addigy/go-sct (forked from mberhault/go-sct)
go-sct: Verifying Signed Certificate Timestamps in Go.


Verify Signed Certificate Timestamps as defined in RFC 6962.

Warning:

This is a prototype, no guarantees are provided regarding correctness.

Use:

Perform Signed Certificate Timestamp verification for TLS connections.

To install:

go get github.com/addigy/go-sct

Using it to verify a simple HTTPS GET:

package main

import (
	"log"
	"net/http"

	"github.com/addigy/go-sct"
)

func main() {
	const url = "https://www.certificate-transparency.org"

	resp, err := http.Get(url)
	if err != nil {
		log.Fatalf("get failed for %s: %v", url, err)
	}
	defer resp.Body.Close()

	// resp.TLS holds the handshake state: the peer certificate chain
	// (with any embedded SCTs) and any SCTs sent in the TLS extension.
	err = sct.CheckConnectionState(resp.TLS)
	if err != nil {
		log.Fatalf("failed SCT check: %v", err)
	}

	log.Printf("OK")
}

See the examples directory for various methods of verifying the tls.ConnectionState.

Signed Certificate Timestamp acceptance:

Two types of SCTs (Signed Certificate Timestamps) are examined:

  • embedded in a x509 certificate
  • included in the TLS handshake as a TLS extension

SCTs are verified using the following:

  • extract SCTs from x509 certificate or TLS extension
  • look up the corresponding log in the Chrome CT log list, specifically https://www.gstatic.com/ct/log_list/v2/log_list.json; the log must be in an accepted state (qualified, usable, or read-only)
  • verify SCT signature using the log's public key
  • check the log for inclusion

sct.CheckConnectionState returns success when the first valid SCT is encountered, skipping all others.
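The following is an added example, not code from go-sct or from certificate-transparency-go, that shows what the lookup, signature and inclusion steps above amount to in plain Go. It assumes the SCT has already been extracted from the certificate or TLS extension into a small struct, and it stands in for the log list with a map keyed by log ID (SHA-256 of the log's DER public key) holding a simplified, hypothetical LogInfo shape rather than the real log_list.json layout. The signature is checked over the RFC 6962 digitally-signed struct rebuilt for an x509_entry only; a precert_entry would need the issuer key hash, which is why a missing issuer certificate makes embedded SCTs unverifiable (see the caveats below). Instead of fetching an inclusion proof, it applies the Maximum Merge Delay rule from the caveats: inside the MMD window no proof can be demanded, and past it the example fails closed. The log key, the leaf bytes and the timestamps are all constructed inline so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// RFC 6962 section 3.2 wire values: Version v1, SignatureType certificate_timestamp, LogEntryType x509_entry.
const sctV1, sigTypeCertTS, entryX509 = 0, 0, 0

// SCT holds the fields of a v1 SignedCertificateTimestamp after extraction from the TLS or x509 extension.
type SCT struct {
	LogID      [32]byte
	Timestamp  uint64 // milliseconds since the Unix epoch
	Extensions []byte
	Signature  []byte // DER-encoded ECDSA signature (sha256/ecdsa is the only pair handled here)
}

// LogInfo is the subset of a log-list entry used here (a simplified, hypothetical shape, not the JSON list).
type LogInfo struct {
	State string // qualified, usable, readonly, retired, ...
	Key   *ecdsa.PublicKey
	MMD   time.Duration // Maximum Merge Delay
}

// logID is SHA-256 over the log key's DER SubjectPublicKeyInfo, the key used for the log-list lookup.
func logID(pub *ecdsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid ecdsa key
	return sha256.Sum256(der)
}

// signedData rebuilds the digitally-signed struct a log signs for an x509_entry: the leaf DER carries a
// 24-bit length prefix and the extensions field is present even when empty; get either wrong and nothing verifies.
func signedData(ts uint64, leaf, ext []byte) []byte {
	var b bytes.Buffer
	b.Write([]byte{sctV1, sigTypeCertTS})
	binary.Write(&b, binary.BigEndian, ts)
	binary.Write(&b, binary.BigEndian, uint16(entryX509))
	n := len(leaf)
	b.Write([]byte{byte(n >> 16), byte(n >> 8), byte(n)})
	b.Write(leaf)
	binary.Write(&b, binary.BigEndian, uint16(len(ext)))
	b.Write(ext)
	return b.Bytes()
}

// verifySCT performs the lookup, state, signature and MMD checks. Inside the MMD window no inclusion proof
// can be demanded; past it this example, which has no log to query for a proof, fails closed.
func verifySCT(s *SCT, leaf []byte, logs map[[32]byte]LogInfo, now time.Time) error {
	info, ok := logs[s.LogID]
	if !ok || (info.State != "qualified" && info.State != "usable" && info.State != "readonly") {
		return fmt.Errorf("sct: log unknown or in state %q, which is not accepted", info.State)
	}
	digest := sha256.Sum256(signedData(s.Timestamp, leaf, s.Extensions))
	if !ecdsa.VerifyASN1(info.Key, digest[:], s.Signature) {
		return errors.New("sct: signature does not verify for this leaf")
	}
	if now.After(time.UnixMilli(int64(s.Timestamp)).Add(info.MMD)) {
		return errors.New("sct: past MMD, inclusion proof required but not available")
	}
	return nil
}

// issueSCT plays a constructed (not real) log so the example has a genuine signature to check.
func issueSCT(priv *ecdsa.PrivateKey, leaf []byte, ts uint64) (*SCT, error) {
	digest := sha256.Sum256(signedData(ts, leaf, nil))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SCT{LogID: logID(&priv.PublicKey), Timestamp: ts, Signature: sig}, nil
}

// selfCheck runs the round trip on constructed data: a fresh log key, bytes standing in for the leaf DER,
// and an SCT issued two hours ago against a 24-hour MMD, so no inclusion proof is demanded yet.
func selfCheck() error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	logs := map[[32]byte]LogInfo{logID(&priv.PublicKey): {State: "usable", Key: &priv.PublicKey, MMD: 24 * time.Hour}}
	leaf := []byte("constructed stand-in for a leaf certificate's DER bytes")
	sct, err := issueSCT(priv, leaf, uint64(time.Now().Add(-2*time.Hour).UnixMilli()))
	if err != nil {
		return err
	}
	if err := verifySCT(sct, leaf, logs, time.Now()); err != nil {
		return err
	}
	if verifySCT(sct, []byte("a different certificate"), logs, time.Now()) == nil {
		return errors.New("signature accepted for a leaf it does not cover")
	}
	return nil
}

func main() { fmt.Println("sct self-check error:", selfCheck()) }
```

The negative case at the end of selfCheck is the one that matters in practice: an SCT is bound to one exact leaf, so presenting a genuine SCT for a different certificate must fail, and any bug in signedData (a 16-bit length where a 24-bit one is required, or a missing extensions field) would make every real SCT fail the same way.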

Caveats:

There are a few noteworthy caveats:

  • this is a prototype
  • SCTs included in the OCSP response are not examined
  • the log list is not refreshed after initialization
  • if the issuer certificate is missing, embedded SCTs cannot be verified and will fail
  • if the SCT is not yet included in the tree but the log's Maximum Merge Delay has not elapsed since the SCT's timestamp, the check passes
  • no configuration is currently possible
  • the set of dependencies is massive, pulling in a large portion of certificate-transparency-go and its dependencies
  • expect severely increased latency; no optimization or caching has been done
