sct

package module
v0.1.7
Published: Jun 30, 2021 License: Apache-2.0 Imports: 19 Imported by: 0

README

go-sct: Verifying Signed Certificate Timestamps in Go.

Verify Signed Certificate Timestamps as defined in RFC 6962.

Warning:

This is a prototype, no guarantees are provided regarding correctness.

Use:

Perform Signed Certificate Timestamp verification for TLS connections.

To install:

go get github.com/mberhault/go-sct

Using it to verify a simple HTTPS GET:

package main

import (
  "log"
  "net/http"

  "github.com/mberhault/go-sct"
)

func main() {
  // The URL is named so the error message below can report which request failed.
  const url = "https://www.certificate-transparency.org"
  resp, err := http.Get(url)
  if err != nil {
    log.Fatalf("get failed for %s: %v", url, err)
  }
  defer resp.Body.Close()

  err = sct.CheckConnectionState(resp.TLS)
  if err != nil {
    log.Fatalf("failed SCT check: %v", err)
  }

  log.Printf("OK")
}

See the examples directory for other ways of verifying a tls.ConnectionState.

Signed Certificate Timestamp acceptance:

Two types of SCTs (Signed Certificate Timestamps) are examined:

  • embedded in an x509 certificate
  • included in the TLS handshake as a TLS extension

SCTs are verified using the following:

  • extract the SCTs from the x509 certificate or the TLS extension
  • look up the corresponding log in the Chrome CT log list (https://www.gstatic.com/ct/log_list/v2/log_list.json); the log must be in a qualified state (qualified, usable, or read-only)
  • verify the SCT signature using the log's public key
  • check the log for inclusion

sct.CheckConnectionState returns success when the first valid SCT is encountered, skipping all others.

Caveats:

There are a few noteworthy caveats:

  • this is a prototype
  • SCTs included in the OCSP response are not examined
  • the log list is not refreshed after initialization
  • if the issuer certificate is missing, embedded SCTs cannot be verified and the check fails
  • if the SCT is not yet included in the log's tree but the log's Maximum Merge Delay has not elapsed since the SCT's timestamp, the check passes
  • no configuration is currently possible
  • the set of dependencies is massive, pulling in a large portion of certificate-transparency-go and its dependencies
  • expect severely increased latency; no optimization or caching has been done

Documentation

Overview

Package sct verifies Signed Certificate Timestamp in TLS connections. See [RFC 6962](https://datatracker.ietf.org/doc/rfc6962/).

Constants

This section is empty.

Variables

var DomainValidationOIDs = map[string]interface{}{
	"1.3.6.1.4.1.4146.1.10.10":   nil,
	"1.3.6.1.4.1.44947.1.1.1":    nil,
	"1.3.6.1.4.1.6449.1.2.2.10":  nil,
	"1.3.6.1.4.1.6449.1.2.2.15":  nil,
	"1.3.6.1.4.1.6449.1.2.2.16":  nil,
	"1.3.6.1.4.1.6449.1.2.2.17":  nil,
	"1.3.6.1.4.1.6449.1.2.2.18":  nil,
	"1.3.6.1.4.1.6449.1.2.2.19":  nil,
	"1.3.6.1.4.1.6449.1.2.2.21":  nil,
	"1.3.6.1.4.1.6449.1.2.2.22":  nil,
	"1.3.6.1.4.1.6449.1.2.2.24":  nil,
	"1.3.6.1.4.1.6449.1.2.2.25":  nil,
	"1.3.6.1.4.1.6449.1.2.2.26":  nil,
	"1.3.6.1.4.1.6449.1.2.2.27":  nil,
	"1.3.6.1.4.1.6449.1.2.2.28":  nil,
	"1.3.6.1.4.1.6449.1.2.2.29":  nil,
	"1.3.6.1.4.1.6449.1.2.2.31":  nil,
	"1.3.6.1.4.1.6449.1.2.2.35":  nil,
	"1.3.6.1.4.1.6449.1.2.2.37":  nil,
	"1.3.6.1.4.1.6449.1.2.2.38":  nil,
	"1.3.6.1.4.1.6449.1.2.2.39":  nil,
	"1.3.6.1.4.1.6449.1.2.2.40":  nil,
	"1.3.6.1.4.1.6449.1.2.2.41":  nil,
	"1.3.6.1.4.1.6449.1.2.2.42":  nil,
	"1.3.6.1.4.1.6449.1.2.2.44":  nil,
	"1.3.6.1.4.1.6449.1.2.2.45":  nil,
	"1.3.6.1.4.1.6449.1.2.2.47":  nil,
	"1.3.6.1.4.1.6449.1.2.2.49":  nil,
	"1.3.6.1.4.1.6449.1.2.2.50":  nil,
	"1.3.6.1.4.1.6449.1.2.2.51":  nil,
	"1.3.6.1.4.1.6449.1.2.2.52":  nil,
	"1.3.6.1.4.1.6449.1.2.2.53":  nil,
	"1.3.6.1.4.1.6449.1.2.2.54":  nil,
	"1.3.6.1.4.1.6449.1.2.2.7":   nil,
	"1.3.6.1.4.1.6449.1.2.2.8":   nil,
	"2.16.840.1.114412.1.2":      nil,
	"2.16.840.1.114413.1.7.23.1": nil,
	"2.16.840.1.114414.1.7.23.1": nil,
	"2.23.140.1.2.1":             nil,
}

