Class CTVerifier

  • @Internal
    public class CTVerifier
    extends java.lang.Object
    • Constructor Detail

      • CTVerifier

        public CTVerifier(CTLogStore store)
    • Method Detail

      • verifySignedCertificateTimestamps

        public CTVerificationResult verifySignedCertificateTimestamps(java.util.List<java.security.cert.X509Certificate> chain,
                                                                      byte[] tlsData,
                                                                      byte[] ocspData)
                                                               throws java.security.cert.CertificateEncodingException
        Throws:
        java.security.cert.CertificateEncodingException
      • verifySignedCertificateTimestamps

        public CTVerificationResult verifySignedCertificateTimestamps(OpenSSLX509Certificate[] chain,
                                                                      byte[] tlsData,
                                                                      byte[] ocspData)
                                                               throws java.security.cert.CertificateEncodingException
        Verify a certificate chain for transparency. Signed certificate timestamps are extracted from the leaf certificate, the TLS extension, and the stapled OCSP response, and verified against the list of known logs.
        Throws:
        java.lang.IllegalArgumentException - if the chain is empty
        java.security.cert.CertificateEncodingException
      • verifyExternalSCTs

        private void verifyExternalSCTs(java.util.List<SignedCertificateTimestamp> scts,
                                        OpenSSLX509Certificate leaf,
                                        CTVerificationResult result)
        Verify a list of SCTs that were not embedded in an X.509 certificate, that is, SCTs received through the TLS or OCSP extensions. The result of the verification for each SCT is added to result.
      • getSCTsFromSCTList

        private static java.util.List<SignedCertificateTimestamp> getSCTsFromSCTList(byte[] data,
                                                                                     SignedCertificateTimestamp.Origin origin)
        Parse an encoded SignedCertificateTimestampList into a list of SignedCertificateTimestamp instances, as described by RFC6962. Individual SCTs which fail to be parsed are skipped. If the data is null, or the encompassing list fails to be parsed, an empty list is returned.
        Parameters:
        origin - used to create the SignedCertificateTimestamp instances.
      • getSCTsFromTLSExtension

        private java.util.List<SignedCertificateTimestamp> getSCTsFromTLSExtension(byte[] data)
        Extract a list of SignedCertificateTimestamp from a TLS "signed_certificate_timestamp" extension as described by RFC6962. Individual SCTs which fail to be parsed are skipped. If the data is null, or the encompassing list fails to be parsed, an empty list is returned.
        Parameters:
        data - contents of the TLS extension to be decoded
      • getSCTsFromOCSPResponse

        private java.util.List<SignedCertificateTimestamp> getSCTsFromOCSPResponse(byte[] data,
                                                                                   OpenSSLX509Certificate[] chain)
        Extract a list of SignedCertificateTimestamp contained in an OCSP response. If the data is null, or parsing the OCSP response fails, an empty list is returned. Individual SCTs which fail to be parsed are skipped.
        Parameters:
        data - contents of the OCSP response
        chain - certificate chain for which to get SCTs. Must contain at least the leaf and its issuer in order to identify the relevant SingleResponse in the OCSP response; otherwise an empty list is returned
      • getSCTsFromX509Extension

        private java.util.List<SignedCertificateTimestamp> getSCTsFromX509Extension(OpenSSLX509Certificate leaf)
        Extract a list of SignedCertificateTimestamp embedded in an X509 certificate. If the certificate does not contain any SCT extension, or the encompassing encoded list fails to be parsed, an empty list is returned. Individual SCTs which fail to be parsed are ignored.
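As an added illustration of the parsing policy that getSCTsFromSCTList and getSCTsFromTLSExtension describe (null or malformed outer list gives an empty result, an individual SCT that fails to parse is skipped), here is a stand-alone parser for the RFC 6962 SignedCertificateTimestampList wire format. This is example code written for this page, not Conscrypt's implementation; the sample list is constructed inline, and signature verification against known logs is out of scope here.

```python
import struct

SCT_V1 = 0  # RFC 6962 Version.v1

def _opaque16(buf, pos):
    """Read an RFC 6962 opaque<..2^16-1> at pos; ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    n = struct.unpack_from(">H", buf, pos)[0]
    if pos + 2 + n > len(buf):
        raise ValueError("truncated value")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_sct(blob):
    """Parse one v1 SerializedSCT into a dict of fields; ValueError if malformed."""
    if len(blob) < 41 or blob[0] != SCT_V1:  # version(1) + log_id(32) + timestamp(8)
        raise ValueError("bad version or too short")
    log_id, ts = blob[1:33], struct.unpack_from(">Q", blob, 33)[0]
    exts, pos = _opaque16(blob, 41)
    if pos + 2 > len(blob):
        raise ValueError("missing signature algorithms")
    sig, end = _opaque16(blob, pos + 2)
    if end != len(blob):
        raise ValueError("trailing bytes after SCT")
    return {"log_id": log_id, "timestamp_ms": ts, "extensions": exts,
            "hash_alg": blob[pos], "sig_alg": blob[pos + 1], "signature": sig}

def parse_sct_list(data):
    """SignedCertificateTimestampList -> parsed SCTs, with the Javadoc's policy:
    None or a malformed outer list gives [], a bad individual SCT is skipped."""
    if data is None:
        return []
    try:
        body, _ = _opaque16(data, 0)
        scts, pos = [], 0
        while pos < len(body):
            item, pos = _opaque16(body, pos)
            try:
                scts.append(parse_sct(item))
            except ValueError:
                pass  # skip this SCT, keep parsing the rest
    except ValueError:
        return []  # the encompassing list itself is malformed
    return scts

# Constructed sample: one well-formed v1 SCT followed by one truncated SCT.
GOOD_SCT = (bytes([SCT_V1]) + b"\x11" * 32 + struct.pack(">Q", 1700000000000)
            + b"\x00\x00" + bytes([4, 3]) + b"\x00\x04" + b"\xde\xad\xbe\xef")
_items = b"".join(struct.pack(">H", len(s)) + s for s in (GOOD_SCT, GOOD_SCT[:40]))
SAMPLE_LIST = struct.pack(">H", len(_items)) + _items  # second SCT is cut mid-timestamp
```

Running parse_sct_list(SAMPLE_LIST) yields exactly one parsed SCT, the truncated second entry being dropped, while a list whose outer length prefix overruns the data yields none.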