Extract SCT from X509Certificate


Ankish Agarwal

May 8, 2018, 2:07:31 AM
to certificate-...@googlegroups.com

Hello Team,

We have implemented the Java API to get proof by hash. I understand that the hash here is a Base64 encoded sha256 hash of MerkleTreeLeaf (POJO).

We are struggling to create MerkleTreeLeaf because for that we would have to fetch SCT embedded as X509 v3 extensions.

I am unable to parse extension value (DER encoded octet string) of OID 1.3.6.1.4.1.11129.2.4.2. The support is not present in sun.security.x509 package.

Any help would be appreciated.

Regards,

Ankish

Tomas Gustavsson

May 13, 2018, 5:35:35 PM
to certificate-transparency

Here is some Java code that uses the BouncyCastle API, and the Google CT Java API to extract SCTs from a certificate extension into an array of Google CT API Ct.SignedCertificateTimestamp objects.

Regards,
Tomas

  // Imports assumed by the snippets below (package names as in the 2018 BouncyCastle and ctlog releases)
  import java.io.ByteArrayInputStream;
  import java.io.IOException;
  import java.security.cert.X509Certificate;
  import java.util.ArrayList;
  import java.util.List;
  import org.bouncycastle.asn1.ASN1OctetString;
  import org.bouncycastle.asn1.ASN1Primitive;
  import org.bouncycastle.asn1.DEROctetString;
  import org.bouncycastle.tls.TlsUtils;
  import org.certificatetransparency.ctlog.CTConstants;
  import org.certificatetransparency.ctlog.proto.Ct;
  import org.certificatetransparency.ctlog.serialization.Deserializer;

  private static Ct.SignedCertificateTimestamp[] extractSCTs(X509Certificate leafCert)
      throws IOException {
    // Raw value of extension 1.3.6.1.4.1.11129.2.4.2; null when the certificate carries no embedded SCTs
    byte[] bytes = leafCert.getExtensionValue(CTConstants.SCT_CERTIFICATE_OID);
    if (bytes == null) {
      return new Ct.SignedCertificateTimestamp[0];
    }
    // getExtensionValue() returns the extension wrapped in an OCTET STRING; the extension
    // itself is another OCTET STRING holding the TLS-encoded SignedCertificateTimestampList
    ASN1Primitive p = ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(bytes).getOctets());
    DEROctetString o = (DEROctetString) p;
    // These are serialized SCTs, we must de-serialize them into an array
    return parseSCTsFromCert(o.getOctets());
  }

  private static Ct.SignedCertificateTimestamp[] parseSCTsFromCert(byte[] extensionvalue)
      throws IOException {
    List<Ct.SignedCertificateTimestamp> sctList = new ArrayList<Ct.SignedCertificateTimestamp>();
    ByteArrayInputStream bis = new ByteArrayInputStream(extensionvalue);
    // first uint16 is the length of all SCTs concatenated, we don't actually need this
    TlsUtils.readUint16(bis);
    while (bis.available() > 2) {
      // each SCT is a TLS opaque<1..2^16-1>: uint16 length followed by the SCT bytes
      byte[] sctBytes = TlsUtils.readOpaque16(bis);
      sctList.add(Deserializer.parseSCTFromBinary(new ByteArrayInputStream(sctBytes)));
    }
    return sctList.toArray(new Ct.SignedCertificateTimestamp[sctList.size()]);
  }

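A stand-alone parser for the same extension layout that the Java above unwraps (OCTET STRING, inner OCTET STRING, then the TLS SignedCertificateTimestampList), as an added example that is not from the thread or the ctlog project; it is written in Python rather than Java so it runs without BouncyCastle, and the extension value it parses is constructed inline, not taken from a real certificate.

```python
import struct
from dataclasses import dataclass
# Value of extension 1.3.6.1.4.1.11129.2.4.2 as getExtensionValue() returns it (RFC 6962 s.3.3):
# OCTET STRING { OCTET STRING { TLS-encoded SignedCertificateTimestampList } }.
@dataclass
class SCT:
    version: int          # 0 = v1
    log_id: bytes         # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int     # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int         # TLS HashAlgorithm, 4 = sha256
    sig_alg: int          # TLS SignatureAlgorithm, 3 = ecdsa
    signature: bytes
def der_octet_string(data: bytes) -> bytes:
    """Unwrap one DER OCTET STRING (tag 0x04) with a short- or long-form length."""
    if not data or data[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    length, pos = data[1], 2
    if length & 0x80:  # long form: 0x8N, then N big-endian length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if pos + length != len(data):
        raise ValueError("OCTET STRING length does not match data")
    return data[pos:pos + length]
def parse_sct(buf: bytes) -> SCT:
    """Decode one SignedCertificateTimestamp (the job of Deserializer.parseSCTFromBinary)."""
    version, log_id, ts = buf[0], buf[1:33], struct.unpack(">Q", buf[33:41])[0]
    pos = 43 + struct.unpack(">H", buf[41:43])[0]  # skip CT extensions (opaque<0..2^16-1>)
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", buf[pos:pos + 4])
    if pos + 4 + sig_len != len(buf):
        raise ValueError("malformed SCT: signature length does not match")
    return SCT(version, log_id, ts, buf[43:pos], hash_alg, sig_alg, buf[pos + 4:])
def parse_sct_extension(ext_value: bytes) -> list:
    """Pure-Python equivalent of the BouncyCastle unwrap plus parseSCTsFromCert above."""
    tls = der_octet_string(der_octet_string(ext_value))
    if struct.unpack(">H", tls[:2])[0] != len(tls) - 2:  # leading uint16 = total list length
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(tls):  # each entry is opaque<1..2^16-1>, like TlsUtils.readOpaque16
        n = struct.unpack(">H", tls[pos:pos + 2])[0]
        scts.append(parse_sct(tls[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts
# Constructed sample, not from a real certificate: two v1 SCTs with dummy log IDs and signatures.
def _sct(log_id: bytes, ts: int, sig: bytes) -> bytes:
    return b"\x00" + log_id + struct.pack(">QHBBH", ts, 0, 4, 3, len(sig)) + sig
def _der_wrap(d: bytes) -> bytes:  # short form below 128 bytes, else one length byte (0x81)
    return (bytes([0x04, len(d)]) if len(d) < 128 else bytes([0x04, 0x81, len(d)])) + d
_SCTS = [_sct(b"\x11" * 32, 1525737000000, b"\xaa" * 8), _sct(b"\x22" * 32, 1525737001000, b"\xbb" * 70)]
SAMPLE_EXT = _der_wrap(_der_wrap(struct.pack(">H", sum(2 + len(s) for s in _SCTS)) + b"".join(struct.pack(">H", len(s)) + s for s in _SCTS)))
```

Each decoded SCT's fields are exactly what goes into the MerkleTreeLeaf timestamp and the log lookup, and a truncated or length-inconsistent extension is rejected rather than silently yielding a partial list.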
Ankish Agarwal

May 14, 2018, 12:41:27 AM
to certificate-...@googlegroups.com

Thanks Tomas

Regards,

Ankish
