Include certificate extension with PHP


Manuel_dev

Jun 5, 2015, 6:54:25 AM6/5/15
to certificate-...@googlegroups.com
I obtain the SCTs but I have some problems to include the data into X.509v3 extension. Anyone knows PHP functions to include this extension or to send openssl to include this extension correctly?

I have tried to serialize with PHP the SCT responses from log servers into the X.509v3 extension in hexadecimal format.

Pierre Phaneuf

Jun 5, 2015, 7:33:52 AM6/5/15
to certificate-...@googlegroups.com
I might be mistaken, but by the time the PHP code on your server runs,
the SSL connection has already been negotiated, so it would be too
late? There are some modules for Apache and Nginx to add the SCT to
the SSL negotiation, those are probably your best bet.

Or are you trying to embed the SCT as an extension into the
certificate? I think that extension is signed by your CA, so you
wouldn't be able to do that, only your CA would?

Manuel_dev

Jun 5, 2015, 7:41:13 PM6/5/15
to certificate-...@googlegroups.com
I try to include the SCT as an extension in my certificate because I generate all certificates as a CA.

My problem is that I serialize SCTs that I receive from log servers but it is not recognized by Google Chrome.

I need concrete PHP code to include plain-text SCTs in a certificate extension.

Manuel_dev

Jun 16, 2015, 8:28:56 AM6/16/15
to certificate-...@googlegroups.com
Any idea about this issue?

Eran Messeri

Jun 16, 2015, 10:15:27 AM6/16/15
to certificate-...@googlegroups.com
If I understand correctly you're after PHP code to encode individual SCTs (received as JSON) into TLS encoding, then encode all of them together into a SignedCertificateTimestampList structure (again encoded using TLS encoding), to be embedded in a certificate (inside an ASN.1 OCTET STRING).
I don't know of such code. However, you may find the following slides useful:
They are from a workshop on integrating with CT, which sounds exactly like what you're trying to do.

Eran

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Manuel_dev

Jun 21, 2015, 6:21:59 AM6/21/15
to certificate-...@googlegroups.com
Thank you for your response. Effectively, I need to encode individual SCTs into TLS encoding, and I tried to encode the SCT into TLS with PHP but it was impossible. I don't know how to convert the SCT JSON string into TLS-encoded binary.

Manuel

Matt Palmer

Jun 21, 2015, 6:40:09 AM6/21/15
to certificate-...@googlegroups.com
On Sun, Jun 21, 2015 at 03:21:59AM -0700, Manuel_dev wrote:
> Thank you for your response. Efectively, I need to encode individual SCTs
> into TLS encoding, and I tried to encode SCT into TLS with PHP but it was
> impossible. I don't know how to convert the SCT JSON String into TLS
> encoded binary.

You're probably more-or-less on your own in writing such code -- you'll need
to read and understand the various intricacies of the different data
structures in RFC6962 (for the JSON) and RFC5246 (for the TLS extension),
and write the PHP code to transmogrify one into the other.

If you have specific questions about the meaning of individual parts of the
spec, I'm sure a question here will get you an answer. However, without a
better idea of what exactly you're getting stuck on, I doubt you'll get the
help you need. Claiming that it is "impossible" isn't giving us much to go
on (unless, perhaps, you're hoping that someone will prove you wrong and
then give you the code as proof...)

Perhaps, as a first step, you could share the code you've written, and the
intermediate steps you've gotten (for instance, for a given JSON SCT, what
does your SignedCertificateTimestamp look like? Then what does your
SignedCertificateTimestampList look like? And the TLS extension?

- Matt

--
My favourite was some time ago, and involved a female customer thanking "Mr.
Daemon" for his effort trying to deliver her mail, and offering him a "good
time" if he ever visited Sydney.
-- Matt McLeod
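Worked example, added here and not code from anyone in the thread: the pipeline Eran describes (JSON SCT -> TLS-encoded SignedCertificateTimestamp -> SignedCertificateTimestampList -> OCTET STRING in the extension) and the intermediate structures Matt asks to see, carried through in Python rather than PHP because the byte layout is language-independent and only `pack`/`unpack` with big-endian widths is needed. The vector-length conventions (one 2-byte length per `<0..2^16-1>` vector) are those of RFC 5246; the field layout is RFC 6962 sections 3.2 and 3.3. `SAMPLE_SCT` is a constructed log response with placeholder signature bytes, and `encode_sct`, `encode_sct_list`, `decode_sct_list`, `sct_extension_der`, `openssl_extfile_line` and `build_example` are names chosen for this example.

```python
"""Encode SCTs from a CT log's JSON response into the X.509 extension of
RFC 6962 section 3.3 (OID 1.3.6.1.4.1.11129.2.4.2). Constructed example."""
from __future__ import annotations

import base64
import struct

SCT_OID = "1.3.6.1.4.1.11129.2.4.2"

# Constructed sample shaped like an add-pre-chain response (RFC 6962 section 4.1).
# The signature bytes are placeholders: 04 03 = SHA-256/ECDSA, a 2-byte length,
# then four dummy bytes; they would not verify against any real log key.
SAMPLE_SCT = {
    "sct_version": 0,
    "id": base64.b64encode(bytes(range(32))).decode(),
    "timestamp": 1433500000000,
    "extensions": "",
    "signature": base64.b64encode(b"\x04\x03\x00\x04\xde\xad\xbe\xef").decode(),
}


def encode_sct(sct: dict) -> bytes:
    """TLS-encode one SCT (RFC 6962 section 3.2): uint8 version | opaque id[32] |
    uint64 timestamp | opaque extensions<0..2^16-1> | DigitallySigned signature.
    The JSON "signature" field is already the DigitallySigned encoding (hash and
    signature algorithm bytes, 2-byte length, signature), so it is copied as is."""
    log_id = base64.b64decode(sct["id"])
    if sct["sct_version"] != 0 or len(log_id) != 32:
        raise ValueError("only v1 SCTs with a 32-byte log id are supported")
    extensions = base64.b64decode(sct.get("extensions", ""))
    signature = base64.b64decode(sct["signature"])
    if len(signature) < 4 or struct.unpack(">H", signature[2:4])[0] != len(signature) - 4:
        raise ValueError("signature is not a TLS DigitallySigned structure")
    return (struct.pack(">B32sQ", 0, log_id, sct["timestamp"])
            + struct.pack(">H", len(extensions)) + extensions + signature)


def encode_sct_list(scts: list[bytes]) -> bytes:
    """SignedCertificateTimestampList (RFC 6962 section 3.3): a 2-byte total
    length, then each SCT prefixed with its own 2-byte length."""
    if not scts:
        raise ValueError("sct_list must hold at least one SCT")
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    if len(body) > 0xFFFF:
        raise ValueError("sct_list exceeds 2^16-1 bytes")
    return struct.pack(">H", len(body)) + body


def decode_sct_list(data: bytes) -> list[bytes]:
    """Inverse of encode_sct_list; rejects truncated or trailing bytes."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != len(data) - 2:
        raise ValueError("list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(data[pos:pos + n])
        pos += n
    return scts


def der_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|byte-count then big-endian."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_octet_string(value: bytes) -> bytes:
    return b"\x04" + der_length(len(value)) + value


def der_oid(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs merged, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return b"\x06" + der_length(len(out)) + bytes(out)


def sct_extension_der(sct_list: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }. extnValue
    carries the DER value of the extension, which RFC 6962 defines as an OCTET
    STRING of the TLS list: hence an OCTET STRING inside an OCTET STRING."""
    body = der_oid(SCT_OID) + der_octet_string(der_octet_string(sct_list))
    return b"\x30" + der_length(len(body)) + body


def openssl_extfile_line(sct_list: bytes) -> str:
    """The same extension as an openssl x509v3_config line for -extfile; the DER:
    value is the inner OCTET STRING, which openssl itself wraps in extnValue."""
    hexval = ":".join(f"{b:02X}" for b in der_octet_string(sct_list))
    return f"{SCT_OID}=DER:{hexval}"


def build_example() -> bytes:
    """Run the whole pipeline on the constructed sample (73-byte Extension)."""
    return sct_extension_der(encode_sct_list([encode_sct(SAMPLE_SCT)]))
```

Two checks worth doing before blaming the serializer: dump the extension with `openssl asn1parse -inform DER` and confirm the OID parses as `CT Precertificate SCTs` with two nested OCTET STRINGs, and run `decode_sct_list` over the inner bytes to confirm the 2-byte lengths add up. The other thing a CA embedding SCTs must get right is what it signs: the SCT that goes into the final certificate has to come from submitting the precertificate (the TBSCertificate carrying the poison extension, via add-pre-chain) rather than the finished certificate, because the log's signature covers the TBSCertificate with the SCT extension absent; an SCT obtained by submitting the final certificate to add-chain and then pasted into that certificate will not validate.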

Peter Bowen

Jun 21, 2015, 11:58:17 AM6/21/15
to certificate-...@googlegroups.com
On Sun, Jun 21, 2015 at 3:21 AM, Manuel_dev <manolo...@gmail.com> wrote:
> Thank you for your response. Efectively, I need to encode individual SCTs
> into TLS encoding, and I tried to encode SCT into TLS with PHP but it was
> impossible. I don't know how to convert the SCT JSON String into TLS encoded
> binary.

Are you trying to deliver SCTs to the browser using a TLS Extension,
as described in http://www.certificate-transparency.org/how-ct-works?

If so, and if you are using mod_php or similar with Apache, Nginx, or
IIS, it isn't going to work. This is because the TLS handshake has
completed before your PHP code is run. All three modes of SCT
delivery happen before any HTTP request is received, so you cannot
have an application return them independently.

Does this help?

Thanks,
Peter

Pierre Phaneuf

Jun 22, 2015, 9:32:57 AM6/22/15
to certificate-...@googlegroups.com
On Sun, Jun 21, 2015 at 4:58 PM, Peter Bowen <pzb...@gmail.com> wrote:

> Are you trying to deliver SCTs to the browser using a TLS Extension,
> as described in http://www.certificate-transparency.org/how-ct-works?

That's what I thought it was at the beginning of the thread (and gave
him a similar answer), but it appears that he's running a CA on a
PHP-based platform, and this is more about how to integrate the SCTs
into the certificates?