[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys
|
From: |
Tim Rühsen |
|
Subject: |
Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys |
|
Date: |
Mon, 29 Feb 2016 20:24:43 +0100 |
|
User-agent: |
KMail/4.14.10 (Linux/4.4.0-1-amd64; KDE/4.14.14; x86_64; ; ) |
Hi Travis,
just a few thoughts about your patch resp. HPKP in general.
How do I create a pinnedpubkey file in the first place ? IMO, some examples
using GnuTLS and OpenSSL tools should be documented.
Could you name a few sites that send a Public-Key-Pins HTTP header ?
Just as improvement... Wouldn't it be a good user experience when a HPKP
database (e.g. a flat file) is created and maintained automatically, like with
HSTS ? I guess max-age and includeSubdomains are relevant here, maybe report-
uri.
Regards, Tim
Am Dienstag, 23. Februar 2016, 16:10:40 schrieb moparisthebest:
> Hi Tim,
>
> I attempted to implement your suggestions and formatting everywhere,
> though it's entirely possible I missed a place or two. :) I also added
> an entry in wget.texi. Attached is the latest patch and it's also
> pushed up to my github repo.
>
> Let me know when you have future comments about it, until then I'll
> await instructions about the FSF copyright assignment.
>
> Thanks much,
> Travis
>
> On 02/23/2016 03:23 PM, Tim Rühsen wrote:
> > Hi Travis,
> >
> > thank you for your contribution to wget !
> >
> > We'll take a closer look at the functionality the next days and will think
> > about automated tests.
> >
> > Just a few comments from the first glimpse
> > - the wget options are documented in doc/wget.texi, please add an entry
> > for
> > the new option
> > - xmalloc() won't return if allocation fails, so no need for checking the
> > return value
> > - xfree() also accepts NULL values, so no need for a prior check.
> > - please use xfree() instead of free(), e.g. 'free(base64data)'.
> > - some parts of the code are 'if(expr)', please amend to 'if (expr)'
> > - we have a space between function name and (. (GNU style)
> >
> >
> > In order to accept your contribution, you have to sign the FSF copyrigth
> > assignment. We'll send you information on how to proceed via PM.
> >
> > Thanks again for your work - it is highly appreciated.
> >
> > Regards, Tim
> >
> > Am Dienstag, 23. Februar 2016, 13:17:14 schrieb moparisthebest:
> >> Hello wget team,
> >>
> >> The attached patch implements a --pinnedpubkey option to pin public keys
> >> for TLS/SSL. I also pushed this to github [1]. I implemented and
> >> tested this for both the openssl and gnutls backends, and they share
> >> code which I put in util.c.
> >>
> >> It supports a path to a single .der or .pem file public key file, or any
> >> number of base64 encoded sha256 hashes in the format of
> >> 'sha256//hashhere;sha256//secondhashhere' etc (like the HTTP HPKP
> >> standard). This makes it behave identically to curl's option of the
> >> same name [2], which I also contributed.
> >>
> >> I'm not sure if automated tests can be added for this functionality, or
> >> if any additional documentation needs updated or anything else? If you
> >> can point me to anything else that needs done that would make this
> >> easier to accept I'd appreciate it.
> >>
> >> Thanks for the great tool,
> >> Travis Burtrum
> >>
> >> [1]: https://github.com/moparisthebest/wget
> >> [2]: https://curl.haxx.se/docs/manpage.html#--pinnedpubkey
signature.asc
Description: This is a digitally signed message part.