From 0675abbc7572ff6d711a1f325d9b812f98bce78f Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Sun, 5 Apr 2015 01:48:16 -0400 Subject: cyassl: Implement public key pinning Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc. --- lib/vtls/cyassl.c | 39 +++++++++++++++++++++++++++++++++++++++ lib/x509asn1.c | 5 +++-- lib/x509asn1.h | 5 +++-- 3 files changed, 45 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c index 4d0a23f23..40dbbe134 100644 --- a/lib/vtls/cyassl.c +++ b/lib/vtls/cyassl.c @@ -57,6 +57,7 @@ and that's a problem since options.h hasn't been included yet. */ #include "connect.h" /* for the connect timeout */ #include "select.h" #include "rawstr.h" +#include "x509asn1.h" #include "curl_printf.h" #include @@ -403,6 +404,44 @@ cyassl_connect_step2(struct connectdata *conn, } } + if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + X509 *x509; + const char *x509_der; + int x509_der_len; + curl_X509certificate x509_parsed; + curl_asn1Element *pubkey; + CURLcode result; + + x509 = SSL_get_peer_certificate(conssl->handle); + if(!x509) { + failf(data, "SSL: failed retrieving server certificate"); + return CURLE_SSL_PINNEDPUBKEYNOTMATCH; + } + + x509_der = (const char *)CyaSSL_X509_get_der(x509, &x509_der_len); + if(!x509_der) { + failf(data, "SSL: failed retrieving ASN.1 server certificate"); + return CURLE_SSL_PINNEDPUBKEYNOTMATCH; + } + + memset(&x509_parsed, 0, sizeof x509_parsed); + Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len); + + pubkey = &x509_parsed.subjectPublicKeyInfo; + if(!pubkey->header || pubkey->end <= pubkey->header) { + failf(data, "SSL: failed retrieving public key from server certificate"); + return CURLE_SSL_PINNEDPUBKEYNOTMATCH; + } + + result = Curl_pin_peer_pubkey(data->set.str[STRING_SSL_PINNEDPUBLICKEY], + (const unsigned char *)pubkey->header, + (size_t)(pubkey->end - pubkey->header)); + if(result) { + failf(data, "SSL: public key does not match pinned public key!"); + return result; + } + } + conssl->connecting_state = ssl_connect_3; infof(data, "SSL connected\n"); diff --git a/lib/x509asn1.c b/lib/x509asn1.c index a163568ed..a3dfd646b 100644 --- a/lib/x509asn1.c +++ b/lib/x509asn1.c @@ -22,7 +22,8 @@ #include "curl_setup.h" -#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) +#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \ + defined(USE_CYASSL) #include #include "urldata.h" @@ -1023,7 +1024,7 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn, return CURLE_OK; } -#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS */ +#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_CYASSL */ #if defined(USE_GSKIT) diff --git a/lib/x509asn1.h b/lib/x509asn1.h index caa5f6f33..eb23e506a 100644 --- a/lib/x509asn1.h +++ b/lib/x509asn1.h @@ -25,7 +25,8 @@ #include "curl_setup.h" -#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) +#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \ + defined(USE_CYASSL) #include "urldata.h" @@ -127,5 +128,5 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum, CURLcode Curl_verifyhost(struct connectdata * conn, const char * beg, const char * end); -#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS */ +#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_CYASSL */ #endif /* HEADER_CURL_X509ASN1_H */ -- cgit v1.2.3