RTG-3686: Add WASM-compatible SCT validation with Chrome CT policy support

Adds sct_validator crate for validating Signed Certificate Timestamps (SCTs)
embedded in X.509 certificates, targeting WASM environments.

Key features:
- Chrome CT policy compliance (2-3 logs based on cert lifetime, 2 operators)
- ECDSA P-256 and RSA signature verification
- CT log list parsing from Google's JSON format
- Stale log list handling (auto-succeed after 70 days per Chrome policy)

Integration:
- New cron job fetches CT log list from Google
- Frontend validates SCTs when enable_sct_validation=true

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: lbaquerofierro

Cargo.lock

@@ -90,6 +90,13 @@ x509-verify = { version = "0.4.4", features = [
     "pem",
 ] }
 x509_util = { path = "crates/x509_util" }
+sct_validator = { path = "crates/sct_validator" }
+
+# sct_validator dependencies
+rsa = { version = "0.9", default-features = false, features = ["sha2"] }
+hashbrown = "0.15"
+spki = "0.7"
+const-oid = "0.9.6"
 
 [patch.crates-io]
 der = { git = "https://github.com/lukevalenta/formats", branch = "relative-oid-tag-v0.7.10" }

Cargo.toml

@@ -64,6 +64,7 @@ worker.workspace = true
 x509-cert.workspace = true
 x509_util.workspace = true
 mtc_api.workspace = true
+sct_validator.workspace = true
 
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = [

crates/mtc_worker/Cargo.toml

@@ -99,6 +99,11 @@
                             "minimum": 1,
                             "default": 60,
                             "description": "How long to wait in between runs of the partial tile cleaner."
+                        },
+                        "enable_sct_validation": {
+                            "type": "boolean",
+                            "default": false,
+                            "description": "Enable SCT (Signed Certificate Timestamp) validation for bootstrap certificates. When enabled, submitted certificates must have valid embedded SCTs compliant with Chrome's CT policy."
                         }
                     },
                     "required": [

crates/mtc_worker/config.schema.json

@@ -37,6 +37,9 @@ pub struct LogParams {
     pub max_batch_entries: usize,
     #[serde(default = "default_u64::<60>")]
     pub clean_interval_secs: u64,
+    /// Enable SCT validation for bootstrap certificates
+    #[serde(default)]
+    pub enable_sct_validation: bool,
 }
 
 impl LogParams {

crates/mtc_worker/config/src/lib.rs

@@ -24,18 +24,30 @@ pub(crate) const CCADB_ROOTS_FILENAME: &str = "mtc_bootstrap_roots.pem";
 
 #[event(scheduled)]
 async fn main(_event: ScheduledEvent, env: Env, _ctx: ScheduleContext) {
+    // Update CCADB roots
     log::info!("Updating CCADB roots");
-    let kv = match env.kv(CCADB_ROOTS_NAMESPACE) {
-        Ok(kv) => kv,
-        Err(e) => {
-            log::warn!("Failed to get KV namespace '{CCADB_ROOTS_NAMESPACE}': {e}");
-            return;
+    match env.kv(CCADB_ROOTS_NAMESPACE) {
+        Ok(kv) => {
+            if let Err(e) = update_ccadb_roots(&kv).await {
+                log::warn!("Failed to update CCADB roots: {e}");
+            } else {
+                log::info!("Successfully updated CCADB roots");
+            }
         }
-    };
-    if let Err(e) = update_ccadb_roots(&kv).await {
-        log::warn!("Failed to update CCADB roots: {e}");
-    } else {
-        log::info!("Successfully updated CCADB roots");
+        Err(e) => log::warn!("Failed to get KV namespace '{CCADB_ROOTS_NAMESPACE}': {e}"),
+    }
+
+    // Update CT logs for SCT validation
+    log::info!("Updating CT logs");
+    match env.kv(crate::ct_logs_cron::CT_LOGS_NAMESPACE) {
+        Ok(kv) => match crate::ct_logs_cron::update_ct_logs(&kv).await {
+            Ok(_) => log::info!("Successfully updated CT logs"),
+            Err(e) => log::warn!("Failed to update CT logs: {e}"),
+        },
+        Err(e) => log::warn!(
+            "Failed to get KV namespace '{}': {e}",
+            crate::ct_logs_cron::CT_LOGS_NAMESPACE
+        ),
     }
 }
 

