Class CTVerifier

java.lang.Object
org.conscrypt.ct.CTVerifier

@Internal public class CTVerifier extends Object
  • Constructor Details

    • CTVerifier

      public CTVerifier(CTLogStore store)
  • Method Details

    • verifySignedCertificateTimestamps

      public CTVerificationResult verifySignedCertificateTimestamps(List<X509Certificate> chain, byte[] tlsData, byte[] ocspData) throws CertificateEncodingException
      Throws:
      CertificateEncodingException
    • verifySignedCertificateTimestamps

      public CTVerificationResult verifySignedCertificateTimestamps(OpenSSLX509Certificate[] chain, byte[] tlsData, byte[] ocspData) throws CertificateEncodingException
      Verify a certificate chain for transparency. Signed certificate timestamps are extracted from the leaf certificate, the TLS extension, and the stapled OCSP response, and verified against the list of known logs.
      Throws:
      IllegalArgumentException - if the chain is empty
      CertificateEncodingException
    • verifyEmbeddedSCTs

      private void verifyEmbeddedSCTs(List<SignedCertificateTimestamp> scts, OpenSSLX509Certificate[] chain, CTVerificationResult result)
      Verify a list of SCTs that were embedded in an X509 certificate. The result of the verification for each SCT is added to result.
    • verifyExternalSCTs

      private void verifyExternalSCTs(List<SignedCertificateTimestamp> scts, OpenSSLX509Certificate leaf, CTVerificationResult result)
      Verify a list of SCTs that were not embedded in an X509 certificate, that is, SCTs received through the TLS extension or the OCSP response. The result of the verification for each SCT is added to result.
    • verifySingleSCT

      private VerifiedSCT.Status verifySingleSCT(SignedCertificateTimestamp sct, CertificateEntry certEntry)
      Verify a single SCT against the given certificate entry.
    • markSCTsAsInvalid

      private void markSCTsAsInvalid(List<SignedCertificateTimestamp> scts, CTVerificationResult result)
      Add every SCT in scts to result with status INVALID_SCT.
    • getSCTsFromSCTList

      private static List<SignedCertificateTimestamp> getSCTsFromSCTList(byte[] data, SignedCertificateTimestamp.Origin origin)
      Parse an encoded SignedCertificateTimestampList into a list of SignedCertificateTimestamp instances, as described by RFC6962. Individual SCTs which fail to be parsed are skipped. If the data is null, or the encompassing list fails to be parsed, an empty list is returned.
      Parameters:
      origin - used to create the SignedCertificateTimestamp instances.
    • getSCTsFromTLSExtension

      private List<SignedCertificateTimestamp> getSCTsFromTLSExtension(byte[] data)
      Extract a list of SignedCertificateTimestamp from a TLS "signed_certificate_timestamp" extension as described by RFC6962. Individual SCTs which fail to be parsed are skipped. If the data is null, or the encompassing list fails to be parsed, an empty list is returned.
      Parameters:
      data - contents of the TLS extension to be decoded
    • getSCTsFromOCSPResponse

      private List<SignedCertificateTimestamp> getSCTsFromOCSPResponse(byte[] data, OpenSSLX509Certificate[] chain)
      Extract a list of SignedCertificateTimestamp contained in an OCSP response. If the data is null, or parsing the OCSP response fails, an empty list is returned. Individual SCTs which fail to be parsed are skipped.
      Parameters:
      data - contents of the OCSP response
      chain - certificate chain for which to get SCTs. Must contain at least the leaf and its issuer in order to identify the relevant SingleResponse in the OCSP response; otherwise an empty list is returned
    • getSCTsFromX509Extension

      private List<SignedCertificateTimestamp> getSCTsFromX509Extension(OpenSSLX509Certificate leaf)
      Extract a list of SignedCertificateTimestamp embedded in an X509 certificate. If the certificate does not contain any SCT extension, or the encompassing encoded list fails to be parsed, an empty list is returned. Individual SCTs which fail to be parsed are ignored.
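The three extraction methods above (getSCTsFromSCTList, getSCTsFromTLSExtension, getSCTsFromX509Extension) all decode the RFC 6962 SignedCertificateTimestampList wire format with the same contract: null or a broken outer list yields an empty list, and individual malformed SCTs are skipped. The following added example is not Conscrypt's code; it is a stand-alone Python decoder of that format with constructed sample bytes (fake log id and signature) that exercises exactly that contract.

```python
SCT_V1 = 0  # RFC 6962 version byte for SCT v1

def _opaque(buf, pos, width):
    """Read a TLS-style length-prefixed opaque field; ValueError if truncated."""
    if pos + width > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + width], "big")
    if pos + width + n > len(buf):
        raise ValueError("truncated field body")
    return buf[pos + width:pos + width + n], pos + width + n

def parse_sct(raw):
    """Decode one SerializedSCT (RFC 6962 s3.2); ValueError if malformed."""
    if len(raw) < 41 or raw[0] != SCT_V1:
        raise ValueError("unsupported version or too short")
    extensions, pos = _opaque(raw, 41, 2)  # after version(1)+log_id(32)+timestamp(8)
    if pos + 2 > len(raw):
        raise ValueError("missing signature algorithms")
    signature, end = _opaque(raw, pos + 2, 2)
    if end != len(raw):
        raise ValueError("trailing bytes after signature")
    return {"log_id": raw[1:33], "timestamp_ms": int.from_bytes(raw[33:41], "big"),
            "extensions": extensions, "hash_alg": raw[pos], "sig_alg": raw[pos + 1],
            "signature": signature}

def parse_sct_list(data):
    """Decode a SignedCertificateTimestampList (RFC 6962 s3.3) with the contract
    documented above: None or an unparseable outer list -> [], bad SCTs skipped."""
    if data is None:
        return []
    try:
        body, _ = _opaque(data, 0, 2)
        scts, pos = [], 0
        while pos < len(body):
            raw, pos = _opaque(body, pos, 2)
            try:
                scts.append(parse_sct(raw))
            except ValueError:
                pass  # skip this SCT, keep decoding the rest
        return scts
    except ValueError:
        return []  # the list framing itself is broken

def _enc(field):
    return len(field).to_bytes(2, "big") + field

# Constructed sample (fake log id/signature): one good SCT, one with an unknown version, one truncated.
GOOD_SCT = bytes([SCT_V1]) + b"\x11" * 32 + (1700000000000).to_bytes(8, "big") \
    + _enc(b"") + bytes([4, 3]) + _enc(b"\xaa" * 8)
SAMPLE_LIST = _enc(_enc(GOOD_SCT) + _enc(bytes([1]) + GOOD_SCT[1:]) + _enc(GOOD_SCT[:40]))
```

Only the first SCT in SAMPLE_LIST survives decoding; the signature itself is not checked here, which is the separate step verifySingleSCT performs against the known-log store.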