[Feature] Support for SSL pinning

[niklasweimann]

Problem to solve

I want to check that after rotating a certificate the intermediate certificate and the root certificate still pass the SSL pinning check in third party tools.

Proposal

Hurl already supports certain properties about the certificate. I would like to check that the intermediate and root certificate have the same public key. Curl supports this by the option --pinnedpubkey

Tasks to complete

???

[0scvr]

I'm interested in this issue. Any suggestion on how the option would be called (an example would be great) ?

[jcamiel]

Hi @0scvr

You're welcome to work on it.

The aim of the feature is to be able to call this command:

$ hurl --pinnedpubkey /etc/publickey.der test.hurl

Like curl, multiple invocations should be possible:

$ hurl --pinnedpubkey /etc/publickey.der \
       --pinnedpubkey "sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=;sha256//t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=" \
       test.hurl

Regarding implementation, you should look at packages/hurl/src/http/client.rs.

You can take inspiration from the CliOptions struct and the connects_to fields. Our aim is to add a field in this structure that will be populated from command line:

pub struct CliOptions {
    pub aws_sigv4: Option<String>,
    pub cacert_file: Option<String>,
    pub client_cert_file: Option<String>,
    // ...
    // The new field
    pub pinned_public_key: Vec<String>,
    // ...
}

When dealing with a new option, there are generated source code to modify, you can find more information here README.md

And of course the CONTRIBUTING.md guide

[ashishajr]

Hey @jcamiel, I'd like to take this up next.

A bit on how to implement it, curl checks if the string starts with sha256// and if it does it considers it a hash or series of hashes and if it doesn't start with sha256// then the string is considered to be a file and it extracts the key from the file.

https://github.com/curl/curl/blob/e785e898a6a32fc63b35615b55a147d309082f3d/lib/vtls/vtls.c#L731-L838

I wanted to know how and what error to show, if the string starts with sha256// do we pass the whole string as it is to curl? And if it doesn't contain sha256// we check the file path and if there is no file we show the error that such a file doesn't exist and if does we pass the filepath to curl, is that correct?

Essentially the only error we would ever show is the "`Input file <FILE_PATH> does not exist" error, right?

[jcamiel]

Hi @ashishajr

The idea is to defer to libcurl the maximum of things. Hurl uses curl rust for the binding to libcurl, so we're going to use https://docs.rs/curl/latest/curl/easy/struct.Easy.html#method.pinned_public_key

For the moment, we can use a String to create the cli option and passes it "as it" to libcurl (without any test). The "sha256//" vs file logic will be managed by curl and if there are errors, libcurl will raise it and will be convert to Hurl runtime errors in the call chain.

In a next PR, we'll make some adaptations to support pub pinned key per request:

GET https://foo.com
[Options]
pinnedpubkey: {{my_pub_key}}
HTTP 200

[ashishajr]

Sounds good, thanks for the feedback @jcamiel, I'll get started on this

[jcamiel]

Hi @niklasweimann the opetion --pinnedpubkey will be available for the next Hirl version 7.0.0, we'll maybe add the option configurable per request (thanks @ashishajr)