crates/mtc_worker/src/ccadb_roots_cron.rs

@@ -0,0 +1,60 @@
+// Copyright (c) 2025 Cloudflare, Inc.
+// Licensed under the BSD-3-Clause license found in the LICENSE file or at https://opensource.org/licenses/BSD-3-Clause
+
+//! Cron job to fetch CT log list from Google. Same pattern as ccadb_roots_cron.
+
+use sct_validator::CtLogList;
+use worker::{kv::KvStore, Env, Fetch, Headers, Method, Request, RequestInit, Result};
+
+pub(crate) const CT_LOGS_NAMESPACE: &str = "ct_logs";
+pub(crate) const CT_LOGS_FILENAME: &str = "ct_log_list.json";
+const CT_LOG_LIST_URL: &str = "https://www.gstatic.com/ct/log_list/v3/log_list.json";
+
+pub(crate) async fn update_ct_logs(kv: &KvStore) -> Result<()> {
+    log::info!("Fetching CT log list from Google");
+
+    let headers = Headers::new();
+    headers.set("User-Agent", "Cloudflare MTCA (ct-logs@cloudflare.com)")?;
+
+    let req = Request::new_with_init(
+        CT_LOG_LIST_URL,
+        &RequestInit {
+            method: Method::Get,
+            headers,
+            ..Default::default()
+        },
+    )?;
+
+    let resp_bytes = Fetch::Request(req).send().await?.bytes().await?;
+
+    // Validate before storing
+    let log_list = CtLogList::from_chrome_log_list(&resp_bytes)
+        .map_err(|e| format!("Failed to parse CT log list: {e}"))?;
+
+    log::info!(
+        "Parsed {} CT logs (timestamp: {})",
+        log_list.logs.len(),
+        log_list.log_list_timestamp
+    );
+
+    kv.put_bytes(CT_LOGS_FILENAME, &resp_bytes)?.execute().await?;
+    Ok(())
+}
+
+pub(crate) async fn load_ct_logs(env: &Env) -> Result<CtLogList> {
+    let kv = env.kv(CT_LOGS_NAMESPACE)?;
+
+    let json_bytes = if let Some(bytes) = kv.get(CT_LOGS_FILENAME).bytes().await? {
+        bytes
+    } else {
+        log::info!("CT log list not found in KV, fetching...");
+        update_ct_logs(&kv).await?;
+        kv.get(CT_LOGS_FILENAME)
+            .bytes()
+            .await?
+            .ok_or("CT log list not found after update")?
+    };
+
+    CtLogList::from_chrome_log_list(&json_bytes)
+        .map_err(|e| format!("Failed to parse CT log list from KV: {e}").into())
+}

crates/mtc_worker/src/ct_logs_cron.rs

@@ -12,9 +12,10 @@ use generic_log_worker::{
     batcher_id_from_lookup_key, deserialize, get_durable_object_stub, init_logging,
     load_public_bucket,
     log_ops::{prove_subtree_inclusion, read_leaf, ProofError, CHECKPOINT_KEY},
+    obs::Wshim,
     serialize,
     util::now_millis,
-    ObjectBackend, ObjectBucket, ENTRY_ENDPOINT, METRICS_ENDPOINT,
+    ObjectBackend, ObjectBucket, ENTRY_ENDPOINT,
 };
 use mtc_api::{
     serialize_signatureless_cert, AddEntryRequest, AddEntryResponse, BootstrapMtcLogEntry,
@@ -86,9 +87,10 @@ fn start() {
 ///
 /// Panics if there are issues parsing route parameters, which should never happen.
 #[event(fetch, respond_with_errors)]
-async fn main(req: Request, env: Env, _ctx: Context) -> Result<Response> {
+async fn main(req: Request, env: Env, ctx: Context) -> Result<Response> {
+    let wshim = Wshim::from_env(&env);
     // Use an outer router as middleware to check that the log name is valid.
-    Router::new()
+    let response = Router::new()
         .or_else_any_method_async("/logs/:log/*route", |req, ctx| async move {
             let name = if let Some(name) = ctx.param("log") {
                 if CONFIG.logs.contains_key(name) {
@@ -216,18 +218,6 @@ async fn main(req: Request, env: Env, _ctx: Context) -> Result<Response> {
                         },
                     })
                 })
-                .get_async("/logs/:log/metrics", |_req, ctx| async move {
-                    let name = ctx.data;
-                    let stub = get_durable_object_stub(
-                        &ctx.env,
-                        name,
-                        None,
-                        "SEQUENCER",
-                        CONFIG.logs[name].location_hint.as_deref(),
-                    )?;
-                    stub.fetch_with_str(&format!("http://fake_url.com{METRICS_ENDPOINT}"))
-                        .await
-                })
                 .get("/logs/:log/sequencer_id", |_req, ctx| {
                     // Print out the Durable Object ID of the sequencer to allow
                     // looking it up in internal Cloudflare dashboards. This
@@ -280,7 +270,11 @@ async fn main(req: Request, env: Env, _ctx: Context) -> Result<Response> {
                 log::warn!("Internal error: {e}");
                 Response::error("Internal error", 500)
             }
-        })
+        });
+    if let Ok(wshim) = wshim {
+        ctx.wait_until(async move { wshim.flush(&generic_log_worker::obs::logs::LOGGER).await });
+    }
+    response
 }
 
