Other: Bump new badssl public key pin

badssl got a new TLS cert last week. We need to bump the pinned key.

The new pin was generated by exporting the TLS cert served at rsa4096.badssl.com
with the Chromium browser and running the following program on it:

```
	b, err := os.ReadFile("badssl.pem")
	if err != nil {
		panic(err)
	}

	block, rest := pem.Decode(b)
	if len(rest) > 0 {
		panic("unexpected rest")
	}

	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic(err)
	}

	hash := sha256.New()

	if _, err := hash.Write(cert.RawSubjectPublicKeyInfo); err != nil {
		panic(err)
	}

	fmt.Println(base64.StdEncoding.EncodeToString(hash.Sum(nil)))
```
James Houlahan
2022-11-02 10:43:49 +01:00
parent 5ab63a290e
commit e55e893c94


@ -88,7 +88,7 @@ func TestTLSSignedCertTrustedPublicKey(t *testing.T) {
_, dialer, _ := createClientWithPinningDialer("")
copyTrustedPins(dialer.pinChecker)
dialer.pinChecker.trustedPins = append(dialer.pinChecker.trustedPins, `pin-sha256="SA4v9d2YY4vX5YQOQ1qZHYTBMCTSD/sxPvyj+JL6+vI="`)
dialer.pinChecker.trustedPins = append(dialer.pinChecker.trustedPins, `pin-sha256="LwnIKjNLV3z243ap8y0yXNPghsqE76J08Eq3COvUt2E="`)
_, err := dialer.DialTLS("tcp", "rsa4096.badssl.com:443")
r.NoError(t, err, "expected dial to succeed because public key is known and cert is signed by CA")
}
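Review bot: The `pin-sha256="..."` literal appended to `dialer.pinChecker.trustedPins` has no comment saying what it pins or how it was derived, so the regeneration steps exist only in this commit message and will have to be dug up again at the next rotation. I would put a comment above the append, e.g. `// base64 SHA-256 of the SubjectPublicKeyInfo of the cert exported from rsa4096.badssl.com; changes when badssl gets a new cert (generator program: commit e55e893c94).` Because the test dials the live host and pins the key of the certificate it currently serves, it will fail after each such change for reasons unrelated to the pin checker. Serving a test-generated certificate locally may be worth a follow-up, though that would presumably no longer exercise the "cert is signed by CA" half of the assertion. The opening lines of TestTLSSignedCertTrustedPublicKey are outside the hunk.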