chifflier
commented
1 year ago Indeed, rfc9162 describes the structure of TransItem and SignedCertificateTimestampDataV2 and even if they look mostly compatible with v1, this may require changes to make it easier to support multiple versions. As this may need some refactoring, I'm planning it to the next feature release.
Note: if someone has example data please add or link them to this issue, thanks!
NOT A CONTRIBUTION
The
SignedCertificateTimestampvalue parses the whole thing regardless of the version number. RFC 6962 only defines what V1 looks like. The comparable OpenSSL struct has a field that contains the raw encoded SCT in the event that the version is not V1, and only fills in the other fields for V1.Given that we don't know what V2 would look like, OpenSSL's approach of assuming that the only field we know will exist in V2 is the version field seems like the right approach. With the way x509-parser is doing it, if a V2 SCT ever shows up and cannot be decoded the way V1 is (which seems likely, otherwise why change the version), the entire list of SCTs will fail to parse.