diff options
| -rw-r--r-- | docs/curl.1 | 5 | ||||
| -rw-r--r-- | docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 | 19 | ||||
| -rw-r--r-- | lib/vtls/cyassl.c | 39 | ||||
| -rw-r--r-- | lib/x509asn1.c | 5 | ||||
| -rw-r--r-- | lib/x509asn1.h | 5 | ||||
| -rw-r--r-- | src/tool_help.c | 2 | ||||
| -rwxr-xr-x | tests/runtests.pl | 1 |
7 files changed, 64 insertions, 12 deletions
diff --git a/docs/curl.1 b/docs/curl.1 index cd29d087e..21d85c931 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -548,11 +548,10 @@ indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public key provided to this option, curl will abort the connection before sending or receiving any data. -This is currently only implemented in the OpenSSL, GnuTLS, NSS and GSKit -backends. +Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS and +wolfSSL/CyaSSL. Other SSL backends not supported. If this option is used several times, the last one will be used. -(Added in 7.39.0) .IP "--cert-status" (SSL) Tells curl to verify the status of the server certificate by using the Certificate Status Request (aka. OCSP stapling) TLS extension. diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 index 4cc68b1d3..94cad31f0 100644 --- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 +++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 @@ -50,11 +50,22 @@ if(curl) { curl_easy_perform(curl); } .fi +.SH PUBLIC KEY EXTRACTION +If you do not have the server's public key file you can extract it from the +server's certificate. +.nf +openssl x509 -in www.test.com.pem -pubkey -noout > www.test.com.pubkey.pem +.fi +The public key is output in PEM format and contains a header, base64 data and a +footer: +.nf +-----BEGIN PUBLIC KEY----- +[BASE 64 DATA] +-----END PUBLIC KEY----- +.fi .SH AVAILABILITY -If built TLS enabled. This is currently only implemented in the OpenSSL, -GnuTLS, NSS and GSKit backends. - -Added in libcurl 7.39.0 +Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for +NSS and wolfSSL/CyaSSL. Other SSL backends not supported. .SH RETURN VALUE Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or CURLE_OUT_OF_MEMORY if there was insufficient heap space. diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c index 4d0a23f23..40dbbe134 100644 --- a/lib/vtls/cyassl.c +++ b/lib/vtls/cyassl.c @@ -57,6 +57,7 @@ and that's a problem since options.h hasn't been included yet. */ #include "connect.h" /* for the connect timeout */ #include "select.h" #include "rawstr.h" +#include "x509asn1.h" #include "curl_printf.h" #include <cyassl/ssl.h> @@ -403,6 +404,44 @@ cyassl_connect_step2(struct connectdata *conn, } } + if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + X509 *x509; + const char *x509_der; + int x509_der_len; + curl_X509certificate x509_parsed; + curl_asn1Element *pubkey; + CURLcode result; + + x509 = SSL_get_peer_certificate(conssl->handle); + if(!x509) { + failf(data, "SSL: failed retrieving server certificate"); + return CURLE_SSL_PINNEDPUBKEYNOTMATCH; + } + + x509_der = (const char *)CyaSSL_X509_get_der(x509, &x509_der_len); + if(!x509_der) { + failf(data, "SSL: failed retrieving ASN.1 server certificate"); + return CURLE_SSL_PINNEDPUBKEYNOTMATCH; + } + + memset(&x509_parsed, 0, sizeof x509_parsed); + Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len); + + pubkey = &x509_parsed.subjectPublicKeyInfo; + if(!pubkey->header || pubkey->end <= pubkey->header) { + failf(data, "SSL: failed retrieving public key from server certificate"); + return CURLE_SSL_PINNEDPUBKEYNOTMATCH; + } + + result = Curl_pin_peer_pubkey(data->set.str[STRING_SSL_PINNEDPUBLICKEY], + (const unsigned char *)pubkey->header, + (size_t)(pubkey->end - pubkey->header)); + if(result) { + failf(data, "SSL: public key does not match pinned public key!"); + return result; + } + } + conssl->connecting_state = ssl_connect_3; infof(data, "SSL connected\n"); diff --git a/lib/x509asn1.c b/lib/x509asn1.c index a163568ed..a3dfd646b 100644 --- a/lib/x509asn1.c +++ b/lib/x509asn1.c @@ -22,7 +22,8 @@ #include "curl_setup.h" -#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) +#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \ + defined(USE_CYASSL) #include <curl/curl.h> #include "urldata.h" @@ -1023,7 +1024,7 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn, return CURLE_OK; } -#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS */ +#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_CYASSL */ #if defined(USE_GSKIT) diff --git a/lib/x509asn1.h b/lib/x509asn1.h index caa5f6f33..eb23e506a 100644 --- a/lib/x509asn1.h +++ b/lib/x509asn1.h @@ -25,7 +25,8 @@ #include "curl_setup.h" -#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) +#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \ + defined(USE_CYASSL) #include "urldata.h" @@ -127,5 +128,5 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum, CURLcode Curl_verifyhost(struct connectdata * conn, const char * beg, const char * end); -#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS */ +#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_CYASSL */ #endif /* HEADER_CURL_X509ASN1_H */ diff --git a/src/tool_help.c b/src/tool_help.c index 27638ef16..2f7fefd97 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -156,7 +156,7 @@ static const char *const helptext[] = { " --pass PASS Pass phrase for the private key (SSL/SSH)", " --path-as-is Do not squash .. sequences in URL path", " --pinnedpubkey FILE Public key (PEM/DER) to verify peer against " - "(OpenSSL/GnuTLS/NSS/GSKit only)", + "(OpenSSL/GnuTLS/NSS/wolfSSL/CyaSSL/GSKit only)", " --post301 " "Do not switch to GET after following a 301 redirect (H)", " --post302 " diff --git a/tests/runtests.pl b/tests/runtests.pl index b64c42373..65c093c33 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl @@ -2351,6 +2351,7 @@ sub checksystem { } elsif ($libcurl =~ /(yassl|wolfssl)/i) { $has_yassl=1; + $has_sslpinning=1; $ssllib="yassl"; } elsif ($libcurl =~ /polarssl/i) { |