stackoom
  简体   繁体   中英

How to verify signed certificate timestamps (SCTs) in Go

 原文  2020-08-21 17:33:44       http/ go/ ssl/ openssl/ ssl-certificate

Question

I am writing a Go HTTP client application and it needs to verify the SCTs in order to take advantage of Certificate Transparency. Is this automatically supported in the latest Go version? How do you achieve this?

1 answers

solution1
 1 ACCPTED  2020-08-21 17:40:53

There are two aspects here:

  1. retrieving SCTs from the TLS connection
  2. verifying the SCTs against CT logs

Retrieving SCTs is easily done in the standard library, with three different cases per RFC 6962 :

  • as an extension in the leaf certificate itself
  • as a TLS extension in the handshake
  • in the OCSP response

All of them are available through the tls.ConnectionState in their respective fields:

  • state.PeerCertificates[0].Extensions , under the extension with ID asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
  • state.SignedCertificateTimestamps
  • state.OCSPResponse

Those still need to be parsed properly.

Verifying SCTs is trickier and is not part of the standard library. This involves the following:

  • having a list of trusted CT logs
  • finding the CT log whose public key was used to sign the SCT
  • verifying the signature
  • verifying inclusion of the certificate in the CT's merkle tree and checking timestamps

This can be cobbled together using the certificate-transparency-go utilities, but they have not included a quick and easy way to use it as a library.

One library that attempts to make all of this easier is available at github.com/mberhault/go-sct . It can be used as follows to verify the SCTs after a HTTPS GET:

Disclaimer : I am the author of github.com/mberhault/go-sct .

import "github.com/mberhault/go-sct"

// Verifying the SCTs after a HTTPS GET request.
resp, err := http.Get("https://www.certificate-transparency.org")
if err != nil {
    panic("get failed " + err.Error())
}

err = sct.CheckConnectionState(resp.TLS)
if err != nil {
    panic("SCT check failed " + err.Error())
}

The same can be done on the tls.ConnectionState obtained through other methods (on a tls.Conn , or in the tls.Config.VerifyConnection callback).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question x509 certificate signed by unknown authority - go-pingdom How do I resolve a self signed certificate error? How to call the https get method on a self signed server and client certificate How to use a self-signed certificate through proxy server client HTTPS SSL Self-Signed Certificate with CA Certificate issue Nodejs Fetch API: unable to verify the first certificate Trust a self-signed certificate for a HTTPS connection Using Self-Signed SSL certificate converting http to https using self signed certificate Error: unable to verify the first certificate in Nestjs
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM