Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-6977

Certificate Transparency, add verification of embedded SCTs and upgrade version of google/certificate-transparency-java

    Details

    • Stakeholder:
      R&D
    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Sprint 14, EJBCA Sprint 15

      Description

      Decided not to make a pull request with HttpPostTimeoutInvoker.java. I think it's better to have this code in EJBCA if we want to change it later.

      Tomas has implemented verification of SCTs in Google's CT lib. Protobuf dependency has also been updated (there was a CVE in the old one). We should clone the new code from GitHub, build a jar file and include it into EJBCA.

      Instead of building directly from google/certificate-transparency-java I used my own fork.

      > git clone git@github.com:Realiserad/certificate-transparency-java.git
      Cloning into 'certificate-transparency-java'...
      remote: Counting objects: 673, done.
      remote: Compressing objects: 100% (15/15), done.
      remote: Total 673 (delta 0), reused 13 (delta 0), pack-reused 654
      Receiving objects: 100% (673/673), 10.20 MiB | 955.00 KiB/s, done.
      Resolving deltas: 100% (281/281), done.
      Checking connectivity... done.
      [realiserad] => [/tmp]
      > cd certificate-transparency-java/
      [realiserad] => [/tmp/certificate-transparency-java]
      > git remote add upstream git@github.com:google/certificate-transparency-java.git
      [realiserad] => [/tmp/certificate-transparency-java]
      > git fetch upstream
      remote: Counting objects: 31, done.
      remote: Compressing objects: 100% (17/17), done.
      remote: Total 31 (delta 14), reused 24 (delta 9), pack-reused 0
      Unpacking objects: 100% (31/31), done.
      From github.com:google/certificate-transparency-java
       * [new branch]      master     -> upstream/master
      [realiserad] => [/tmp/certificate-transparency-java]
      > git pull upstream master
      Warning: Permanently added the RSA host key for IP address '192.30.253.112' to the list of known hosts.
      From github.com:google/certificate-transparency-java
       * branch            master     -> FETCH_HEAD
      Updating 8ca5e52..429c7b1
      Fast-forward
       pom.xml                                                            |   4 +-
       .../java/org/certificatetransparency/ctlog/CertificateInfo.java    |   7 ++
       src/main/java/org/certificatetransparency/ctlog/LogInfo.java       |   2 +-
       .../org/certificatetransparency/ctlog/LogSignatureVerifier.java    |  93 +++++++++--------
       .../certificatetransparency/ctlog/serialization/CTConstants.java   |   1 +
       .../org/certificatetransparency/ctlog/utils/VerifySignature.java   | 161 ++++++++++++++++++++++++++----
       .../certificatetransparency/ctlog/LogSignatureVerifierTest.java    |  73 ++++++++++++--
       src/test/java/org/certificatetransparency/ctlog/TestData.java      |  10 ++
       src/test/resources/testdata/digicert-ct-server-key-public.pem      |   4 +
       src/test/resources/testdata/github-chain.pem                       |  69 +++++++++++++
       .../resources/testdata/google-ct-skydiver-server-key-public.pem    |   4 +
       11 files changed, 348 insertions(+), 80 deletions(-)
       create mode 100644 src/test/resources/testdata/digicert-ct-server-key-public.pem
       create mode 100644 src/test/resources/testdata/github-chain.pem
       create mode 100644 src/test/resources/testdata/google-ct-skydiver-server-key-public.pem
      

      We should also add code to EJBCA for actually verifying the SCTs in the final certificate.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                realiserad Bastian Fredriksson
                Reporter:
                realiserad Bastian Fredriksson
                Verified by:
                Tomas Gustavsson
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 3 days
                  3d
                  Remaining:
                  Time Spent - 2 days, 1 hour, 22 minutes Remaining Estimate - 6 hours, 38 minutes
                  6h 38m
                  Logged:
                  Time Spent - 2 days, 1 hour, 22 minutes Remaining Estimate - 6 hours, 38 minutes
                  2d 1h 22m