crypto/tls: add support for Certificate Transparency

This change adds support for serving and receiving Signed Certificate Timestamps as described in RFC 6962. The server is now capable of serving SCTs listed in the Certificate structure. The client now asks for SCTs and, if any are received, they are exposed in the ConnectionState structure. Fixes #10201 Change-Id: Ib3adae98cb4f173bc85cec04d2bdd3aa0fec70bb Reviewed-on: https://go-review.googlesource.com/8988 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
2025-04-03 20:17:36 +03:00 · 2015-04-16 14:59:22 -04:00 · 2015-04-16 14:59:22 -04:00 · cf04082452
commit cf04082452
parent 06b29738e8
31 changed files with 1106 additions and 779 deletions
--- a/handshake_client.go
+++ b/handshake_client.go
@ -54,6 +54,7 @@ func (c *Conn) clientHandshake() error {
 		compressionMethods:  []uint8{compressionNone},
 		random:              make([]byte, 32),
 		ocspStapling:        true,
+		scts:                true,
 		serverName:          c.config.ServerName,
 		supportedCurves:     c.config.curvePreferences(),
 		supportedPoints:     []uint8{pointFormatUncompressed},
@ -522,6 +523,7 @@ func (hs *clientHandshakeState) processServerHello() (bool, error) {
 		c.clientProtocol = hs.serverHello.alpnProtocol
 		c.clientProtocolFallback = false
 	}
+	c.scts = hs.serverHello.scts

 	if hs.serverResumedSession() {
 		// Restore masterSecret and peerCerts from previous state