/** * Construct LogSignatureVerifiers for each of the trusted CT logs. * * @throws InvalidKeySpecException the CT log key isn't RSA or EC, the key is probably corrupt. * @throws NoSuchAlgorithmException the crypto provider couldn't supply the hashing algorithm or * the key algorithm. This probably means you are using an ancient or bad crypto provider. */ private void buildLogSignatureVerifiers() { MessageDigest hasher = MessageDigest.GetInstance(LOG_ID_HASH_ALGORITHM); foreach (string trustedLogKey in TRUSTED_LOG_KEYS) { hasher.Reset(); byte[] keyBytes = Base64.Decode(trustedLogKey); string logId = Base64.ToBase64String(hasher.Digest(keyBytes)); KeyFactory keyFactory = KeyFactory.GetInstance(determineKeyAlgorithm(keyBytes)); var publicKey = keyFactory.GeneratePublic(new X509EncodedKeySpec(keyBytes)); verifiers.Add(logId, new LogSignatureVerifier(new LogInfo(publicKey))); } }
/** * Check if the certificates provided by a server contain Signed Certificate Timestamps from a * trusted CT log. * * @param certificates the certificate chain provided by the server * @return true if the certificates can be trusted, false otherwise. */ private bool isGood(Certificate[] certificates) { if (!(certificates[0] is X509Certificate)) { c.WriteLine(" This test only supports SCTs carried in X509 certificates, of which there are none."); return(false); } Certificate leafCertificate = certificates[0]; if (!CertificateInfo.HasEmbeddedSCT(leafCertificate)) { c.WriteLine(" This certificate does not have any Signed Certificate Timestamps in it."); return(false); } try { List <SignedCertificateTimestamp> sctsInCertificate = parseSCTsFromCert((X509Certificate)leafCertificate); if (sctsInCertificate.Count < MIN_VALID_SCTS) { c.WriteLine( " Too few SCTs are present, I want at least " + MIN_VALID_SCTS + " CT logs to vouch for this certificate."); return(false); } List <X509Certificate> certificateList = certificates.OfType <X509Certificate>().ToList();// new List<X509Certificate>(certificates); int validSctCount = 0; foreach (SignedCertificateTimestamp sct in sctsInCertificate) { string logId = Base64.ToBase64String(sct.Id.KeyId.ToByteArray()); if (verifiers.ContainsKey(logId)) { c.WriteLine(" SCT trusted log " + logId); if (verifiers[logId].VerifySignature(sct, certificateList)) { ++validSctCount; } } else { c.WriteLine(" SCT untrusted log " + logId); } } if (validSctCount < MIN_VALID_SCTS) { c.WriteLine( " Too few SCTs are present, I want at least " + MIN_VALID_SCTS + " CT logs to vouch for this certificate."); } return(validSctCount >= MIN_VALID_SCTS); } catch (IOException e) { if (VERBOSE) { e.PrintStackTrace(); } return(false); } }