/**
* Construct LogSignatureVerifiers for each of the trusted CT logs.
*
* @throws InvalidKeySpecException the CT log key isn't RSA or EC, the key is probably corrupt.
* @throws NoSuchAlgorithmException the crypto provider couldn't supply the hashing algorithm or
* the key algorithm. This probably means you are using an ancient or bad crypto provider.
*/
private void buildLogSignatureVerifiers()
{
MessageDigest hasher = MessageDigest.GetInstance(LOG_ID_HASH_ALGORITHM);
foreach (string trustedLogKey in TRUSTED_LOG_KEYS)
{
hasher.Reset();
byte[] keyBytes = Base64.Decode(trustedLogKey);
string logId = Base64.ToBase64String(hasher.Digest(keyBytes));
KeyFactory keyFactory = KeyFactory.GetInstance(determineKeyAlgorithm(keyBytes));
var publicKey = keyFactory.GeneratePublic(new X509EncodedKeySpec(keyBytes));
verifiers.Add(logId, new LogSignatureVerifier(new LogInfo(publicKey)));
}
}
/**
* Check if the certificates provided by a server contain Signed Certificate Timestamps from a
* trusted CT log.
*
* @param certificates the certificate chain provided by the server
* @return true if the certificates can be trusted, false otherwise.
*/
private bool isGood(Certificate[] certificates)
{
if (!(certificates[0] is X509Certificate))
{
c.WriteLine(" This test only supports SCTs carried in X509 certificates, of which there are none.");
return(false);
}
Certificate leafCertificate = certificates[0];
if (!CertificateInfo.HasEmbeddedSCT(leafCertificate))
{
c.WriteLine(" This certificate does not have any Signed Certificate Timestamps in it.");
return(false);
}
try
{
List <SignedCertificateTimestamp> sctsInCertificate = parseSCTsFromCert((X509Certificate)leafCertificate);
if (sctsInCertificate.Count < MIN_VALID_SCTS)
{
c.WriteLine(
" Too few SCTs are present, I want at least "
+ MIN_VALID_SCTS
+ " CT logs to vouch for this certificate.");
return(false);
}
List <X509Certificate> certificateList = certificates.OfType <X509Certificate>().ToList();// new List<X509Certificate>(certificates);
int validSctCount = 0;
foreach (SignedCertificateTimestamp sct in sctsInCertificate)
{
string logId = Base64.ToBase64String(sct.Id.KeyId.ToByteArray());
if (verifiers.ContainsKey(logId))
{
c.WriteLine(" SCT trusted log " + logId);
if (verifiers[logId].VerifySignature(sct, certificateList))
{
++validSctCount;
}
}
else
{
c.WriteLine(" SCT untrusted log " + logId);
}
}
if (validSctCount < MIN_VALID_SCTS)
{
c.WriteLine(
" Too few SCTs are present, I want at least "
+ MIN_VALID_SCTS
+ " CT logs to vouch for this certificate.");
}
return(validSctCount >= MIN_VALID_SCTS);
}
catch (IOException e)
{
if (VERBOSE)
{
e.PrintStackTrace();
}
return(false);
}
}
