From 93e450793ce289925dfd1d5e3b2d14e781f8dfd4 Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Tue, 30 Sep 2014 22:31:17 -0400 Subject: SSL: implement public key pinning Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der --- include/curl/curl.h | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'include') diff --git a/include/curl/curl.h b/include/curl/curl.h index d40b2dbbf..ccd9c3bcb 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -521,6 +521,8 @@ typedef enum { CURLE_CHUNK_FAILED, /* 88 - chunk callback reported error */ CURLE_NO_CONNECTION_AVAILABLE, /* 89 - No connection available, the session will be queued */ + CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not + match */ CURL_LAST /* never use! */ } CURLcode; @@ -1611,6 +1613,10 @@ typedef enum { /* Pass in a bitmask of "header options" */ CINIT(HEADEROPT, LONG, 229), + /* The public key in DER form used to validate the peer public key + this option is used only if SSL_VERIFYPEER is true */ + CINIT(PINNEDPUBLICKEY, OBJECTPOINT, 230), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; -- cgit v1.2.3