DomainValidationOIDs contains OIDs that identify DV certs.

var ExtendedValidationOIDs = map[string]interface{}{
	"2.23.140.1.1":                  nil,
	"2.23.140.1.3":                  nil,
	"2.23.140.1.31":                 nil,
	"1.3.6.1.4.1.17326.10.14.2.1.2": nil,
	"1.3.6.1.4.1.17326.10.14.2.2.2": nil,
	"1.3.6.1.4.1.17326.10.8.12.1.2": nil,
	"1.3.6.1.4.1.17326.10.8.12.2.2": nil,
	"1.3.159.1.17.1":                nil,
	"1.3.6.1.4.1.34697.2.1":         nil,
	"1.3.6.1.4.1.34697.2.2":         nil,
	"1.3.6.1.4.1.34697.2.3":         nil,
	"1.3.6.1.4.1.34697.2.4":         nil,
	"1.3.6.1.4.1.13177.10.1.3.10":   nil,
	"2.16.578.1.26.1.3.3":           nil,
	"1.3.6.1.4.1.36305.2":           nil,
	"1.3.6.1.4.1.22234.2.5.2.3.1":   nil,
	"1.2.616.1.113527.2.5.1.1":      nil,
	"1.3.6.1.4.1.29836.1.10":        nil,
	"1.3.6.1.4.1.6449.1.2.1.5.1":    nil,
	"1.3.6.1.4.1.6334.1.100.1":      nil,
	"2.16.840.1.114412.2.1":         nil,
	"1.3.6.1.4.1.4788.2.202.1":      nil,
	"2.16.840.1.114028.10.1.2":      nil,
	"2.16.792.3.0.4.1.1.4":          nil,
	"1.3.6.1.4.1.14370.1.6":         nil,
	"1.3.6.1.4.1.4146.1.1":          nil,
	"2.16.840.1.114413.1.7.23.3":    nil,
	"1.3.6.1.4.1.14777.6.1.1":       nil,
	"1.3.6.1.4.1.14777.6.1.2":       nil,
	"1.3.6.1.4.1.782.1.2.1.8.1":     nil,
	"1.3.6.1.4.1.8024.0.2.100.1.2":  nil,
	"2.16.840.1.114404.1.1.2.4.1":   nil,
	"1.2.392.200091.100.721.1":      nil,
	"2.16.528.1.1003.1.2.7":         nil,
	"1.3.6.1.4.1.23223.1.1.1":       nil,
	"2.16.840.1.114414.1.7.23.3":    nil,
	"2.16.840.1.114414.1.7.24.3":    nil,
	"2.16.756.1.89.1.2.1.1":         nil,
	"2.16.756.1.83.21.0":            nil,
	"2.16.840.1.113733.1.7.48.1":    nil,
	"1.3.6.1.4.1.40869.1.1.22.3":    nil,
	"1.3.6.1.4.1.7879.13.24.1":      nil,
	"2.16.840.1.113733.1.7.23.6":    nil,
	"2.16.840.1.114171.500.9":       nil,
	"2.16.156.112554.3":             nil,
	"2.16.756.5.14.7.4.8":           nil,
	"2.16.792.3.0.3.1.1.5":          nil,
}

ExtendedValidationOIDs contains the UNION of the Chromium (https://chromium.googlesource.com/chromium/src/net/+/master/cert/ev_root_ca_metadata.cc) and Firefox (http://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp) EV OID lists.

var OrganizationValidationOIDs = map[string]interface{}{
	"2.23.140.1.2.2":               nil,
	"2.23.140.1.2.3":               nil,
	"2.16.840.1.114412.1.1":        nil,
	"1.3.6.1.4.1.4788.2.200.1":     nil,
	"2.16.840.1.114413.1.7.23.2":   nil,
	"2.16.528.1.1003.1.2.5.6":      nil,
	"1.3.6.1.4.1.8024.0.2.100.1.1": nil,
	"2.16.840.1.114414.1.7.23.2":   nil,
	"2.16.792.3.0.3.1.1.2":         nil,
}

OrganizationValidationOIDs contains CA-specific OV OIDs from https://cabforum.org/object-registry/.

Functions

func BuildCertificateChain added in v0.1.6

func BuildCertificateChain(certs []*x509.Certificate) ([]*ctx509.Certificate, error)

func CheckConnectionState

func CheckConnectionState(state *tls.ConnectionState) error

CheckConnectionState examines SCTs (both embedded and in the TLS extension) and returns nil if at least one of them is valid.

Example
// Verifying the SCTs after an HTTPS GET request.
resp, err := http.Get("https://www.certificate-transparency.org")
if err != nil {
	panic("get failed " + err.Error())
}

err = sct.CheckConnectionState(resp.TLS)
if err != nil {
	panic("SCT check failed " + err.Error())
} else {
	fmt.Println("sct verify ok")
}
Output:

func GetDefaultChecker added in v0.1.5

func GetDefaultChecker() *checker

GetDefaultChecker returns the default checker, initializing it if needed.

func ValidationLevel added in v0.1.5

func ValidationLevel(out *ctx509.Certificate) string

Types

type CertValidationLevel

type CertValidationLevel int
const (
	UnknownValidationLevel CertValidationLevel = 0
	DV                     CertValidationLevel = 1
	OV                     CertValidationLevel = 2
	EV                     CertValidationLevel = 3
)

func (CertValidationLevel) String

func (i CertValidationLevel) String() string
