def _get_precertificate_issuer(chain):
    """Return the certificate whose key is used to validate a PreCertificate.

    Args:
        chain: list of cert.Certificate instances, leaf (the PreCertificate)
            first.

    Returns:
        chain[1], unless that certificate carries the CT PreCertificate
        Signing extended key usage, in which case chain[2] (the issuer of
        the PreCertificate Signing Cert).

    Raises:
        ct.crypto.error.IncompleteChainError: the certificate that is
            needed as issuer is not present in the chain.
    """
    def _cert_at(index, message):
        # A too-short chain surfaces as IndexError; translate it into the
        # domain error callers are documented to handle.
        try:
            return chain[index]
        except IndexError:
            raise error.IncompleteChainError(message)

    issuer = _cert_at(1, "Chain with PreCertificate must contain issuer.")
    if issuer.extended_key_usage(oid.CT_PRECERTIFICATE_SIGNING):
        # chain[1] is a dedicated PreCertificate Signing Cert, so the key
        # the entry must be bound to belongs to the next certificate up.
        return _cert_at(
            2,
            "Chain with PreCertificate signed by PreCertificate "
            "Signing Cert must contain issuer.")
    return issuer
    def verify_embedded_scts(self, chain):
        """Extract and verify SCTs embedded in an X.509 certificate.

        Args:
            chain: list of cert.Certificate instances, leaf first.

        Returns:
            List of (SignedCertificateTimestamp, bool) pairs, one for each SCT
                present in the leaf certificate. The boolean is True if the
                corresponding SCT is valid, False otherwise. An empty list
                when the leaf carries no embedded SCT list.

        Raises:
            ct.crypto.error.EncodingError: failed to encode signature input,
                or decode the signature.
            ct.crypto.error.IncompleteChainError: the chain is empty.
        """
        try:
            leaf_cert = chain[0]
        except IndexError:
            raise error.IncompleteChainError(
                "Chain must contain leaf certificate.")

        scts_blob = leaf_cert.embedded_sct_list()
        if scts_blob is None:
            # No embedded SCT list at all: nothing to verify, not an error.
            return []

        sct_list = client_pb2.SignedCertificateTimestampList()
        tls_message.decode(scts_blob, sct_list)

        def _check(sct_blob):
            # Decode one SCT and pair it with its verification verdict.
            # Only VerifyError is mapped to False; decoding/encoding
            # failures propagate to the caller as documented above.
            sct = client_pb2.SignedCertificateTimestamp()
            tls_message.decode(sct_blob, sct)
            try:
                self.verify_sct(sct, chain)
            except error.VerifyError:
                return (sct, False)
            return (sct, True)

        return [_check(blob) for blob in sct_list.sct_list]
def _create_dst_entry(sct, chain):
    """Create a Digitally Signed Timestamped Entry to be validated.

    Args:
        sct: client_pb2.SignedCertificateTimestamp instance.
        chain: list of Certificate instances, leaf first.

    Returns:
        client_pb2.DigitallySignedTimestampedEntry instance with all
        fields set. The entry_type is PRECERT_ENTRY when the leaf is a
        PreCertificate, X509_ENTRY otherwise.

    Raises:
        ct.crypto.error.IncompleteChainError: a certificate is missing
            from the chain.
    """
    try:
        leaf_cert = chain[0]
    except IndexError:
        raise error.IncompleteChainError(
            "Chain must contain leaf certificate.")

    entry = client_pb2.DigitallySignedTimestampedEntry()

    # Fields shared by both entry types; timestamp and extensions are
    # copied from the SCT so the signature input matches what was signed.
    entry.sct_version = ct_pb2.V1
    entry.signature_type = client_pb2.CERTIFICATE_TIMESTAMP
    entry.timestamp = sct.timestamp
    entry.ct_extensions = sct.extensions

    if not _is_precertificate(leaf_cert):
        entry.entry_type = client_pb2.X509_ENTRY
        entry.asn1_cert = leaf_cert.to_der()
        return entry

    # PreCertificate: the entry is bound to the SHA-256 hash of the issuer
    # key and to the TBSCertificate as re-encoded by
    # _encode_tbs_certificate_for_validation (defined elsewhere in the file).
    issuer = _get_precertificate_issuer(chain)
    entry.entry_type = client_pb2.PRECERT_ENTRY
    entry.pre_cert.issuer_key_hash = issuer.key_hash('sha256')
    entry.pre_cert.tbs_certificate = _encode_tbs_certificate_for_validation(
        leaf_cert, issuer)
    return entry