1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
|
// Copyright 2018 Google LLC. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package ctutil contains utilities for Certificate Transparency.
package ctutil
import (
"bytes"
"crypto"
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
ct "github.com/google/certificate-transparency-go"
"github.com/google/certificate-transparency-go/tls"
"github.com/google/certificate-transparency-go/x509"
)
var emptyHash = [sha256.Size]byte{}
// LeafHashB64 does as LeafHash does, but returns the leaf hash base64-encoded.
// The base64-encoded leaf hash returned by B64LeafHash can be used with the
// get-proof-by-hash API endpoint of Certificate Transparency Logs.
func LeafHashB64(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) (string, error) {
hash, err := LeafHash(chain, sct, embedded)
if err != nil {
return "", err
}
return base64.StdEncoding.EncodeToString(hash[:]), nil
}
// LeafHash calculates the leaf hash of the certificate or precertificate at
// chain[0] that sct was issued for.
//
// sct is required because the SCT timestamp is used to calculate the leaf hash.
// Leaf hashes are unique to (pre)certificate-SCT pairs.
//
// This function can be used with three different types of leaf certificate:
// - X.509 Certificate:
// If using this function to calculate the leaf hash for a normal X.509
// certificate then it is enough to just provide the end entity
// certificate in chain. This case assumes that the SCT being provided is
// not embedded within the leaf certificate provided, i.e. the certificate
// is what was submitted to the Certificate Transparency Log in order to
// obtain the SCT. For this case, set embedded to false.
// - Precertificate:
// If using this function to calculate the leaf hash for a precertificate
// then the issuing certificate must also be provided in chain. The
// precertificate should be at chain[0], and its issuer at chain[1]. For
// this case, set embedded to false.
// - X.509 Certificate containing the SCT embedded within it:
// If using this function to calculate the leaf hash for a certificate
// where the SCT provided is embedded within the certificate you
// are providing at chain[0], set embedded to true. LeafHash will
// calculate the leaf hash by building the corresponding precertificate.
// LeafHash will return an error if the provided SCT cannot be found
// embedded within chain[0]. As with the precertificate case, the issuing
// certificate must also be provided in chain. The certificate containing
// the embedded SCT should be at chain[0], and its issuer at chain[1].
//
// Note: LeafHash doesn't check that the provided SCT verifies for the given
// chain. It simply calculates what the leaf hash would be for the given
// (pre)certificate-SCT pair.
func LeafHash(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) ([sha256.Size]byte, error) {
leaf, err := createLeaf(chain, sct, embedded)
if err != nil {
return emptyHash, err
}
return ct.LeafHashForLeaf(leaf)
}
// VerifySCT takes the public key of a Certificate Transparency Log, a
// certificate chain, and an SCT and verifies whether the SCT is a valid SCT for
// the certificate at chain[0], signed by the Log that the public key belongs
// to. If the SCT does not verify, an error will be returned.
//
// This function can be used with three different types of leaf certificate:
// - X.509 Certificate:
// If using this function to verify an SCT for a normal X.509 certificate
// then it is enough to just provide the end entity certificate in chain.
// This case assumes that the SCT being provided is not embedded within
// the leaf certificate provided, i.e. the certificate is what was
// submitted to the Certificate Transparency Log in order to obtain the
// SCT. For this case, set embedded to false.
// - Precertificate:
// If using this function to verify an SCT for a precertificate then the
// issuing certificate must also be provided in chain. The precertificate
// should be at chain[0], and its issuer at chain[1]. For this case, set
// embedded to false.
// - X.509 Certificate containing the SCT embedded within it:
// If the SCT you wish to verify is embedded within the certificate you
// are providing at chain[0], set embedded to true. VerifySCT will
// verify the provided SCT by building the corresponding precertificate.
// VerifySCT will return an error if the provided SCT cannot be found
// embedded within chain[0]. As with the precertificate case, the issuing
// certificate must also be provided in chain. The certificate containing
// the embedded SCT should be at chain[0], and its issuer at chain[1].
func VerifySCT(pubKey crypto.PublicKey, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
s, err := ct.NewSignatureVerifier(pubKey)
if err != nil {
return fmt.Errorf("error creating signature verifier: %s", err)
}
return VerifySCTWithVerifier(s, chain, sct, embedded)
}
// VerifySCTWithVerifier takes a ct.SignatureVerifier, a certificate chain, and
// an SCT and verifies whether the SCT is a valid SCT for the certificate at
// chain[0], signed by the Log whose public key was used to set up the
// ct.SignatureVerifier. If the SCT does not verify, an error will be returned.
//
// This function can be used with three different types of leaf certificate:
// - X.509 Certificate:
// If using this function to verify an SCT for a normal X.509 certificate
// then it is enough to just provide the end entity certificate in chain.
// This case assumes that the SCT being provided is not embedded within
// the leaf certificate provided, i.e. the certificate is what was
// submitted to the Certificate Transparency Log in order to obtain the
// SCT. For this case, set embedded to false.
// - Precertificate:
// If using this function to verify an SCT for a precertificate then the
// issuing certificate must also be provided in chain. The precertificate
// should be at chain[0], and its issuer at chain[1]. For this case, set
// embedded to false.
// - X.509 Certificate containing the SCT embedded within it:
// If the SCT you wish to verify is embedded within the certificate you
// are providing at chain[0], set embedded to true. VerifySCT will
// verify the provided SCT by building the corresponding precertificate.
// VerifySCT will return an error if the provided SCT cannot be found
// embedded within chain[0]. As with the precertificate case, the issuing
// certificate must also be provided in chain. The certificate containing
// the embedded SCT should be at chain[0], and its issuer at chain[1].
func VerifySCTWithVerifier(sv *ct.SignatureVerifier, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
if sv == nil {
return errors.New("ct.SignatureVerifier is nil")
}
leaf, err := createLeaf(chain, sct, embedded)
if err != nil {
return err
}
return sv.VerifySCTSignature(*sct, ct.LogEntry{Leaf: *leaf})
}
func createLeaf(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) (*ct.MerkleTreeLeaf, error) {
if len(chain) == 0 {
return nil, errors.New("chain is empty")
}
if sct == nil {
return nil, errors.New("sct is nil")
}
if embedded {
sctPresent, err := ContainsSCT(chain[0], sct)
if err != nil {
return nil, fmt.Errorf("error checking for SCT in leaf certificate: %s", err)
}
if !sctPresent {
return nil, errors.New("SCT provided is not embedded within leaf certificate")
}
}
certType := ct.X509LogEntryType
if chain[0].IsPrecertificate() || embedded {
certType = ct.PrecertLogEntryType
}
var leaf *ct.MerkleTreeLeaf
var err error
if embedded {
leaf, err = ct.MerkleTreeLeafForEmbeddedSCT(chain, sct.Timestamp)
} else {
leaf, err = ct.MerkleTreeLeafFromChain(chain, certType, sct.Timestamp)
}
if err != nil {
return nil, fmt.Errorf("error creating MerkleTreeLeaf: %s", err)
}
return leaf, nil
}
// ContainsSCT checks to see whether the given SCT is embedded within the given
// certificate.
func ContainsSCT(cert *x509.Certificate, sct *ct.SignedCertificateTimestamp) (bool, error) {
if cert == nil || sct == nil {
return false, nil
}
sctBytes, err := tls.Marshal(*sct)
if err != nil {
return false, fmt.Errorf("error tls.Marshalling SCT: %s", err)
}
for _, s := range cert.SCTList.SCTList {
if bytes.Equal(sctBytes, s.Val) {
return true, nil
}
}
return false, nil
}
|
