  1. EJBCA
  2. ECA-6940

CT: Verify embedded SCTs in the final certificate before completing issuance

    Details

    • Type: Improvement
    • Status: Close Issue
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: PKI core
    • Labels:

      Description

      This applies when using Certificate Transparency and embedding SCTs retrieved by submitting pre-certificates to CT logs (which is the normal use case for CT).

      We had one corner case where the SCTs in the final certificate could not properly be verified because of altName ordering causing a different TBSCertificate encoding in the pre-certificate and the final certificate. To ensure that issued certificates are correct, we should verify the SCTs in the final certificate before completing the issuance, just as we verify the certificate signature today.

      If my pull request gets accepted the git version of certificate-transparency-java will be able to verify SCTs in the final certificate. My fork can be used in the meantime, but we should probably wait until it's reviewed and merged so the API is stable.

      https://github.com/google/certificate-transparency-java/pull/20
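
      The corner case described above, as an added example that is not code from EJBCA or certificate-transparency-java: an SCT signature covers the pre-certificate's TBSCertificate bytes, so the same altNames in a different order no longer match. It is a simplified model that compares extensions as (OID, DER value) pairs instead of parsing certificates and checking the SCT signature; the host names and SCT list bytes are constructed.

```python
# Added example, simplified model: extensions as (OID, DER extnValue) pairs.
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"    # RFC 6962 precertificate poison
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 embedded SCT list
SAN_OID = "2.5.29.17"                     # subjectAltName


def der_tlv(tag, content):
    """Encode one DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def san_value(dns_names):
    """DER GeneralNames of dNSName entries ([2] IMPLICIT), in the order given."""
    return der_tlv(0x30, b"".join(der_tlv(0x82, n.encode("ascii")) for n in dns_names))


def signed_view(extensions):
    """Drop the two extensions excluded from the SCT-signed TBSCertificate."""
    return [(oid, val) for oid, val in extensions
            if oid not in (POISON_OID, SCT_LIST_OID)]


def sct_coverage_mismatches(precert_exts, final_exts):
    """Return OIDs whose bytes differ between precert and final cert ([] = OK)."""
    pre, fin = signed_view(precert_exts), signed_view(final_exts)
    if [oid for oid, _ in pre] != [oid for oid, _ in fin]:
        return ["extension set or order differs"]
    return [oid for (oid, a), (_, b) in zip(pre, fin) if a != b]


# Constructed sample data (hypothetical names, placeholder SCT list bytes).
NAMES = ["a.example.test", "b.example.test"]
PRECERT = [(SAN_OID, san_value(NAMES)), (POISON_OID, b"\x05\x00")]
FINAL_SAME_ORDER = [(SAN_OID, san_value(NAMES)), (SCT_LIST_OID, b"placeholder")]
FINAL_REORDERED = [(SAN_OID, san_value(NAMES[::-1])), (SCT_LIST_OID, b"placeholder")]

if __name__ == "__main__":
    print(sct_coverage_mismatches(PRECERT, FINAL_SAME_ORDER))
    print(sct_coverage_mismatches(PRECERT, FINAL_REORDERED))
```

      A CA would run a comparison like this, or full SCT signature verification, on the final certificate and refuse to release it when the result is not empty.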

       


              People

              Assignee:
              Unassigned
              Reporter:
              tomas Tomas Gustavsson