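        /**
         * Check if the certificates provided by a server contain Signed Certificate Timestamps from a
         * trusted CT log.
         *
         * The leaf certificate must carry at least MIN_VALID_SCTS embedded SCTs, and at least
         * MIN_VALID_SCTS of them must verify against a log present in the verifiers table. Each log
         * is counted once, so several SCTs issued by the same log never add up to more than one
         * vouching log.
         *
         * @param certificates the certificate chain provided by the server, leaf first. A null or
         *        empty chain, or a leaf that is not an X509 certificate, is rejected.
         * @return true if the certificates can be trusted, false otherwise.
         */
        private bool isGood(Certificate[] certificates)
        {
            // Fail closed on a null/empty chain instead of throwing from the indexer.
            X509Certificate leafCertificate = (certificates == null || certificates.Length == 0)
                ? null
                : certificates[0] as X509Certificate;
            if (leafCertificate == null)
            {
                c.WriteLine("  This test only supports SCTs carried in X509 certificates, of which there are none.");
                return false;
            }

            if (!CertificateInfo.HasEmbeddedSCT(leafCertificate))
            {
                c.WriteLine("  This certificate does not have any Signed Certificate Timestamps in it.");
                return false;
            }

            // Both shortfall paths below report the same message.
            string tooFewMessage = "  Too few SCTs are present, I want at least "
                + MIN_VALID_SCTS
                + " CT logs to vouch for this certificate.";

            try
            {
                List<SignedCertificateTimestamp> sctsInCertificate = parseSCTsFromCert(leafCertificate);
                if (sctsInCertificate.Count < MIN_VALID_SCTS)
                {
                    c.WriteLine(tooFewMessage);
                    return false;
                }

                // Only X509 entries take part in signature verification; other chain entries are dropped.
                List<X509Certificate> certificateList = certificates.OfType<X509Certificate>().ToList();

                // Distinct log IDs whose SCT verified. Counting logs rather than SCTs means a repeated
                // SCT from a single log cannot on its own reach the MIN_VALID_SCTS threshold.
                HashSet<string> vouchingLogs = new HashSet<string>();
                foreach (SignedCertificateTimestamp sct in sctsInCertificate)
                {
                    string logId = Base64.ToBase64String(sct.Id.KeyId.ToByteArray());
                    if (!verifiers.ContainsKey(logId))
                    {
                        c.WriteLine("  SCT untrusted log " + logId);
                        continue;
                    }

                    c.WriteLine("  SCT trusted log " + logId);
                    if (verifiers[logId].VerifySignature(sct, certificateList))
                    {
                        vouchingLogs.Add(logId);
                    }
                }

                int validSctCount = vouchingLogs.Count;
                if (validSctCount < MIN_VALID_SCTS)
                {
                    c.WriteLine(tooFewMessage);
                }
                return validSctCount >= MIN_VALID_SCTS;
            }
            catch (IOException e)
            {
                // A malformed SCT extension is a rejection, not a crash; the details go to the same
                // output as every other diagnostic, and only when verbose output is requested.
                if (VERBOSE)
                {
                    c.WriteLine(e.ToString());
                }
                return false;
            }
        }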