On Sat, Jul 7, 2012 at 4:02 PM,  <pro...@secure-mail.biz> wrote:
> <noloa...@gmail.com> wrote:
>> You pin a certificate by whitelisting expected server certificates
>> (possibly thumbprints).
>
> How to do that?
My bad. You usually do it pragmatically in an "On Connect" callback or
delegate. I don't have any OpenSSL code handy, but below is some
.Net/C# code. Cocoa/CocoaTouch and Objective C would do it in
NSURLConnection and the NSURLConnectionDelegate
(https://developer.apple.com/library/mac/#documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html);
and you would do it in Android with HttpsURLConnection and
X509TrustManager
(http://stackoverflow.com/questions/11337726/android-httpsurlconnection-and-pinset-example).

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class PinningExample
{
  public static void Main(string[] args)
  {
    // Route every TLS server certificate through the pinning callback
    ServicePointManager.ServerCertificateValidationCallback = PinCertificate;

    // C1956DC8A7DFB2A5A56934DA09778E3A11023358
    // WebRequest wr = WebRequest.Create("https://www.google.com/");

    // 8FC079E814777F688BA4C807D9BD67D62AF71AEB
    WebRequest wr = WebRequest.Create("https://encrypted.google.com/");
    wr.GetResponse();
  }

  public static bool PinCertificate(object sender, X509Certificate certificate,
          X509Chain chain, SslPolicyErrors sslPolicyErrors)
  {
    if (certificate == null)
      return false;

    if (chain == null)
      return false;

    // Hex-encode the certificate hash (upper case, no separators)
    byte[] cb = certificate.GetCertHash();
    StringBuilder sb = new StringBuilder(cb.Length * 2);
    foreach (byte b in cb)
      sb.AppendFormat("{0:X2}", b);

    // Verify against known SHA1 thumbprint of the certificate (the value
    // listed above the www.google.com request in Main); any other
    // certificate is rejected
    String hash = sb.ToString();
    if (hash != "C1956DC8A7DFB2A5A56934DA09778E3A11023358")
      return false;

    return true;
  }
}

>> There's usually no need to sign another's key
>> or certificate (I've never done it that way, and never seen it done
>> that way).
>
> A little more background... Stories like the diginotar compromise [1] may 
> happen again, anytime.
Yes, agreed. I have no love or trust for the public CA hierarchy, and
I am still pissed off about what happened to the folks in Iran who
were probably tortured and killed due to Diginotar's failure.

> I am developing an anonymous operating system [2]. We use wget to download 
> Tor Browser from torproject.org and to access check.torproject.org. (Not 
> available over secure apt.) Wget does offer ca pinning, but does not support 
> certificate pinning [3].
Unfortunately, I'm not familiar with wget (other than executing what I'm told).

> So my original question was how do I get wget to verify the torproject.org 
> fingerprint [4] without depending on root CA's? The only possible solution I 
> saw was downloading the torproject.org SSL public key, run a local CA, sign 
> the certificate and run wget with the --ca-certificate switch. That's why I 
> posted the question "Sign public key without having CSR or private key?" here.
>
> If there are any suggestions for this situation I am all ears.
Perhaps wget needs to be modified so that it allows you to supply
expected thumbprints of a server's certificate.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
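
For the wget case raised in the thread, a thumbprint check placed in front of a download can look like the following. This is an added example, not code from the original message or from wget; the names normalize, thumbprint, is_pinned, fetch_pinned and the SAMPLE_* values are hypothetical, and it generalizes the single hard-coded hash to a whitelist of pins.

```python
import hashlib
import hmac
import socket
import ssl


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or 'AABB..' and return bare upper-case hex."""
    return "".join(c for c in fp if c not in ": ").upper()


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER-encoded certificate (SHA-1 to match the thread)."""
    return hashlib.new(algo, der).hexdigest().upper()


def is_pinned(der: bytes, pins, algo: str = "sha1") -> bool:
    """True if the certificate's thumbprint is in the whitelist of pins."""
    seen = thumbprint(der, algo)
    # Compare against every pin (no early exit), each in constant time.
    return any([hmac.compare_digest(seen, normalize(p)) for p in pins])


def fetch_pinned(host: str, path: str, pins, port: int = 443) -> bytes:
    """HTTP/1.0 GET that sends nothing until the leaf certificate matches a pin."""
    # The pin is the only trust decision here: CA chain validation is off,
    # so the pin set has to be updated when the server rotates its certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not der or not is_pinned(der, pins):
                raise ssl.SSLError("certificate thumbprint is not in the pin set")
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while chunk := tls.recv(65536):
                chunks.append(chunk)
            return b"".join(chunks)


# Constructed stand-in for DER certificate bytes so the check runs offline.
SAMPLE_DER = b"constructed certificate bytes"
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha1(SAMPLE_DER).digest())

if __name__ == "__main__":
    print(is_pinned(SAMPLE_DER, [SAMPLE_PIN]))         # pin in colon-separated form
    print(is_pinned(SAMPLE_DER + b"x", [SAMPLE_PIN]))  # a different certificate
```

fetch_pinned needs network access and a pin obtained out of band; the offline sample only exercises the comparison logic.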
