1195771 – support "--pinnedpubkey" option (feature REQ)

Bug 1195771 - support "--pinnedpubkey" option (feature REQ)

Summary: support "--pinnedpubkey" option (feature REQ)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	curl
Sub Component:
Version:	21
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Kamil Dudka
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-02-24 14:22 UTC by Richard Z.
Modified:	2015-06-24 15:59 UTC (History)
CC List:	3 users (show)
Fixed In Version:	curl-7.40.0-5.fc22
Clone Of:
Environment:
Last Closed:	2015-06-24 15:59:14 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Richard Z. 2015-02-24 14:22:46 UTC

curl 7.39.0 and later support --pinnedpubkey - if compiled to use OpenSSL library.

As far as I can see this is the only cli download utility which is capable of certificate pinning at all so it would be really good to have that functionality.

Comment 1 Richard Z. 2015-02-24 14:53:42 UTC

more details:
http://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html

<<This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.
  Added in libcurl 7.39.0 >>

Comment 2 Kamil Dudka 2015-02-24 14:54:30 UTC

I am not sure whether NSS API is ready for this.  I can see it is already implemented in Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=744204
https://bugzilla.mozilla.org/show_bug.cgi?id=787133

... but curl might be too low-level of a tool to gain anything from the Firefox implementation.

Comment 3 Richard Z. 2015-02-24 18:54:26 UTC

Are we stuck with NSS?

Comment 4 Kamil Dudka 2015-02-25 09:09:04 UTC

(In reply to Richard Z. from comment #3)
> Are we stuck with NSS?

libcurl was ported to NSS as part of the Fedora Crypto Consolidation project:

http://fedoraproject.org/wiki/FedoraCryptoConsolidation

We have put a lot of effort to make it stable and feature-complete.  If there is a requirement for the public key pinning, it is a reason to write a patch, not a reason to switch the backend IMO.

But you are free to recompile libcurl against OpenSSL or GnuTLS on your own...

Comment 5 Kamil Dudka 2015-03-25 13:25:24 UTC

patch sent upstream:

http://article.gmane.org/gmane.comp.web.curl.library/45293

Comment 6 Kamil Dudka 2015-04-22 11:46:02 UTC

upstream commit:

https://github.com/bagder/curl/commit/b47c17d6

Comment 7 Kamil Dudka 2015-04-22 14:32:58 UTC

fixed in curl-7.42.0-1.fc23

Comment 8 Fedora Update System 2015-06-17 20:54:25 UTC

curl-7.40.0-5.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/curl-7.40.0-5.fc22

Comment 9 Fedora Update System 2015-06-21 00:05:51 UTC

Package curl-7.40.0-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.40.0-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10155/curl-7.40.0-5.fc22
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2015-06-24 15:59:14 UTC

curl-7.40.0-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.