Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: EJBCA 6.13.0
-
Fix Version/s: EJBCA 6.14.0
-
Component/s: None
-
Issue discovered during:Customer
-
Sprint:EJBCA Sprint 14, EJBCA Sprint 15
Description
Decided not to make a pull request with HttpPostTimeoutInvoker.java. I think it's better to have this code in EJBCA if we want to change it later.
Tomas has implemented verification of SCTs in Google's CT lib. Protobuf dependency has also been updated (there was a CVE in the old one). We should clone the new code from GitHub, build a jar file and include it into EJBCA.
Instead of building directly from google/certificate-transparency-java I used my own fork.
> git clone git@github.com:Realiserad/certificate-transparency-java.git Cloning into 'certificate-transparency-java'... remote: Counting objects: 673, done. remote: Compressing objects: 100% (15/15), done. remote: Total 673 (delta 0), reused 13 (delta 0), pack-reused 654 Receiving objects: 100% (673/673), 10.20 MiB | 955.00 KiB/s, done. Resolving deltas: 100% (281/281), done. Checking connectivity... done. [realiserad] => [/tmp] > cd certificate-transparency-java/ [realiserad] => [/tmp/certificate-transparency-java] > git remote add upstream git@github.com:google/certificate-transparency-java.git [realiserad] => [/tmp/certificate-transparency-java] > git fetch upstream remote: Counting objects: 31, done. remote: Compressing objects: 100% (17/17), done. remote: Total 31 (delta 14), reused 24 (delta 9), pack-reused 0 Unpacking objects: 100% (31/31), done. From github.com:google/certificate-transparency-java * [new branch] master -> upstream/master [realiserad] => [/tmp/certificate-transparency-java] > git pull upstream master Warning: Permanently added the RSA host key for IP address '192.30.253.112' to the list of known hosts. From github.com:google/certificate-transparency-java * branch master -> FETCH_HEAD Updating 8ca5e52..429c7b1 Fast-forward pom.xml | 4 +- .../java/org/certificatetransparency/ctlog/CertificateInfo.java | 7 ++ src/main/java/org/certificatetransparency/ctlog/LogInfo.java | 2 +- .../org/certificatetransparency/ctlog/LogSignatureVerifier.java | 93 +++++++++-------- .../certificatetransparency/ctlog/serialization/CTConstants.java | 1 + .../org/certificatetransparency/ctlog/utils/VerifySignature.java | 161 ++++++++++++++++++++++++++---- .../certificatetransparency/ctlog/LogSignatureVerifierTest.java | 73 ++++++++++++-- src/test/java/org/certificatetransparency/ctlog/TestData.java | 10 ++ src/test/resources/testdata/digicert-ct-server-key-public.pem | 4 + src/test/resources/testdata/github-chain.pem | 69 +++++++++++++ .../resources/testdata/google-ct-skydiver-server-key-public.pem | 4 + 11 files changed, 348 insertions(+), 80 deletions(-) create mode 100644 src/test/resources/testdata/digicert-ct-server-key-public.pem create mode 100644 src/test/resources/testdata/github-chain.pem create mode 100644 src/test/resources/testdata/google-ct-skydiver-server-key-public.pem
We should also add code to EJBCA for actually verifying the SCTs in the final certificate.