github.com/mberhault/go-sct
module, package
0.0.1
Repository: https://github.com/mberhault/go-sct.git
Documentation: pkg.go.dev

# README

go-sct: Verifying Signed Certificate Timestamps in Go.

Warning:

This is a prototype, no guarantees are provided regarding correctness.

Use:

Perform Signed Certificate Timestamp verification for TLS connections.

To install:

```sh
go get github.com/mberhault/go-sct
```

Using it to verify a simple HTTPS GET:

```go
package main

import (
  "log"
  "net/http"

  "github.com/mberhault/go-sct"
)

// url is the endpoint whose TLS connection state will be checked for SCTs.
const url = "https://www.certificate-transparency.org"

func main() {
  resp, err := http.Get(url)
  if err != nil {
    log.Fatalf("get failed for %s: %v", url, err)
  }
  defer resp.Body.Close()

  // resp.TLS carries the peer certificates and the TLS extension data
  // from the handshake, which is where the SCTs are looked for.
  err = sct.CheckConnectionState(resp.TLS)
  if err != nil {
    log.Fatalf("failed SCT check: %v", err)
  }

  log.Printf("OK")
}
```

See the examples directory for various methods of verifying the tls.ConnectionState.

Signed Certificate Timestamp acceptance:

Two types of SCTs (Signed Certificate Timestamps) are examined:

  • embedded in an X.509 certificate
  • included in the TLS handshake as a TLS extension

SCTs are verified using the following:

  • extract SCTs from the X.509 certificate or the TLS extension
  • look up the corresponding log in the Chrome CT log list, specifically https://www.gstatic.com/ct/log_list/v2/log_list.json
  • verify SCT signature using the log's public key
  • check the log for inclusion

sct.CheckConnectionState returns success when the first valid SCT is encountered, skipping all others.

Caveats:

There are a few noteworthy caveats:

  • this is a prototype
  • SCTs included in the OCSP response are not examined
  • the log list is not refreshed after initialization
  • if the issuer certificate is missing, embedded SCTs cannot be verified and will fail
  • if the SCT is not included in the tree but its timestamp is before Maximum Merge Delay, the check passes
  • no configuration is currently possible
  • the set of dependencies is massive, pulling a large portion of certificate-transparency-go and its dependencies.

Performance:

This is a prototype for validation only; many aspects remain unoptimized. Expect severely increased latency.

# Packages

No description provided by the author

# Functions

CheckConnectionState examines SCTs (both embedded and in the TLS extension) and returns nil if at least one of them is valid.