I am writing a Go HTTP client application and it needs to verify the SCTs in order to take advantage of Certificate Transparency. Is this automatically supported in the latest Go version? How do you achieve this?
There are two aspects here:
Retrieving SCTs is easily done in the standard library, with three different cases per RFC 6962:
All of them are available through the tls.ConnectionState in their respective fields:
state.PeerCertificates[0].Extensions, under the extension with ID asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
state.SignedCertificateTimestamps
state.OCSPResponse
Those still need to be parsed properly.
Verifying SCTs is trickier and is not part of the standard library. This involves the following:
This can be cobbled together using the certificate-transparency-go utilities, but they have not included a quick and easy way to use it as a library.
One library that attempts to make all of this easier is available at github.com/mberhault/go-sct. It can be used as follows to verify the SCTs after an HTTPS GET:
Disclaimer: I am the author of github.com/mberhault/go-sct.
package main

import (
	"net/http"

	"github.com/mberhault/go-sct"
)

func main() {
	// Verifying the SCTs after a HTTPS GET request.
	resp, err := http.Get("https://www.certificate-transparency.org")
	if err != nil {
		panic("get failed " + err.Error())
	}
	defer resp.Body.Close()
	// resp.TLS is the tls.ConnectionState of the connection the response came over.
	err = sct.CheckConnectionState(resp.TLS)
	if err != nil {
		panic("SCT check failed " + err.Error())
	}
}
The same can be done on the tls.ConnectionState obtained through other methods (on a tls.Conn, or in the tls.Config.VerifyConnection callback).