Tool to create an TLS extension with multiple SCTs ?

393 views
Skip to first unread message

Fabrice Gautier

unread,
Mar 4, 2015, 12:58:55 PM3/4/15
to certificate-...@googlegroups.com
Hi,

I'm looking at the code and tests and found the way to create a TLS extension that contain a single SCT, using the C ct client. e.g.:

$ ct extension_data --sct_token=cert.proof --tls_extension_data_out=cert.proof.pem


But this does not seem to allow creation of an extension containing multiples SCTs.

Is there another way to use the ct client tool, or another tool that does this ?

Thanks

-- Fabrice

Janusz Dziemidowicz

unread,
Mar 5, 2015, 4:15:20 PM3/5/15
to certificate-...@googlegroups.com
I've created a simple Python script that allows one to submit certificate to known public logs: https://gist.github.com/rraptorr/2efaaf21caaf6574e8ff
It can output raw TLS extension data, I've used this to implement CT support for haproxy: http://marc.info/?l=haproxy&m=142558691423296&w=2

Tom Ritter

unread,
Mar 5, 2015, 6:37:48 PM3/5/15
to certificate-transparency
On 5 March 2015 at 22:15, Janusz Dziemidowicz <rrap...@nails.eu.org> wrote:
> I've created a simple Python script that allows one to submit certificate to
> known public logs: https://gist.github.com/rraptorr/2efaaf21caaf6574e8ff
> It can output raw TLS extension data, I've used this to implement CT support
> for haproxy: http://marc.info/?l=haproxy&m=142558691423296&w=2

Ah! I wish I had seen this before, I did the same thing:
https://github.com/tomrittervg/ct-tools

I was able to deploy the CT TLS Extension in a simple manner (well,
relative to setting up the entire module settings) on Apache using
them: https://ritter.vg/blog-require_certificate_transparency.html

-tom

Rob Stradling

unread,
Mar 6, 2015, 4:17:12 AM3/6/15
to certificate-...@googlegroups.com
On 05/03/15 23:37, Tom Ritter wrote:
<snip>
> I was able to deploy the CT TLS Extension in a simple manner (well,
> relative to setting up the entire module settings) on Apache using
> them: https://ritter.vg/blog-require_certificate_transparency.html

Hi Tom. Thanks for that blog post. I'd been meaning to reply to your
websec post (that proposed HSTS "must staple") to propose HSTS "require
CT". :-)

> In reality, not so much. Certificate Authorities are gearing up to
> support CT, and if you work closely with one, you may even be able to
> purchase a cert with embedded SCTs. (DigiCert says all you have to do
> is contact them.) So depending on your choice of CA, you may be able
> to leverage this mechanism.

Comodo's CA system is capable of embedding SCTs in any cert we issue,
although we currently only do this by default for EV SSL certs.

> Getting an SCT into an OCSP response is probably trickier. Not only
> does this require the cooperation of the CA, but because most CAs
> purchase software and hardware to run their OCSP responders it also
> likely requires that vendor to do some development. I'm not aware of
> any CA that supports this mechanism of delivering SCTs, but I could
> be wrong.

We support this mechanism too, although I don't think any of our
customers are using it yet.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Eran Messeri

unread,
Mar 6, 2015, 8:29:11 AM3/6/15
to certificate-...@googlegroups.com
To highlight an underused feature in the CT's open-source Python code, there's a tls_message package to convert between Protocol Buffer objects and the right TLS representation for them.
For example, to create the SCTList (assuming proto_scts contains instances of ct.proto.client_pb2.SignedCertificateTimestamp):

scts_for_cert = [tls_message.encode(proto_sct) for proto_sct in proto_scts]
sct_list = ct.proto.client_pb2.SignedCertificateTimestampList()
sct_list.sct_list.extend(scts_for_cert)
sct_list_tls = tls_message.encode(sct_list)

Eran


--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply all
Reply to author
Forward
0 new messages