Why does the curl certificate pinning test not work using a sha1 digest?

0

I have a problem using a sha1 digest in a certificate pinning test. Using sha256 works fine, but if I use sha1 it does not work. Why?

version of curl:

    ➜  src ./curl -V
    curl 7.55.1 (x86_64-apple-darwin16.0.0) libcurl/7.55.1 SecureTransport zlib/1.2.8
    Release-Date: 2017-08-14
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets

TEST 1 using sha256

    ➜ src openssl s_client -connect uol.com.br:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    writing RSA key
    d9W9zyq64Gw8JEA/siAixfvoRRwZVpSgbYJV//0CeKM=

    ➜ src ./curl --head --verbose --pinnedpubkey "sha256//d9W9zyq64Gw8JEA/siAixfvoRRwZVpSgbYJV//0CeKM=" https://uol.com.br
    * Trying 200.147.67.142...
    * TCP_NODELAY set
    * Connected to uol.com.br (200.147.67.142) port 443 (#0)
    * public key hash: sha256//d9W9zyq64Gw8JEA/siAixfvoRRwZVpSgbYJV//0CeKM=
    * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate: www.uol.com.br
    * Server certificate: RapidSSL SHA256 CA
    * Server certificate: GeoTrust Global CA
    > HEAD / HTTP/1.1
    > Host: uol.com.br
    > User-Agent: curl/7.55.1
    > Accept: /
    >
    < HTTP/1.1 302 Found
    HTTP/1.1 302 Found
    < Date: Fri, 29 Sep 2017 19:32:18 GMT
    Date: Fri, 29 Sep 2017 19:32:18 GMT
    < Server: Apache
    Server: Apache
    < Connection: close
    Connection: close
    < Content-Type: text/html; charset=iso-8859-1
    Content-Type: text/html; charset=iso-8859-1

    <
    * Closing connection 0

TEST 2 using sha1

    ➜ src openssl s_client -connect uol.com.br:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha1 -binary | openssl enc -base64
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    writing RSA key
    BQr5oEtKUmTzlcelRcWvGvMnQzk=

    ➜ src ./curl --head --verbose --pinnedpubkey "sha1//BQr5oEtKUmTzlcelRcWvGvMnQzk=" https://uol.com.br
    * Trying 200.221.2.45...
    * TCP_NODELAY set
    * Connected to uol.com.br (200.221.2.45) port 443 (#0)
    * SSL: public key does not match pinned public key!
    * Closing connection 0
    curl: (90) SSL: public key does not match pinned public key!

Rafael F.

Posted 2017-09-29T19:50:23.597

Reputation: 3

Answers

0

Because curl only checks SHA256 hashes, not SHA1 hashes.

From the man page:

--pinnedpubkey <pinned public key (hashes)>

          (SSL) Tells curl to  use  the  specified  public  key  file  (or
          hashes)  to  verify the peer. This can be a path to a file which
          contains a single public key in PEM or DER format, or any number
          of base64 encoded sha256 hashes preceded by ´sha256//´ and sepa‐
          rated by ´;´

garethTheRed

Posted 2017-09-29T19:50:23.597

Reputation: 2 520
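
The value format described in the quoted man page, as an added Python example (not part of either post and not curl's own code): it builds a `sha256//` pin from DER public key bytes and checks a `--pinnedpubkey` value before it is handed to curl. The function names and the stand-in key bytes are assumptions made for this example, and the per-entry checks are stricter than anything the man page states.

```python
import base64
import binascii
import hashlib

PREFIX = "sha256//"  # the only hash prefix the quoted man page documents


def spki_pin(spki_der: bytes) -> str:
    """Pin for DER public key bytes (what `openssl rsa -pubin -outform der` emits)."""
    return PREFIX + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def classify(value: str):
    """Classify a --pinnedpubkey value the way the quoted man page describes it.

    Returns ("hashes", [32-byte digests]) or ("file", value). Raises ValueError
    for an entry that carries the prefix but cannot be a SHA-256 digest.
    """
    if not value.startswith(PREFIX):
        # Per the man page a value is either a key file path or a sha256//
        # list, so "sha1//..." can only be read as a path, never as a hash.
        return "file", value
    digests = []
    for entry in value.split(";"):
        if not entry.startswith(PREFIX):
            raise ValueError(f"entry without {PREFIX} prefix: {entry!r}")
        try:
            raw = base64.b64decode(entry[len(PREFIX):], validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in {entry!r}") from exc
        if len(raw) != hashlib.sha256().digest_size:
            raise ValueError(f"{entry!r} decodes to {len(raw)} bytes, need 32")
        digests.append(raw)
    return "hashes", digests


def matches(spki_der: bytes, value: str) -> bool:
    """True if the key's SHA-256 digest is one of the pinned hashes."""
    kind, digests = classify(value)
    return kind == "hashes" and hashlib.sha256(spki_der).digest() in digests


if __name__ == "__main__":
    key = b"constructed stand-in for DER public key bytes"  # not a real key
    print(classify("sha1//BQr5oEtKUmTzlcelRcWvGvMnQzk="))
    print(matches(key, "sha256//d9W9zyq64Gw8JEA/siAixfvoRRwZVpSgbYJV//0CeKM=;" + spki_pin(key)))
```

A SHA-1 digest relabelled with the `sha256//` prefix is rejected by the length check, since it decodes to 20 bytes instead of 32.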