Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-6977

Certificate Transparency, add verification of embedded SCTs and upgrade version of google/certificate-transparency-java

        Details

        • Stakeholder:
          R&D
        • Issue discovered during:
          Customer
        • Sprint:
          EJBCA Sprint 14, EJBCA Sprint 15

          Description

          Decided not to make a pull request with HttpPostTimeoutInvoker.java. I think it's better to have this code in EJBCA if we want to change it later.

          Tomas has implemented verification of SCTs in Google's CT lib. Protobuf dependency has also been updated (there was a CVE in the old one). We should clone the new code from GitHub, build a jar file and include it into EJBCA.

          Instead of building directly from google/certificate-transparency-java I used my own fork.

          > git clone git@github.com:Realiserad/certificate-transparency-java.git
Cloning into 'certificate-transparency-java'...
remote: Counting objects: 673, done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 673 (delta 0), reused 13 (delta 0), pack-reused 654
Receiving objects: 100% (673/673), 10.20 MiB | 955.00 KiB/s, done.
Resolving deltas: 100% (281/281), done.
Checking connectivity... done.
[realiserad] => [/tmp]
> cd certificate-transparency-java/
[realiserad] => [/tmp/certificate-transparency-java]
> git remote add upstream git@github.com:google/certificate-transparency-java.git
[realiserad] => [/tmp/certificate-transparency-java]
> git fetch upstream
remote: Counting objects: 31, done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 31 (delta 14), reused 24 (delta 9), pack-reused 0
Unpacking objects: 100% (31/31), done.
From github.com:google/certificate-transparency-java
 * [new branch]      master     -> upstream/master
[realiserad] => [/tmp/certificate-transparency-java]
> git pull upstream master
Warning: Permanently added the RSA host key for IP address '192.30.253.112' to the list of known hosts.
From github.com:google/certificate-transparency-java
 * branch            master     -> FETCH_HEAD
Updating 8ca5e52..429c7b1
Fast-forward
 pom.xml                                                            |   4 +-
 .../java/org/certificatetransparency/ctlog/CertificateInfo.java    |   7 ++
 src/main/java/org/certificatetransparency/ctlog/LogInfo.java       |   2 +-
 .../org/certificatetransparency/ctlog/LogSignatureVerifier.java    |  93 +++++++++--------
 .../certificatetransparency/ctlog/serialization/CTConstants.java   |   1 +
 .../org/certificatetransparency/ctlog/utils/VerifySignature.java   | 161 ++++++++++++++++++++++++++----
 .../certificatetransparency/ctlog/LogSignatureVerifierTest.java    |  73 ++++++++++++--
 src/test/java/org/certificatetransparency/ctlog/TestData.java      |  10 ++
 src/test/resources/testdata/digicert-ct-server-key-public.pem      |   4 +
 src/test/resources/testdata/github-chain.pem                       |  69 +++++++++++++
 .../resources/testdata/google-ct-skydiver-server-key-public.pem    |   4 +
 11 files changed, 348 insertions(+), 80 deletions(-)
 create mode 100644 src/test/resources/testdata/digicert-ct-server-key-public.pem
 create mode 100644 src/test/resources/testdata/github-chain.pem
 create mode 100644 src/test/resources/testdata/google-ct-skydiver-server-key-public.pem

          We should also add code to EJBCA for actually verifying the SCTs in the final certificate.

            Attachments

              Issue Links

              is related to

              Improvement - An improvement or enhancement to an existing feature or task. ECA-6940 CT: Verify embedded SCTs in the final certificate before completing issuance

              • Minor - Minor loss of function, or other problem where easy workaround is present.
              • Closed
              split to

              Improvement - An improvement or enhancement to an existing feature or task. ECA-6162 CT log request - optional full hierarchy, full Json request in debug log

              • Minor - Minor loss of function, or other problem where easy workaround is present.
              • Closed

                Activity

                  People

                  • Assignee:
                    realiserad Bastian Fredriksson
                    Reporter:
                    realiserad Bastian Fredriksson
                    Verified by:
                    Tomas Gustavsson
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved:

                      Time Tracking

                      Estimated:
                      Original Estimate - 3 days
                      3d
                      Remaining:
                      Time Spent - 2 days, 1 hour, 22 minutes Remaining Estimate - 6 hours, 38 minutes
                      6h 38m
                      Logged:
                      Time Spent - 2 days, 1 hour, 22 minutes Remaining Estimate - 6 hours, 38 minutes
                      2d 1h 22m