Add functions to verify SCTs

This commit is contained in:
Andrew Ayer 2017-12-17 09:51:38 -08:00
parent bf676f06be
commit bc255f43d5
2 changed files with 47 additions and 14 deletions

View File

@ -113,20 +113,7 @@ func (ctlog *Log) SubmitChain(chain Chain) (*ct.SignedCertificateTimestamp, erro
return nil, err
}
entry := ct.LogEntry{
Leaf: ct.MerkleTreeLeaf{
Version: 0,
LeafType: ct.TimestampedEntryLeafType,
TimestampedEntry: ct.TimestampedEntry{
Timestamp: sct.Timestamp,
EntryType: ct.X509LogEntryType,
X509Entry: rawCerts[0],
Extensions: sct.Extensions,
},
},
}
if err := ctlog.verify.VerifySCTSignature(*sct, entry); err != nil {
if err := certspotter.VerifyX509SCT(sct, rawCerts[0], ctlog.verify); err != nil {
return nil, fmt.Errorf("Bad SCT signature: %s", err)
}
return sct, nil

46
sct.go Normal file
View File

@ -0,0 +1,46 @@
// Copyright (C) 2017 Opsmate, Inc.
//
// This Source Code Form is subject to the terms of the Mozilla
// Public License, v. 2.0. If a copy of the MPL was not distributed
// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
// This software is distributed WITHOUT A WARRANTY OF ANY KIND.
// See the Mozilla Public License for details.
package certspotter
import (
"software.sslmate.com/src/certspotter/ct"
)
func VerifyX509SCT(sct *ct.SignedCertificateTimestamp, cert []byte, verify *ct.SignatureVerifier) error {
entry := ct.LogEntry{
Leaf: ct.MerkleTreeLeaf{
Version: 0,
LeafType: ct.TimestampedEntryLeafType,
TimestampedEntry: ct.TimestampedEntry{
Timestamp: sct.Timestamp,
EntryType: ct.X509LogEntryType,
X509Entry: cert,
Extensions: sct.Extensions,
},
},
}
return verify.VerifySCTSignature(*sct, entry)
}
func VerifyPrecertSCT(sct *ct.SignedCertificateTimestamp, precert ct.PreCert, verify *ct.SignatureVerifier) error {
entry := ct.LogEntry{
Leaf: ct.MerkleTreeLeaf{
Version: 0,
LeafType: ct.TimestampedEntryLeafType,
TimestampedEntry: ct.TimestampedEntry{
Timestamp: sct.Timestamp,
EntryType: ct.PrecertLogEntryType,
PrecertEntry: precert,
Extensions: sct.Extensions,
},
},
}
return verify.VerifySCTSignature(*sct, entry)
}