Annotation of embedaddon/curl/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3, revision 1.1.1.1
1.1 misho 1: .\" **************************************************************************
2: .\" * _ _ ____ _
3: .\" * Project ___| | | | _ \| |
4: .\" * / __| | | | |_) | |
5: .\" * | (__| |_| | _ <| |___
6: .\" * \___|\___/|_| \_\_____|
7: .\" *
8: .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9: .\" *
10: .\" * This software is licensed as described in the file COPYING, which
11: .\" * you should have received as part of this distribution. The terms
12: .\" * are also available at https://curl.haxx.se/docs/copyright.html.
13: .\" *
14: .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15: .\" * copies of the Software, and permit persons to whom the Software is
16: .\" * furnished to do so, under the terms of the COPYING file.
17: .\" *
18: .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19: .\" * KIND, either express or implied.
20: .\" *
21: .\" **************************************************************************
22: .\"
23: .TH CURLOPT_PINNEDPUBLICKEY 3 "June 02, 2019" "libcurl 7.70.0" "curl_easy_setopt options"
24:
25: .SH NAME
26: CURLOPT_PINNEDPUBLICKEY \- set pinned public key
27: .SH SYNOPSIS
28: #include <curl/curl.h>
29:
30: CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PINNEDPUBLICKEY, char *pinnedpubkey);
31: .SH DESCRIPTION
32: Pass a pointer to a zero terminated string as parameter. The string can be the
33: file name of your pinned public key. The file format expected is "PEM" or "DER".
34: The string can also be any number of base64 encoded sha256 hashes preceded by
35: "sha256//" and separated by ";"
36:
37: When negotiating a TLS or SSL connection, the server sends a certificate
38: indicating its identity. A public key is extracted from this certificate and
39: if it does not exactly match the public key provided to this option, curl will
40: abort the connection before sending or receiving any data.
41:
42: On mismatch, \fICURLE_SSL_PINNEDPUBKEYNOTMATCH\fP is returned.
43:
44: The application does not have to keep the string around after setting this
45: option.
46: .SH DEFAULT
47: NULL
48: .SH PROTOCOLS
49: All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
50: .SH EXAMPLE
51: .nf
52: CURL *curl = curl_easy_init();
53: if(curl) {
54: curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
55: curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, "/etc/publickey.der");
56: /* OR
57: curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, "sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=;sha256//t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=");
58: */
59:
60: /* Perform the request */
61: curl_easy_perform(curl);
62: }
63: .fi
64: .SH PUBLIC KEY EXTRACTION
65: If you do not have the server's public key file you can extract it from the
66: server's certificate.
67: .nf
68: # retrieve the server's certificate if you don't already have it
69: #
70: # be sure to examine the certificate to see if it is what you expected
71: #
72: # Windows-specific:
73: # - Use NUL instead of /dev/null.
74: # - OpenSSL may wait for input instead of disconnecting. Hit enter.
75: # - If you don't have sed, then just copy the certificate into a file:
76: # Lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
77: #
78: openssl s_client -servername www.example.com -connect www.example.com:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > www.example.com.pem
79:
80: # extract public key in pem format from certificate
81: openssl x509 -in www.example.com.pem -pubkey -noout > www.example.com.pubkey.pem
82:
83: # convert public key from pem to der
84: openssl asn1parse -noout -inform pem -in www.example.com.pubkey.pem -out www.example.com.pubkey.der
85:
86: # sha256 hash and base64 encode der to string for use
87: openssl dgst -sha256 -binary www.example.com.pubkey.der | openssl base64
88: .fi
89: The public key in PEM format contains a header, base64 data and a
90: footer:
91: .nf
92: -----BEGIN PUBLIC KEY-----
93: [BASE 64 DATA]
94: -----END PUBLIC KEY-----
95: .fi
96: .SH AVAILABILITY
97: PEM/DER support:
98:
99: 7.39.0: OpenSSL, GnuTLS
100:
101: 7.39.0-7.48.0,7.58.1+: GSKit
102:
103: 7.43.0: NSS and wolfSSL
104:
105: 7.47.0: mbedtls
106:
107: 7.54.1: SecureTransport on macOS 10.7+/iOS 10+
108:
109: 7.58.1: SChannel
110:
111: sha256 support:
112:
113: 7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL
114:
115: 7.47.0: mbedtls
116:
117: 7.54.1: SecureTransport on macOS 10.7+/iOS 10+
118:
119: 7.58.1: SChannel Windows XP SP3+
120:
121: Other SSL backends not supported.
122: .SH RETURN VALUE
123: Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or
124: CURLE_OUT_OF_MEMORY if there was insufficient heap space.
125: .SH "SEE ALSO"
126: .BR CURLOPT_SSL_VERIFYPEER "(3), "
127: .BR CURLOPT_SSL_VERIFYHOST "(3), "
128: .BR CURLOPT_CAINFO "(3), "
129: .BR CURLOPT_CAPATH "(3), "
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>