rev sct support

ctz · ctz · commit aa66e1cb5450 · 2026-01-11T15:04:20.000Z
diff --git a/src/end_entity.rs b/src/end_entity.rs
@@ -176,11 +176,9 @@ impl EndEntityCert<'_> {
     /// iterator.
     pub fn sct_log_timestamps<'a>(
         &'a self,
-    ) -> Result<
-        impl Iterator<Item = Result<(sct::LogId, sct::Timestamp), sct::Error>> + 'a,
-        sct::Error,
-    > {
-        Ok(sct::SctParser::new(self.scts)?.map(|sct| sct.map(|sct| (sct.log_id, sct.timestamp))))
+    ) -> Result<impl Iterator<Item = Result<sct::LogIdAndTimestamp, sct::Error>> + 'a, sct::Error>
+    {
+        Ok(sct::SctParser::new(self.scts)?.map(|sct| sct.map(|sct| sct.log_id_and_timestamp())))
     }
 }
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -66,7 +66,7 @@ mod error;
 #[cfg(feature = "ring")]
 mod ring_algs;
 mod rpk_entity;
-#[allow(missing_docs, dead_code)]
+/// Processing of certificate transparency SCTs.
 pub mod sct;
 mod signed_data;
 mod subject_name;
diff --git a/src/sct.rs b/src/sct.rs
@@ -1,21 +1,5 @@
 use core::marker::PhantomData;
 
-/// Reads a `SignedCertificateTimestampList` encoding, yielding each `SignedCertificateTimestamp`.
-pub(crate) fn iter_scts<'a>(
-    bytes: untrusted::Input<'a>,
-) -> Result<impl Iterator<Item = Result<SignedCertificateTimestamp<'a>, Error>> + 'a, Error> {
-    let items_body = bytes.read_all(Error::MalformedSct, |rd| read_field(rd, non_zero_u16_len))?;
-
-    let mut reader = untrusted::Reader::new(items_body);
-
-    Ok(core::iter::from_fn(move || {
-        let item = read_field(&mut reader, non_zero_u16_len).ok()?;
-        Some(SignedCertificateTimestamp::try_from(
-            item.as_slice_less_safe(),
-        ))
-    }))
-}
-
 pub(crate) struct SctParser<'a> {
     reader: untrusted::Reader<'a>,
 }
@@ -53,11 +37,20 @@ impl<'a> Iterator for SctParser<'a> {
 /// [RFC6962]: https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2
 #[derive(Debug)]
 pub(crate) struct SignedCertificateTimestamp<'a> {
-    pub(crate) log_id: LogId,
-    pub(crate) timestamp: Timestamp,
+    log_id: LogId,
+    timestamp: Timestamp,
     _future_lifetime_for_signature: PhantomData<&'a ()>,
 }
 
+impl SignedCertificateTimestamp<'_> {
+    pub(crate) fn log_id_and_timestamp(&self) -> LogIdAndTimestamp {
+        LogIdAndTimestamp {
+            log_id: self.log_id.0,
+            timestamp: self.timestamp.0,
+        }
+    }
+}
+
 impl<'a> TryFrom<&'a [u8]> for SignedCertificateTimestamp<'a> {
     type Error = Error;
 
@@ -84,11 +77,20 @@ impl<'a> TryFrom<&'a [u8]> for SignedCertificateTimestamp<'a> {
     }
 }
 
+/// The certificate transparency log ID and associated inclusion timestamp.
+#[derive(Debug, PartialEq)]
+pub struct LogIdAndTimestamp {
+    /// Log ID
+    pub log_id: [u8; 32],
+    /// Inclusion timestamp
+    pub timestamp: u64,
+}
+
 #[derive(Debug)]
-pub struct LogId(pub [u8; 32]);
+struct LogId([u8; 32]);
 
 #[derive(Debug)]
-pub struct Timestamp(pub u64);
+struct Timestamp(u64);
 
 /// Read a length-prefixed field from `rd`.
 ///
@@ -126,7 +128,9 @@ fn non_zero_u16_len(bytes: [u8; 2]) -> Result<usize, Error> {
     Ok(len)
 }
 
+/// Possible errors from SCT parsing and processing
 #[derive(Clone, Debug, PartialEq, Eq)]
+#[non_exhaustive]
 pub enum Error {
     /// The SCT was somehow misencoded, truncated or otherwise corrupt.
     MalformedSct,
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -26,7 +26,6 @@ use crate::crl::RevocationOptions;
 use crate::der::{self, FromDer};
 use crate::end_entity::EndEntityCert;
 use crate::error::Error;
-use crate::sct::{self, LogId, SctParser, Timestamp};
 use crate::{public_values_eq, subject_name};
 
