[Feature] Support for SSL pinning

[niklasweimann]

Problem to solve

I want to check that after rotating a certificate the intermediate certificate and the root certificate still pass the SSL pinning check in third party tools.

Proposal

Hurl already supports certain properties about the certificate. I would like to check that the intermediate and root certificate have the same public key. Curl supports this by the option --pinnedpubkey

Tasks to complete

???

[0scvr]

I'm interested in this issue. Any suggestion on how the option would be called (an example would be great) ?

[jcamiel]

Hi @0scvr

You're welcome to work on it.

The aim of the feature is to be able to call this command:

$ hurl --pinnedpubkey /etc/publickey.der test.hurl

Like curl, multiple invocations should be possible:

$ hurl --pinnedpubkey /etc/publickey.der \
       --pinnedpubkey "sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=;sha256//t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=" \
       test.hurl

Regarding implementation, you should look at packages/hurl/src/http/client.rs.

You can take inspiration from the CliOptions struct and the connects_to fields. Our aim is to add a field in this structure that will be populated from command line:

pub struct CliOptions {
    pub aws_sigv4: Option<String>,
    pub cacert_file: Option<String>,
    pub client_cert_file: Option<String>,
    // ...
    // The new field
    pub pinned_public_key: Vec<String>,
    // ...
}

When dealing with a new option, there are generated source code to modify, you can find more information here README.md

And of course the CONTRIBUTING.md guide