TykTechnologies / tyk
LAST BUILD BRANCH: v2.9.4.8
DEFAULT BRANCH: master
Repo Added 26 Nov 2014 05:20PM UTC
Files 86
LAST BUILD ON BRANCH public-key-pinning
branch: public-key-pinning

pending completion
4518

push

travis-ci

buger
Added public key pinning feature

Certificate pinning is a feature which allows you to white list public
keys used to generate certificates, so you will be protected in cases
when an upstream certificate is compromised.

Using Tyk you can white-list one or multiple public keys per domain.
Wildcard domains are also supported.

Public keys are stored inside Tyk certificate storage, so you can use
the Certificate API to manage them.

You can define them globally, using the Tyk configuration file and the
`security.pinned_public_keys` option, or via the API definition
`pinned_public_keys` field, using the following format:
```
{
    "example.com": "<key-id>",
    "foo.com": "/path/to/pub.pem",
    "*.wild.com": "<key-id>,<key-id-2>"
}
```

As `key-id` you should set the ID returned after you uploaded the public
key using the Certificate API. Additionally, you can just set the path to
a public key located on your server. You can specify multiple public keys
by separating their IDs with a comma.

Note that only public keys in PEM format are supported.

If public keys are not provided by your upstream, you can extract them
yourself using the following command:
> openssl s_client -connect the.host.name:443 | openssl x509 -pubkey -noout

If you already have a certificate and just need to get its public key,
you can do it using the following command:
> openssl x509 -pubkey -noout -in cert.pem

PS. Upstream certificates now also have wildcard domain support
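
The check that this kind of pinning implies, as an added example (not Tyk's code and not part of the commit): the certificate's SubjectPublicKeyInfo is compared with the PEM public keys pinned for the matching domain pattern. The names `hostMatches`, `checkPin` and `newSample` are hypothetical, the pin map holds already-resolved PEM keys rather than key IDs or paths, and the one-label wildcard rule is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// hostMatches: exact match, or "*.wild.com" covering exactly one extra label
// (an assumption of this example, mirroring TLS wildcard rules).
func hostMatches(pattern, host string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return strings.EqualFold(pattern, host)
	}
	i := strings.Index(host, ".")
	return i > 0 && strings.EqualFold(host[i:], pattern[1:])
}

// checkPin accepts cert if its DER SubjectPublicKeyInfo equals any PEM key pinned for host.
func checkPin(pins map[string][]string, host string, cert *x509.Certificate) error {
	var err error // stays nil when no pattern covers host (host is not pinned)
	for pattern, keys := range pins {
		if !hostMatches(pattern, host) {
			continue
		}
		err = fmt.Errorf("public key presented for %q is not pinned", host)
		for _, k := range keys {
			if b, _ := pem.Decode([]byte(k)); b != nil && bytes.Equal(b.Bytes, cert.RawSubjectPublicKeyInfo) {
				return nil
			}
		}
	}
	return err
}

// newSample returns a constructed public key in PEM form and a certificate stub with the same key.
func newSample() (string, *x509.Certificate) {
	pub, _, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), &x509.Certificate{RawSubjectPublicKeyInfo: der}
}

func main() {
	pinned, cert := newSample()
	fmt.Println(checkPin(map[string][]string{"*.wild.com": {pinned}}, "api.wild.com", cert))
}
```

In a Go TLS client a check like this would typically run from `tls.Config.VerifyPeerCertificate` on the parsed leaf certificate, in addition to normal chain verification.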

8532 of 14868 relevant lines covered (57.38%)

0.63 hits per line


Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
4518 public-key-pinning Added public key pinning feature Certificate pinning is a feature which allows you to white list public keys used to generated certificates, so you will be protected in cases when upstream certificate is compromised. Using Tyk you can white-list... push 02 Apr 2018 07:02AM UTC buger travis-ci pending completion  
4516 public-key-pinning Added public key pinning feature Certificate pinning is a feature which allows you to white list public keys used to generated certificates, so you will be protected in cases when upstream certificate is compromised. Using Tyk you can white-list... push 02 Apr 2018 06:54AM UTC buger travis-ci pending completion  