 // Use `'a` for lifetimes that we don't care about, `'p` for lifetimes that become a part of
@@ -198,21 +197,6 @@ impl<'p> VerifiedPath<'p> {
         }
     }
 
-    /// Returns the SCT logs that contributed to the SCTs included in the certificate.
-    ///
-    /// Note this method does not verify the SCTs themselves, but does require that
-    /// the certificate chain was previously verified by the caller.  This is demonstrated
-    /// by the `verified_path` parameter.
-    ///
-    /// If the certificate does not contain an SCT extension, this method returns
-    /// `Ok(Vec::new())`.
-    pub fn sct_log_timestamps(
-        &self,
-    ) -> Result<impl Iterator<Item = Result<(LogId, Timestamp), sct::Error>> + 'p, sct::Error> {
-        Ok(SctParser::new(self.end_entity.scts)?
-            .map(|sct| sct.map(|sct| (sct.log_id, sct.timestamp))))
-    }
-
     /// Yields a (double-ended) iterator over the intermediate certificates in this path.
     pub fn intermediate_certificates(&'p self) -> IntermediateIterator<'p> {
         IntermediateIterator {
diff --git a/tests/integration.rs b/tests/integration.rs
@@ -19,6 +19,7 @@ use core::slice;
 use core::time::Duration;
 
 use pki_types::{CertificateDer, UnixTime};
+use webpki::sct::LogIdAndTimestamp;
 use webpki::{ExtendedKeyUsage, anchor_from_trusted_cert};
 
 /* Checks we can verify netflix's cert chain.  This is notable
@@ -463,3 +464,52 @@ fn cert_time_validity() {
         })
     );
 }
+
+#[test]
+fn with_scts() {
+    let ee: &[u8] = include_bytes!("cloudflare_dns/ee.der");
+    let ee = CertificateDer::from(ee);
+    let cert = webpki::EndEntityCert::try_from(&ee).unwrap();
+
+    let expect_scts = vec![
+        LogIdAndTimestamp {
+            log_id: [
+                41, 121, 190, 240, 158, 57, 57, 33, 240, 86, 115, 159, 99, 165, 119, 229, 190, 87,
+                125, 156, 96, 10, 248, 249, 77, 93, 38, 92, 37, 93, 199, 132,
+            ],
+            timestamp: 1635197764079,
+        },
+        LogIdAndTimestamp {
+            log_id: [
+                81, 163, 176, 245, 253, 1, 121, 156, 86, 109, 184, 55, 120, 143, 12, 164, 122, 204,
+                27, 39, 203, 247, 158, 136, 66, 154, 13, 254, 212, 139, 5, 229,
+            ],
+            timestamp: 1635197764090,
+        },
+        LogIdAndTimestamp {
+            log_id: [
+                65, 200, 202, 177, 223, 34, 70, 74, 16, 198, 161, 58, 9, 66, 135, 94, 78, 49, 139,
+                27, 3, 235, 235, 75, 199, 104, 240, 144, 98, 150, 6, 246,
+            ],
+            timestamp: 1635197764024,
+        },
+    ];
+    assert_eq!(
+        Ok(expect_scts),
+        cert.sct_log_timestamps()
+            .unwrap()
+            .collect::<Result<Vec<_>, _>>()
+    );
+}
+
+#[test]
+fn no_scts() {
+    let der = CertificateDer::from(&include_bytes!("misc/uri_san_ee.der")[..]);
+    let cert = webpki::EndEntityCert::try_from(&der).unwrap();
+    assert_eq!(
+        Ok(vec![]),
+        cert.sct_log_timestamps()
+            .unwrap()
+            .collect::<Result<Vec<_>, _>>()
+    );
+}

Original file line number	Diff line number	Diff line change
`@@ -176,11 +176,9 @@ impl EndEntityCert<'_> {`
`176`	`176`	`/// iterator.`
`177`	`177`	`pub fn sct_log_timestamps<'a>(`
`178`	`178`	`&'a self,`
`179`		`- ) -> Result<`
`180`		`- impl Iterator<Item = Result<(sct::LogId, sct::Timestamp), sct::Error>> + 'a,`
`181`		`- sct::Error,`
`182`		`- > {`
`183`		`- Ok(sct::SctParser::new(self.scts)?.map(\|sct\| sct.map(\|sct\| (sct.log_id, sct.timestamp))))`
	`179`	`+ ) -> Result<impl Iterator<Item = Result<sct::LogIdAndTimestamp, sct::Error>> + 'a, sct::Error>`
	`180`	`+ {`
	`181`	`+ Ok(sct::SctParser::new(self.scts)?.map(\|sct\| sct.map(\|sct\| sct.log_id_and_timestamp())))`
`184`	`182`	`}`
`185`	`183`	`}`
`186`	`184`