenSSL, -GnuTLS, NSS and GSKit backends. - -Added in libcurl 7.39.0 +Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for +NSS and wolfSSL/CyaSSL. Other SSL backends not supported. .SH RETURN VALUE Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or CURLE_OUT_OF_MEMORY if there was insufficient heap space. -- cgit v1.2.3