 #[allow(clippy::too_many_lines)]
@@ -323,6 +317,42 @@ async fn add_entry(mut req: Request, env: &Env, name: &str) -> Result<Response>
             }
         };
 
+    // SCT validation (if enabled for this log shard)
+    if params.enable_sct_validation {
+        use crate::ct_logs_cron::load_ct_logs;
+        use sct_validator::{SctValidationResult, SctValidator};
+
+        // Load the CT log list from KV
+        let ct_logs = load_ct_logs(env).await?;
+        let validator = SctValidator::new(ct_logs);
+
+        // Get leaf and issuer DER for SCT validation
+        // TODO: Handle single-cert chains where root directly signs leaf (issuer not in chain)
+        let leaf_der = req.chain.first().ok_or("Chain is empty")?;
+        let issuer_der = req.chain.get(1).ok_or("Chain must have at least 2 certificates")?;
+
+        let validation_time_secs = now_millis() / 1000;
+
+        match validator.validate_embedded_scts(leaf_der, issuer_der, validation_time_secs) {
+            Ok(SctValidationResult::Valid) => {
+                log::info!("{name}: SCT validation passed");
+            }
+            Ok(SctValidationResult::ValidWithWarnings(warnings)) => {
+                log::info!("{name}: SCT validation passed with {} warnings", warnings.len());
+                for warning in &warnings {
+                    log::debug!("{name}: SCT warning: {:?}", warning);
+                }
+            }
+            Ok(SctValidationResult::StaleLogList) => {
+                log::warn!("{name}: SCT validation skipped (stale log list)");
+            }
+            Err(e) => {
+                log::warn!("{name}: SCT validation failed: {e}");
+                return Response::error(format!("SCT validation failed: {e}"), 400);
+            }
+        }
+    }
+
     // Retrieve the sequenced entry for this pending log entry by sending a request to the DO to
     // sequence the entry.
     let lookup_key = pending_entry.lookup_key();

crates/mtc_worker/src/frontend_worker.rs

@@ -21,6 +21,7 @@ use x509_util::CertPool;
 mod batcher_do;
 mod ccadb_roots_cron;
 mod cleaner_do;
+mod ct_logs_cron;
 mod frontend_worker;
 mod sequencer_do;
 

crates/mtc_worker/src/lib.rs

@@ -0,0 +1,27 @@
+# Copyright (c) 2025 Cloudflare, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause
+
+[package]
+name = "sct_validator"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "WASM-compatible SCT (Signed Certificate Timestamp) validation for CT compliance"
+
+[dependencies]
+base64.workspace = true
+chrono.workspace = true
+const-oid = "0.9.6"
+der.workspace = true
+hashbrown = "0.15"
+log.workspace = true
+p256.workspace = true
+rsa = { version = "0.9", default-features = false, features = ["sha2"] }
+serde.workspace = true
+serde_json.workspace = true
+sha2.workspace = true
+signature.workspace = true
+spki = "0.7"
+thiserror.workspace = true
+x509-cert = { version = "0.2.5", features = ["sct"] }