CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PINNEDPUBLICKEY, char *pinnedpubkey);
.SH DESCRIPTION
-Pass a pointer to a zero terminated string as parameter. The string can be the
-file name of your pinned public key. The file format expected is "PEM" or "DER".
-The string can also be any number of base64 encoded sha256 hashes preceded by
-"sha256//" and seperated by ";"
+Pass a pointer to a zero terminated string as parameter. The string should be
+the file name of your pinned public key. The format expected is "PEM" or "DER".
When negotiating a TLS or SSL connection, the server sends a certificate
indicating its identity. A public key is extracted from this certificate and
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, "/etc/publickey.der");
- /* OR
- curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, "sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=;sha256//t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=");
- */
/* Perform the request */
curl_easy_perform(curl);
}
.fi
-.SH PUBLIC KEY EXTRACTION
-If you do not have the server's public key file you can extract it from the
-server's certificate.
-.nf
-# extract public key in pem format from certificate
-openssl x509 -in www.test.com.pem -pubkey -noout > www.test.com.pubkey.pem
-# convert public key from pem to der
-openssl asn1parse -noout -inform pem -in www.test.com.pubkey.pem -out www.test.com.pubkey.der
-# sha256 hash and base64 encode der to string for use
-openssl dgst -sha256 -binary www.test.com.pubkey.der | openssl base64
-.fi
-The public key in PEM format contains a header, base64 data and a
-footer:
-.nf
------BEGIN PUBLIC KEY-----
-[BASE 64 DATA]
------END PUBLIC KEY-----
-.fi
.SH AVAILABILITY
-Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for
-NSS and wolfSSL/CyaSSL. sha256 support added in 7.44.0 for OpenSSL,
-GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL backends not supported.
+If built TLS enabled. This is currently only implemented in the OpenSSL,
+GnuTLS and GSKit backends.
+
+Added in libcurl 7.39.0
.SH RETURN VALUE
Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.