package ctlint
import (
"crypto/sha256"
"fmt"
"github.com/crtsh/ctloglists"
ctgo "github.com/google/certificate-transparency-go"
)
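// verifySCT checks the signature on one SCT over the precertificate form of
// a certificate: tbsCert is the TBSCertificate the log signed, and
// sha256IssuerSPKI is the SHA-256 of the issuing CA's SubjectPublicKeyInfo.
//
// It rebuilds the RFC 6962 MerkleTreeLeaf for a precert entry (issuer key
// hash + TBSCertificate, together with the SCT's own timestamp and
// extensions, both of which are covered by the signature) and verifies it
// with the log key that ctloglists.LogSignatureVerifierMap holds for the
// SCT's LogID.
//
// The result is exactly one lint message prefixed "E:" (error), "N:"
// (notice) or "I:" (info). Only the signature is checked here: an "I:"
// result says nothing about whether the SCT timestamp falls inside the
// log's accepted interval, whether the log was qualified at that time, or
// whether the timestamp is in the future — callers that enforce a CT policy
// must check those separately. An SCT whose log has no entry in the
// verifier map is reported as "N:" and has NOT been verified at all.
func verifySCT(tbsCert []byte, sha256IssuerSPKI *[sha256.Size]byte, sct *ctgo.SignedCertificateTimestamp) []string {
	// A linter should report malformed or missing input rather than panic
	// on a nil dereference.
	if sct == nil {
		return []string{"E: SCT is missing"}
	}
	if sha256IssuerSPKI == nil {
		return []string{"E: Issuer key hash is missing, so the SCT cannot be verified"}
	}
	// Only RFC 6962 v1 SCTs are supported; the leaf built below is v1-specific.
	if sct.SCTVersion != ctgo.V1 {
		return []string{"E: SCT version is not V1"}
	}

	// Reconstruct the structure the log signed. For an embedded SCT that is
	// a precert entry, keyed by issuer key hash + TBS, not the final
	// certificate's DER. Extensions are part of the signed data and must be
	// echoed back verbatim.
	leaf := ctgo.MerkleTreeLeaf{
		Version:  ctgo.V1,
		LeafType: ctgo.TimestampedEntryLeafType,
		TimestampedEntry: &ctgo.TimestampedEntry{
			EntryType: ctgo.PrecertLogEntryType,
			Timestamp: sct.Timestamp,
			PrecertEntry: &ctgo.PreCert{
				IssuerKeyHash:  *sha256IssuerSPKI,
				TBSCertificate: tbsCert,
			},
			Extensions: sct.Extensions,
		},
	}

	// The verifying key is selected solely by the SCT's LogID (SHA-256 of the
	// log's public key). Without a key nothing can be checked, so the
	// "unknown log" notice below means unverified, not benign.
	verifier := ctloglists.LogSignatureVerifierMap[([sha256.Size]byte)(sct.LogID.KeyID)]
	if verifier == nil {
		return []string{"N: SCT is from an unknown log"}
	}

	// Log description is for display only; the crt.sh and gstatic lists
	// between them are expected to cover every known log, so try both.
	log, _, _ := findLogByKeyHash(sct.LogID.KeyID, ctloglists.CrtshV3All)
	if log == nil {
		log, _, _ = findLogByKeyHash(sct.LogID.KeyID, ctloglists.GstaticV3All)
	}

	if err := verifier.VerifySCTSignature(*sct, ctgo.LogEntry{Leaf: leaf}); err != nil {
		if log != nil {
			return []string{fmt.Sprintf("E: SCT has an invalid signature purporting to be from %s", log.Description)}
		}
		return []string{"E: SCT has an invalid signature"}
	}

	if log != nil {
		return []string{fmt.Sprintf("I: SCT has a valid signature from %s", log.Description)}
	}
	return []string{"I: SCT has a valid signature"}
}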