Add dev-roots feature for MTC log

lukevalenta · lukevalenta · commit 685c5a857d20 · 2025-09-29T13:07:39.000-04:00
diff --git a/crates/mtc_api/src/lib.rs b/crates/mtc_api/src/lib.rs
@@ -123,6 +123,14 @@ pub struct AddEntryResponse {
     pub timestamp: UnixTimestamp,
 }
 
+/// Get-roots response.
+#[serde_as]
+#[derive(Serialize)]
+pub struct GetRootsResponse {
+    #[serde_as(as = "Vec<Base64>")]
+    pub certificates: Vec<Vec<u8>>,
+}
+
 /// A wrapper around `TlogTilesPendingLogEntry` that supports auxiliary bootstrap data.
 #[derive(Deserialize, Serialize, Debug, Clone, PartialEq)]
 pub struct BootstrapMtcPendingLogEntry {
diff --git a/crates/mtc_worker/Cargo.toml b/crates/mtc_worker/Cargo.toml
@@ -11,6 +11,9 @@ description = "An implementation of a Merkle Tree Certificates CA on Cloudflare
 categories = ["cryptography"]
 keywords = ["certificate", "transparency", "crypto", "pki"]
 
+[features]
+dev-bootstrap-roots = []
+
 [package.metadata.release]
 release = false
 
diff --git a/crates/mtc_worker/dev-bootstrap-roots.pem b/crates/mtc_worker/dev-bootstrap-roots.pem
diff --git a/crates/mtc_worker/src/frontend_worker.rs b/crates/mtc_worker/src/frontend_worker.rs
@@ -21,7 +21,7 @@ use generic_log_worker::{
 };
 use mtc_api::{
     serialize_signatureless_cert, AddEntryRequest, AddEntryResponse, BootstrapMtcLogEntry,
-    LandmarkSequence, ID_RDNA_TRUSTANCHOR_ID, LANDMARK_KEY,
+    GetRootsResponse, LandmarkSequence, ID_RDNA_TRUSTANCHOR_ID, LANDMARK_KEY,
 };
 use p256::pkcs8::EncodePublicKey;
 use serde::{Deserialize, Serialize};
@@ -104,6 +104,14 @@ async fn main(req: Request, env: Env, _ctx: Context) -> Result<Response> {
             // Now that we've validated the log name, use an inner router to
             // handle the request.
             Router::with_data(name)
+                .get_async("/logs/:log/ct/v1/get-roots", |_req, ctx| async move {
+                    Response::from_json(&GetRootsResponse {
+                        certificates: x509_util::certs_to_bytes(
+                            &load_roots(&ctx.env, ctx.data).await?.certs,
+                        )
+                        .unwrap(),
+                    })
+                })
                 .post_async("/logs/:log/add-entry", |req, ctx| async move {
                     add_entry(req, &ctx.env, ctx.data).await
                 })
diff --git a/crates/mtc_worker/src/lib.rs b/crates/mtc_worker/src/lib.rs
@@ -120,9 +120,40 @@ async fn load_roots(env: &Env, name: &str) -> Result<&'static CertPool> {
                     .await?
                     .ok_or(format!("{name}: '{CCADB_ROOTS_FILENAME}' not found in KV"))?
             };
+
             pool.append_certs_from_pem(pem.as_bytes())
                 .map_err(|e| format!("failed to add CCADB certs to pool: {e}"))?;
 
+            // Add additional roots when the 'dev-bootstrap-roots' feature is
+            // enabled.
+            //
+            // A note on the differences between how roots are handled for the
+            // MTC vs CT applications:
+            //
+            // The purpose of CT is to observe certificates but not police them.
+            // As long as it's not a spam vector, we're generally willing to
+            // accept any root certificates that have been trusted by at least
+            // one major root program during the log shard's lifetime. Roots
+            // aren't removed from the list once they're added in order to keep
+            // a better record. We have the ability to add in custom roots from
+            // a per-environment roots file too, in order to support test CAs.
+            //
+            // For bootstrap MTC, the roots are meant to ensure that the log
+            // only accepts bootstrap MTC chains that will be trusted by Chrome,
+            // since Chrome might reject an entire batch of MTCs if there's a
+            // single untrusted entry. Thus, we want to keep the trusted roots
+            // as a subset of Chrome's trust store. We're using Mozilla's CRLite
+            // filters to check for revocation, so we need to be a subset of
+            // Mozilla's trust store too. When either root program stops
+            // trusting a root, we also need to remove it from our trust store.
+            // Given that, we gate the ability to add in custom roots behind the
+            // 'dev-bootstrap-roots' feature flag.
+            #[cfg(feature = "dev-bootstrap-roots")]
+            {
+                pool.append_certs_from_pem(include_bytes!("../dev-bootstrap-roots.pem"))
+                    .map_err(|e| format!("failed to add dev certs to pool: {e}"))?;
+            }
+
             Ok(pool)
         })
         .await
diff --git a/crates/x509_util/src/lib.rs b/crates/x509_util/src/lib.rs
@@ -104,8 +104,12 @@ impl CertPool {
     ///
     /// Returns an error if there are DER encoding issues.
     pub fn append_certs_from_pem(&mut self, input: &[u8]) -> Result<(), DerError> {
-        for cert in Certificate::load_pem_chain(input)? {
-            self.add_cert(cert)?;
+        // Until next x509-cert release, load_pem_chain doesn't support an empty
+        // input: https://github.com/RustCrypto/formats/pull/1965
+        if !input.is_empty() {
+            for cert in Certificate::load_pem_chain(input)? {
+                self.add_cert(cert)?;
+            }
         }
         Ok(())
     }
