Re: Getting pubkey fingerprint in libcurl
On 3/12/2021 7:13 AM, Morten Minde Neergaard wrote: At 01:02, Tue 2021-03-02, Ray Satiro via curl-library wrote: On 2/26/2021 4:10 PM, Morten Minde Neergaard via curl-library wrote: [...] It would be a lot more elegant if there were an option to get the pubkey fingerprint directly, using the same pattern as CURLOPT_CERTINFO / CURLINFO_CERTINFO. Suggesting this addition to the curl APIs: CURLOPT(CURLOPT_PUBKEY_FINGERPRINT, CURLOPTTYPE_LONG, 309), [...] Is this not provided by certinfo already? If not I think it would be easier to add it there in a separate line, pubkey:asdf It isn't provided, no. It might be easier, but I guess my opinion about adding it to CURLOPT_CERTINFO is colored by my dislike of populating such a large amount of data and sifting through it running a bunch of string compares. The current implementation populates ~20k over 72 different strings for some random, somewhat representative pages. That feels like a lot more than what I need. But if we want to keep the implementation simple, sure, I can try to add it to CURLINFO_CERTINFO =) It would be good to know if anyone else has an opinion about this. --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
Re: Getting pubkey fingerprint in libcurl
On 2/26/2021 4:10 PM, Morten Minde Neergaard via curl-library wrote: I'm making an app that's using public key pinning, and it would be very helpful to have programmatic access to the pubkey fingerprint. The app currently has a huge and horrible mountain of platform- and backend-specific code that extracts the public key fingerprint from the TLS backend before calculating the exact same fingerprint as curl does in Curl_pin_peer_pubkey. It would be a lot more elegant if there were an option to get the pubkey fingerprint directly, using the same pattern as CURLOPT_CERTINFO / CURLINFO_CERTINFO. Suggesting this addition to the curl APIs: CURLOPT(CURLOPT_PUBKEY_FINGERPRINT, CURLOPTTYPE_LONG, 309), CURLINFO_PUBKEY_FINGERPRINT = CURLINFO_STRING + 60, After refactoring all the TLS backends to extract the code that calculates the pubkey fingerprint, this implementation should be fairly trivial. Comments? Patches accepted? Is this not provided by certinfo already? If not I think it would be easier to add it there in a separate line, pubkey:asdf --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html