0

Hello I implemented this library (https://github.com/babylonhealth/certificate-transparency-android) with okhttp/certificate pinning (using TrustKit) the problem is that i received an error even tho the hostname has the logs checking in Google report and there is a CT's log im using the following config:

certificateTransparencyInterceptor {
        +"*.myhostname.io"
        failOnError = false
        logger = BasicAndroidCTLogger(BuildConfig.DEBUG)
    }

but I receive from logcat CertificateTransparency: domain.myhostname.io Failure: No certificates the okHttp is like this:

okHttpBuilder.addInterceptor(authInterceptor)
        .sslSocketFactory(OkHttp3Helper.getSSLSocketFactory(), OkHttp3Helper.getTrustManager())
        .addInterceptor(OkHttp3Helper.getPinningInterceptor())
        .addNetworkInterceptor(getCertificateTransparencyInterceptor())
        .sslSocketFactory(certificatePinning.getSSLSocketFactory(),
            certificatePinning.getTrustManager())
        .followRedirects(false)
        .followSslRedirects(false)
        .build()

im adding the intereptor in .addNetworkInterceptor the certificate is logged by google_xenon2021and cloudflare_nimbus2021 and they are in the default list https://www.gstatic.com/ct/log_list/log_list.json

I'm trying to figure out what the problem is but I have no idea,

Javier
  • 1,469
  • 2
  • 20
  • 38

1 Answers1

0

At the moment the CT library (now hosted at https://github.com/appmattus/certificatetransparency/) only supports retrieving SCTs (Signed Certificate Timestamp) that are embedded in the certificate as an X.509v3 extension.

So if your domain is providing them through a TLS extension then the library will unfortunately not work.

You should be able to check by looking at your certificates details in your web browser and looking for an Embedded Signed Certificate Timestamp List entry:

Embedded Signed Certificate Timestamp List

appmattus
  • 2,788
  • 25
  • 16