Bug 1195771

Summary: support "--pinnedpubkey" option (feature REQ)
Product: [Fedora] Fedora
Reporter: Richard Z. <rz>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: kdudka, paul, rz
Hardware: All
OS: Linux
Fixed In Version: curl-7.40.0-5.fc22
Doc Type: Bug Fix
Last Closed: 2015-06-24 15:59:14 UTC
Type: Bug

Description Richard Z. 2015-02-24 14:22:46 UTC
curl 7.39.0 and later support --pinnedpubkey - if compiled to use OpenSSL library.

As far as I can see this is the only cli download utility which is capable of certificate pinning at all so it would be really good to have that functionality.

Comment 1 Richard Z. 2015-02-24 14:53:42 UTC
more details:
http://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html

<<This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.
  Added in libcurl 7.39.0 >>

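The pin value that --pinnedpubkey / CURLOPT_PINNEDPUBLICKEY consumes is "sha256//" followed by the base64 SHA-256 of the server's DER-encoded SubjectPublicKeyInfo. The following stdlib-only Python is an added illustration of how that pin is derived and checked; it is not code from this bug, from curl, or from Fedora. The embedded Ed25519 SPKI is constructed placeholder material, the function names are this example's own, and only hash pins are handled (curl also accepts a path to a public key file, which this example ignores).

```python
"""Compute and check curl-style public key pins (added example, not from the bug).

curl's --pinnedpubkey / CURLOPT_PINNEDPUBLICKEY accepts "sha256//<base64>" where
<base64> is the SHA-256 of the DER-encoded SubjectPublicKeyInfo (SPKI).
Stdlib only; the sample key below is constructed, not a real server key.
"""
import base64
import hashlib
import hmac

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key
# (AlgorithmIdentifier id-Ed25519 followed by a 32-byte BIT STRING).
# The 32 key bytes are placeholder values, not a real key.
SAMPLE_SPKI_DER = bytes.fromhex(
    "302a300506032b6570032100"
    + "0123456789abcdef" * 4
)

# The same key in the PEM framing that `openssl x509 -pubkey -noout` emits.
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_SPKI_DER).decode()
    + "-----END PUBLIC KEY-----\n"
)


def spki_der_from_pem(pem: str) -> bytes:
    """Strip PEM armour and return the raw DER SubjectPublicKeyInfo."""
    body = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN PUBLIC KEY-----":
            inside = True
            continue
        if line == "-----END PUBLIC KEY-----":
            break
        if inside and line:
            body.append(line)
    if not inside or not body:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(body), validate=True)


def pin_from_spki(spki_der: bytes) -> str:
    """SHA-256 over the DER SPKI, base64-encoded, in curl's sha256// syntax."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256//" + base64.b64encode(digest).decode()


def pin_from_pem(pem: str) -> str:
    """Convenience wrapper: PEM public key in, curl pin string out."""
    return pin_from_spki(spki_der_from_pem(pem))


def pin_matches(pin_list: str, spki_der: bytes) -> bool:
    """Check a presented SPKI against one or more pins.

    curl accepts several pins separated by ';' (for example the current key
    and a backup key) and allows the connection if any one of them matches.
    Entries that are not sha256// hashes are ignored here (this example does
    not implement curl's key-file form of the option).
    """
    computed = pin_from_spki(spki_der).encode()
    for entry in pin_list.split(";"):
        entry = entry.strip()
        if not entry.startswith("sha256//"):
            continue
        # Constant-time compare so a mismatch does not leak where it differed.
        if hmac.compare_digest(entry.encode(), computed):
            return True
    return False


if __name__ == "__main__":
    pin = pin_from_pem(SAMPLE_PEM)
    print("pin:", pin)
    # The option as it would be passed to curl (hostname is a placeholder).
    print("curl --pinnedpubkey '%s' https://example.com/" % pin)
    print("matches:", pin_matches(pin, SAMPLE_SPKI_DER))
```

Pinning the SPKI hash rather than the whole certificate means the pin survives certificate renewal as long as the key pair is kept, and carrying a second pin for a backup key avoids locking clients out when the key is rotated.
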
Comment 2 Kamil Dudka 2015-02-24 14:54:30 UTC
I am not sure whether the NSS API is ready for this.  I can see it is already implemented in Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=744204
https://bugzilla.mozilla.org/show_bug.cgi?id=787133

... but curl might be too low-level of a tool to gain anything from the Firefox implementation.

Comment 3 Richard Z. 2015-02-24 18:54:26 UTC
Are we stuck with NSS?

Comment 4 Kamil Dudka 2015-02-25 09:09:04 UTC
(In reply to Richard Z. from comment #3)
> Are we stuck with NSS?

libcurl was ported to NSS as part of the Fedora Crypto Consolidation project:

http://fedoraproject.org/wiki/FedoraCryptoConsolidation

We have put a lot of effort into making it stable and feature-complete.  If there is a requirement for public key pinning, it is a reason to write a patch, not a reason to switch the backend IMO.

But you are free to recompile libcurl against OpenSSL or GnuTLS on your own...

Comment 5 Kamil Dudka 2015-03-25 13:25:24 UTC
patch sent upstream:

http://article.gmane.org/gmane.comp.web.curl.library/45293

Comment 6 Kamil Dudka 2015-04-22 11:46:02 UTC
upstream commit:

https://github.com/bagder/curl/commit/b47c17d6

Comment 7 Kamil Dudka 2015-04-22 14:32:58 UTC
fixed in curl-7.42.0-1.fc23

Comment 8 Fedora Update System 2015-06-17 20:54:25 UTC
curl-7.40.0-5.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/curl-7.40.0-5.fc22

Comment 9 Fedora Update System 2015-06-21 00:05:51 UTC
Package curl-7.40.0-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.40.0-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10155/curl-7.40.0-5.fc22
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2015-06-24 15:59:14 UTC
curl-7.40.0-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.