On Sat, Jul 7, 2012 at 4:02 PM, <pro...@secure-mail.biz> wrote:
> <noloa...@gmail.com> wrote:
>> You pin a certificate by whitelisting expected server certificates
>> (possibly thumbprints).
>
> How to do that?

My bad. You usually do it pragmatically in an "On Connect" callback or
delegate. I don't have any OpenSSL code handy, but below is some
.Net/C# code. Cocoa/CocoaTouch and Objective C would do it in
NSURLConnection and the NSURLConnectionDelegate
(https://developer.apple.com/library/mac/#documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html);
and you would do it in Android with HttpsURLConnection and
X509TrustManager
(http://stackoverflow.com/questions/11337726/android-httpsurlconnection-and-pinset-example).

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;

    public static class PinningExample
    {
        public static void Main(string[] args)
        {
            // Route every TLS server certificate through the pinning callback
            ServicePointManager.ServerCertificateValidationCallback = PinCertificate;

            // C1956DC8A7DFB2A5A56934DA09778E3A11023358
            // WebRequest wr = WebRequest.Create("https://www.google.com/");

            // 8FC079E814777F688BA4C807D9BD67D62AF71AEB
            WebRequest wr = WebRequest.Create("https://encrypted.google.com/");
            wr.GetResponse();
        }

        public static bool PinCertificate(object sender, X509Certificate certificate,
            X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            if (certificate == null)
                return false;

            if (chain == null)
                return false;

            // Hex-encode the certificate hash (upper case, no separators)
            byte[] cb = certificate.GetCertHash();
            StringBuilder sb = new StringBuilder(cb.Length * 2);
            foreach (byte b in cb)
                sb.AppendFormat("{0:X2}", b);

            // Verify against known SHA1 thumb print of the certificate
            // (the pinned value is the first thumbprint listed in Main)
            String hash = sb.ToString();
            if (hash != "C1956DC8A7DFB2A5A56934DA09778E3A11023358")
                return false;

            return true;
        }
    }

>> There's usually no need to sign another's key
>> or certificate (I've never done it that way, and never seen it done
>> that way).
>
> A little more background... Stories like the diginotar compromise [1] may
> happen again, anytime.

Yes, agreed. I have no love or trust for the public CA hierarchy, and
I am still pissed off about what happened to the folks in Iran who
were probably tortured and killed due to Diginotar's failure.

> I am developing an anonymous operating system [2]. We use wget to download
> Tor Browser from torproject.org and to access check.torproject.org. (Not
> available over secure apt.) Wget does offer ca pinning, but does not support
> certificate pinning [3].

Unfortunately, I'm not familiar with wget (other than executing what
I'm told).

> So my original question was how do I get wget to verify the torproject.org
> fingerprint [4] without depending on root CA's? The only possible solution I
> saw was downloading the torproject.org SSL public key, run a local CA, sign
> the certificate and run wget with the --ca-certificate switch. That's why I
> posted the question "Sign public key without having CSR or private key?" here.
>
> If there are any suggestions for this situation I am all ears.

Perhaps wget needs to be modified so that it allows you to supply
expected thumbprints of a server's certificate.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
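The kind of download the thread asks for, a fetch that trusts only a supplied list of certificate fingerprints and no root CAs, sketched in Python as an added example (not code from the thread, wget or OpenSSL). The function names are hypothetical, and it pins SHA-256 fingerprints rather than the SHA-1 thumbprints used in the C# code above.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_pin(text):
    """Accept 'AA:BB:..', 'aa bb ..' or 'AABB..' and return lowercase hex."""
    hexstr = text.replace(":", "").replace(" ", "").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return hexstr


def cert_matches_pins(der_cert, pins):
    """True if the SHA-256 of the DER certificate equals any pinned value."""
    seen = hashlib.sha256(der_cert).hexdigest()
    # Evaluate every pin; each comparison is constant time.
    results = [hmac.compare_digest(seen, normalize_pin(p)) for p in pins]
    return any(results)


def fetch_pinned(host, path, pins, port=443, timeout=10):
    """GET https://host/path, trusting only certificates in `pins`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA validation is deliberately off: the pin set is the only trust anchor.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            # Check the pin before any request bytes leave the client.
            if der is None or not cert_matches_pins(der, pins):
                raise ssl.SSLError("certificate is not in the pin set")
            req = "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)
            tls.sendall(req.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)
```

The pin list has to be obtained over a channel you already trust and updated whenever the server rotates its certificate; listing the current and the next certificate's fingerprints together avoids an outage at rotation.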