From e55e893c94622f238f7f67bb9a329b9d06032f6b Mon Sep 17 00:00:00 2001
From: James Houlahan
Date: Wed, 2 Nov 2022 10:43:49 +0100
Subject: [PATCH] Other: Bump new badssl public key pin badssl got a new TLS cert last week. We need to bump the pinned key. This was generated by exporting the TLS cert at rsa4096.badssl.com with the Chromium browser and running the following program on it: ``` b, err := os.ReadFile("badssl.pem") if err != nil { panic(err) } block, rest := pem.Decode(b) if len(rest) > 0 { panic("unexpected rest") } cert, err := x509.ParseCertificate(block.Bytes) if err != nil { panic(err) } hash := sha256.New() if _, err := hash.Write(cert.RawSubjectPublicKeyInfo); err != nil { panic(err) } fmt.Println(base64.StdEncoding.EncodeToString(hash.Sum(nil))) ```
---
 pkg/pmapi/dialer_pinning_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/pmapi/dialer_pinning_test.go b/pkg/pmapi/dialer_pinning_test.go
index 9ca033a0..c61ef9eb 100644
--- a/pkg/pmapi/dialer_pinning_test.go
+++ b/pkg/pmapi/dialer_pinning_test.go
@@ -88,7 +88,7 @@ func TestTLSSignedCertTrustedPublicKey(t *testing.T) {
 _, dialer, _ := createClientWithPinningDialer("")
 copyTrustedPins(dialer.pinChecker)
- dialer.pinChecker.trustedPins = append(dialer.pinChecker.trustedPins, `pin-sha256="SA4v9d2YY4vX5YQOQ1qZHYTBMCTSD/sxPvyj+JL6+vI="`)
+ dialer.pinChecker.trustedPins = append(dialer.pinChecker.trustedPins, `pin-sha256="LwnIKjNLV3z243ap8y0yXNPghsqE76J08Eq3COvUt2E="`)
 _, err := dialer.DialTLS("tcp", "rsa4096.badssl.com:443")
 r.NoError(t, err, "expected dial to succeed because public key is known and cert is signed by CA")
 }
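Review bot: The pin appended on the changed `append` line is an opaque literal bound to whatever certificate rsa4096.badssl.com currently serves, and nothing in the test says so, so the next rotation will again show up as an unexplained `DialTLS` failure. The derivation is recorded only in the commit message; a comment above the line such as `// base64 SHA-256 of the SubjectPublicKeyInfo of rsa4096.badssl.com's cert; regenerate when badssl rotates it` would keep it next to the value. Because the test pins a key the project does not control, it may also be worth deriving the expected pin at test time from a normally verified handshake, so the pin-check path stays covered without a hard-coded hash. The function's signature appears only in the hunk header, so anything before line 88 is not visible here.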