Source file src/github.com/google/certificate-transparency-go/gossip/minimal/x509ext/x509ext.go

Documentation: github.com/google/certificate-transparency-go/gossip/minimal/x509ext

     1  // Copyright 2018 Google LLC. All Rights Reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package x509ext holds extensions types and values for minimal gossip.
    16  package x509ext
    17  
    18  import (
    19  	"errors"
    20  	"fmt"
    21  
    22  	"github.com/google/certificate-transparency-go/asn1"
    23  	"github.com/google/certificate-transparency-go/tls"
    24  	"github.com/google/certificate-transparency-go/x509"
    25  
    26  	ct "github.com/google/certificate-transparency-go"
    27  )
    28  
// Object identifiers used by minimal gossip. Both are placeholders under the
// same private arc (1.3.6.1.4.1.11129.2.4) as the other CT-related OIDs; they
// are package-level variables only because Go has no const slices, and must
// never be reassigned. Compare with ObjectIdentifier.Equal, not ==.
//
// TODO(drysdale): get an official OID value for each of these.
var (
	// OIDExtensionCTSTH is the OID value for an X.509 extension that holds
	// a log STH value (a TLS-encoded LogSTHInfo).
	OIDExtensionCTSTH = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 5}

	// OIDExtKeyUsageCTMinimalGossip is the OID value for an extended key usage
	// (EKU) that indicates a leaf certificate is used for the validation of STH
	// values from public CT logs.
	OIDExtKeyUsageCTMinimalGossip = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 6}
)
    39  
// LogSTHInfo is the structure that gets TLS-encoded into the X.509 extension
// identified by OIDExtensionCTSTH.
//
// Field order and the `tls` struct tags define the wire format (per the ct
// tls package's tag conventions, LogURL is limited to 255 bytes and Version
// to a single byte), so neither may change without invalidating every
// certificate already issued with this extension.
//
// The STH fields mirror ct.SignedTreeHead minus LogID; the log is instead
// named by LogURL. That URL is plain certificate content, not an
// authenticated log identity: a consumer must map it to a log it already
// knows (and that log's public key) before it verifies TreeHeadSignature.
// Nothing in this file checks the signature, the Version value, or the URL.
type LogSTHInfo struct {
	LogURL            []byte   `tls:"maxlen:255"`
	Version           tls.Enum `tls:"maxval:255"`
	TreeSize          uint64
	Timestamp         uint64
	SHA256RootHash    ct.SHA256Hash
	TreeHeadSignature ct.DigitallySigned
}
    50  
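// LogSTHInfoFromCert retrieves the STH information embedded in a certificate.
//
// It locates the extension with OIDExtensionCTSTH and TLS-decodes its value
// into a LogSTHInfo. Trailing bytes after the TLS structure are an error
// rather than ignored, so the extension value must be exactly one encoded
// LogSTHInfo.
//
// A certificate carrying more than one OIDExtensionCTSTH extension is
// rejected as malformed (RFC 5280 §4.2 forbids repeating an extension)
// instead of having the first one silently chosen: otherwise two consumers
// could act on different STHs from the same certificate. The x509 parser is
// not relied on to enforce this.
//
// The result is decoded bytes only. The TreeHeadSignature is not verified,
// the Version is not checked, and LogURL is not matched against any known
// log; callers must do all of that before trusting the STH.
func LogSTHInfoFromCert(cert *x509.Certificate) (*LogSTHInfo, error) {
	var found *LogSTHInfo
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(OIDExtensionCTSTH) {
			continue
		}
		if found != nil {
			return nil, errors.New("multiple STH extensions found")
		}
		var sthInfo LogSTHInfo
		rest, err := tls.Unmarshal(ext.Value, &sthInfo)
		if err != nil {
			return nil, fmt.Errorf("failed to unmarshal STH: %v", err)
		}
		if len(rest) > 0 {
			// Strict: a valid extension holds nothing but the TLS structure.
			return nil, fmt.Errorf("trailing data (%d bytes) after STH", len(rest))
		}
		found = &sthInfo
	}
	if found == nil {
		return nil, errors.New("no STH extension found")
	}
	return found, nil
}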
    67  
// HasSTHInfo reports whether cert carries an extension with OIDExtensionCTSTH.
//
// Only the presence of the extension is checked; its value is not decoded, so
// a true result does not guarantee that LogSTHInfoFromCert will succeed on
// the same certificate.
func HasSTHInfo(cert *x509.Certificate) bool {
	exts := cert.Extensions
	for i := range exts {
		if exts[i].Id.Equal(OIDExtensionCTSTH) {
			return true
		}
	}
	return false
}
    77  
// STHFromCert retrieves the STH embedded in a certificate; note the returned STH
// does not have the LogID field filled in.
//
// The STH is built field-by-field from the LogSTHInfo extension value. The
// log is identified there only by LogSTHInfo.LogURL, which is not carried
// over, so callers must resolve the URL to a known log and its key
// themselves. TreeHeadSignature is copied verbatim and is NOT verified here;
// the Version narrowing is safe because the `maxval:255` tag bounds it at
// decode time.
func STHFromCert(cert *x509.Certificate) (*ct.SignedTreeHead, error) {
	info, err := LogSTHInfoFromCert(cert)
	if err != nil {
		return nil, err
	}
	var sth ct.SignedTreeHead
	sth.Version = ct.Version(info.Version)
	sth.TreeSize = info.TreeSize
	sth.Timestamp = info.Timestamp
	sth.SHA256RootHash = info.SHA256RootHash
	sth.TreeHeadSignature = info.TreeHeadSignature
	return &sth, nil
}
    93  
