Add functions to verify SCTs

2017-12-17 09:51:38 -08:00 · 2017-12-17 09:51:38 -08:00 · bc255f43d5
parent bf676f06be
commit bc255f43d5
2 changed files with 47 additions and 14 deletions
--- a/cmd/submitct/main.go
+++ b/cmd/submitct/main.go
@ -113,20 +113,7 @@ func (ctlog *Log) SubmitChain(chain Chain) (*ct.SignedCertificateTimestamp, erro
 		return nil, err
 	}

-	entry := ct.LogEntry{
-		Leaf: ct.MerkleTreeLeaf{
-			Version:  0,
-			LeafType: ct.TimestampedEntryLeafType,
-			TimestampedEntry: ct.TimestampedEntry{
-				Timestamp:  sct.Timestamp,
-				EntryType:  ct.X509LogEntryType,
-				X509Entry:  rawCerts[0],
-				Extensions: sct.Extensions,
-			},
-		},
-	}
-
-	if err := ctlog.verify.VerifySCTSignature(*sct, entry); err != nil {
+	if err := certspotter.VerifyX509SCT(sct, rawCerts[0], ctlog.verify); err != nil {
 		return nil, fmt.Errorf("Bad SCT signature: %s", err)
 	}
 	return sct, nil
--- a/sct.go
+++ b/sct.go
@ -0,0 +1,46 @@
+// Copyright (C) 2017 Opsmate, Inc.
+//
+// This Source Code Form is subject to the terms of the Mozilla
+// Public License, v. 2.0. If a copy of the MPL was not distributed
+// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+//
+// This software is distributed WITHOUT A WARRANTY OF ANY KIND.
+// See the Mozilla Public License for details.
+
+package certspotter
+
+import (
+	"software.sslmate.com/src/certspotter/ct"
+)
+
+func VerifyX509SCT(sct *ct.SignedCertificateTimestamp, cert []byte, verify *ct.SignatureVerifier) error {
+	entry := ct.LogEntry{
+		Leaf: ct.MerkleTreeLeaf{
+			Version:  0,
+			LeafType: ct.TimestampedEntryLeafType,
+			TimestampedEntry: ct.TimestampedEntry{
+				Timestamp:  sct.Timestamp,
+				EntryType:  ct.X509LogEntryType,
+				X509Entry:  cert,
+				Extensions: sct.Extensions,
+			},
+		},
+	}
+	return verify.VerifySCTSignature(*sct, entry)
+}
+
+func VerifyPrecertSCT(sct *ct.SignedCertificateTimestamp, precert ct.PreCert, verify *ct.SignatureVerifier) error {
+	entry := ct.LogEntry{
+		Leaf: ct.MerkleTreeLeaf{
+			Version:  0,
+			LeafType: ct.TimestampedEntryLeafType,
+			TimestampedEntry: ct.TimestampedEntry{
+				Timestamp:  sct.Timestamp,
+				EntryType:  ct.PrecertLogEntryType,
+				PrecertEntry:  precert,
+				Extensions: sct.Extensions,
+			},
+		},
+	}
+	return verify.VerifySCTSignature(*sct, entry)
+}