Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys

bug-wget

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys

From:	moparisthebest
Subject:	Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys
Date:	Mon, 29 Feb 2016 14:55:43 -0500

Hi Tim,

So here are some examples on how to get/create keys in various formats
(for my website, moparisthebest.com):

# pem format
openssl s_client -connect www.moparisthebest.com:443 2>&1 < /dev/null |
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey >
www.moparisthebest.com.pem

# der format
openssl s_client -connect www.moparisthebest.com:443 2>&1 < /dev/null |
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey |
openssl asn1parse -noout -inform pem -out /dev/stdout >
www.moparisthebest.com.der

# sha256 HPKP pin format
openssl s_client -connect www.moparisthebest.com:443 2>&1 < /dev/null |
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey |
openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst
-sha256 -binary | openssl base64

I'm not sure where or if this should be documented for wget anywhere?

And yes, a flat-file type system that is updated when receiving a
Public-Key-Pins header is an ultimate end-goal, I just viewed it as kind
of a next step to this.  You want manual-pinning for some use-cases,
like scripts and such.  Automatic pinning would increase security in the
generic case like web scraping, or maybe even a crowd-sourced list could
be gathered and shared?

Thanks,
Travis

On 02/29/2016 02:24 PM, Tim Rühsen wrote:
> Hi Travis,
> 
> just a few thoughts about your patch resp. HPKP in general.
> 
> How do I create a pinnedpubkey file in the first place ? IMO, some examples 
> using GnuTLS and OpenSSL tools should be documented.
> 
> Could you name a few sites that send a Public-Key-Pins HTTP header ?
> 
> Just as improvement... Wouldn't it be a good user experience when a HPKP 
> database (e.g. a flat file) is created and maintained automatically, like 
> with 
> HSTS ? I guess max-age and includeSubdomains are relevant here, maybe report-
> uri.
> 
> Regards, Tim
> 
> Am Dienstag, 23. Februar 2016, 16:10:40 schrieb moparisthebest:
>> Hi Tim,
>>
>> I attempted to implement your suggestions and formatting everywhere,
>> though it's entirely possible I missed a place or two. :) I also added
>> an entry in wget.texi.  Attached is the latest patch and it's also
>> pushed up to my github repo.
>>
>> Let me know when you have future comments about it, until then I'll
>> await instructions about the FSF copyright assignment.
>>
>> Thanks much,
>> Travis
>>
>> On 02/23/2016 03:23 PM, Tim Rühsen wrote:
>>> Hi Travis,
>>>
>>> thank you for your contribution to wget !
>>>
>>> We'll take a closer look at the functionality the next days and will think
>>> about automated tests.
>>>
>>> Just a few comments from the first glimpse
>>> - the wget options are documented in doc/wget.texi, please add an entry
>>> for
>>> the new option
>>> - xmalloc() won't return if allocation fails, so no need for checking the
>>> return value
>>> - xfree() also accepts NULL values, so no need for a prior check.
>>> - please use xfree() instead of free(), e.g. 'free(base64data)'.
>>> - some parts of the code are 'if(expr)', please amend to 'if (expr)'
>>> - we have a space between function name and (. (GNU style)
>>>
>>>
>>> In order to accept your contribution, you have to sign the FSF copyrigth
>>> assignment. We'll send you information on how to proceed via PM.
>>>
>>> Thanks again for your work - it is highly appreciated.
>>>
>>> Regards, Tim
>>>
>>> Am Dienstag, 23. Februar 2016, 13:17:14 schrieb moparisthebest:
>>>> Hello wget team,
>>>>
>>>> The attached patch implements a --pinnedpubkey option to pin public keys
>>>> for TLS/SSL.  I also pushed this to github [1].  I implemented and
>>>> tested this for both the openssl and gnutls backends, and they share
>>>> code which I put in util.c.
>>>>
>>>> It supports a path to a single .der or .pem file public key file, or any
>>>> number of base64 encoded sha256 hashes in the format of
>>>> 'sha256//hashhere;sha256//secondhashhere' etc (like the HTTP HPKP
>>>> standard).  This makes it behave identically to curl's option of the
>>>> same name [2], which I also contributed.
>>>>
>>>> I'm not sure if automated tests can be added for this functionality, or
>>>> if any additional documentation needs updated or anything else? If you
>>>> can point me to anything else that needs done that would make this
>>>> easier to accept I'd appreciate it.
>>>>
>>>> Thanks for the great tool,
>>>> Travis Burtrum
>>>>
>>>> [1]: https://github.com/moparisthebest/wget
>>>> [2]: https://curl.haxx.se/docs/manpage.html#--pinnedpubkey

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-wget] Implement --pinnedpubkey option to pin public keys, moparisthebest, 2016/02/23
- Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys, Tim Rühsen, 2016/02/23
  - Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys, moparisthebest, 2016/02/23
    - Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys, Tim Rühsen, 2016/02/29
    - Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys, moparisthebest <=

Prev by Date: Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys
Next by Date: [Bug-wget] Patch for understanding srcset= on img tags.
Previous by thread: Re: [Bug-wget] Implement --pinnedpubkey option to pin public keys
Next by thread: [Bug-wget] [bug #47281] WARC URI Headers Improperly Quoted
Index(es):
- Date
- Thread