From 93e450793ce289925dfd1d5e3b2d14e781f8dfd4 Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Tue, 30 Sep 2014 22:31:17 -0400 Subject: SSL: implement public key pinning Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der --- tests/data/test2034 | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 tests/data/test2034 (limited to 'tests/data/test2034') diff --git a/tests/data/test2034 b/tests/data/test2034 new file mode 100644 index 000000000..92f6085d1 --- /dev/null +++ b/tests/data/test2034 @@ -0,0 +1,57 @@ + + + +HTTPS +HTTP GET +PEM certificate + + + +# +# Server-side + + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Content-Length: 7 + +MooMoo + + + +# +# Client-side + + +SSL + + +https Server-localhost-sv.pem + + +simple HTTPS GET with public key pinning + + +--cacert %SRCDIR/certs/EdelCurlRoot-ca.crt --pinnedpubkey %SRCDIR/certs/Server-localhost-sv.pub.der https://localhost:%HTTPSPORT/2034 + +# Ensure that we're running on localhost because we're checking the host name + +perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0.0.1' );" + + + +# +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET /2034 HTTP/1.1 +Host: localhost:%HTTPSPORT +Accept: */* + + + + -- cgit v1.2.3