Skip to content

mberhault/go-sct

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits

examples

examples

 
 

testdata

testdata

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

loglist.go

loglist.go

 
 

loglist_test.go

loglist_test.go

 
 

sct.go

sct.go

 
 

sct_test.go

sct_test.go

 
 

x509.go

x509.go

 
 

Repository files navigation

go-sct: Verifying Signed Certificate Timestamps in Go.

GoDoc

Verify Signed Certificate Timestamps as defined in RFC 6962.

Warning:

This is a prototype, no guarantees are provided regarding correctness.

Use:

Perform Signed Certificate Timestamp verification for TLS connections.

To install:

go get github.com/mberhault/go-sct

Using it to verify a simple https Get:

package main

import (
  "log"
  "net/http"

  "github.com/mberhault/go-sct"
)

func main() {
  resp, err := http.Get("https://www.certificate-transparency.org")
  if err != nil {
    log.Fatalf("get failed for %s: %v", url, err)
  }

  err = sct.CheckConnectionState(resp.TLS)
  if err != nil {
    log.Fatalf("failed SCT check: %v", err)
  }

  log.Printf("OK")
}

See the examples directory for various methods of verifying the tls.ConnectionState:

Signed Certificate Timestamp acceptance:

Two types of SCTs (Signed Certificate Timestamps) are examined:

  • embedded in a x509 certificate
  • included in the TLS handshake as a TLS extension

SCTs are verified using the following:

  • extract SCTs from x509 certificate or TLS extension
  • lookup corresponding log in the Chrome CT log list, specifically https://www.gstatic.com/ct/log_list/v2/log_list.json, log must be qualified (qualified, usable, or read-only)
  • verify SCT signature using the log's public key
  • check the log for inclusion

sct.CheckConnectionState returns success when the first valid SCT is encountered, skipping all others.

Caveats:

There are a few noteworthy caveats:

  • this is a prototype
  • SCTs included in the OCSP response are not examined
  • the log list is not refreshed after initialization
  • if the issuer certificate is missing, embedded SCTs cannot be verified and will fail
  • if the SCT is not included in the tree but its timestamp is before Maximum Merge Delay, the check passes
  • no configuration is currently possible
  • the set of dependencies is massive, pulling a large portion of certificate-transparency-go and its dependencies.
  • expect severely increased latency, no optimization or caching has been done

About

Verifying Signed Certificate Timestamps in Go.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

7 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages