RTG-3686: Add WASM-compatible SCT validation with Chrome CT policy

support

- Add `sct_validator` crate for validating Signed Certificate Timestamps (SCTs) embedded in certificates
- Implement Chrome's Certificate Transparency policy requirements
- Integrate optional SCT validation into the mtc_worker submission flow
- Add cron job to fetch and cache Google's CT log list

A WASM-compatible SCT validation library that implements Chrome's CT policy:
- Certificates ≤ 180 days require 2 SCTs from unique logs
- Certificates > 180 days require 3 SCTs from unique logs
- Always requires SCTs from 2 different log operators
- Handles log states: Qualified, Usable, ReadOnly (rejects Pending/Retired)
- Auto-succeeds if log list is stale (> 70 days old)
(based on concert: https://gitlab.cfdata.org/cloudflare/crypto/concert)

- New `ct_logs_cron.rs`: Fetches Chrome's CT log list and caches in KV
- New config option `enable_sct_validation` (default: false)
- Frontend validates embedded SCTs before accepting certificates when enabled
- Added `ct_logs` KV namespace binding in wrangler.jsonc

- Replace unstable `is_multiple_of()` with `% 32 != 0` in generic_log_worker for stable Rust compatibility

Author: lbaquerofierro

Cargo.lock

@@ -90,6 +90,13 @@ x509-verify = { version = "0.4.4", features = [
     "pem",
 ] }
 x509_util = { path = "crates/x509_util" }
+sct_validator = { path = "crates/sct_validator" }
+
+# sct_validator dependencies
+rsa = { version = "0.9", default-features = false, features = ["sha2"] }
+hashbrown = "0.15"
+spki = "0.7"
+const-oid = "0.9.6"
 
 [patch.crates-io]
 der = { git = "https://github.com/lukevalenta/formats", branch = "relative-oid-tag-v0.7.10" }

Cargo.toml

@@ -64,6 +64,7 @@ worker.workspace = true
 x509-cert.workspace = true
 x509_util.workspace = true
 mtc_api.workspace = true
+sct_validator.workspace = true
 
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = [

crates/mtc_worker/Cargo.toml

@@ -15,7 +15,8 @@
             "submission_url": "http://localhost:8787/logs/dev2/",
             "location_hint": "enam",
             "max_certificate_lifetime_secs": 100,
-            "landmark_interval_secs": 10
+            "landmark_interval_secs": 10,
+            "enable_sct_validation": true
         }
     }
 }

crates/mtc_worker/config.dev.json

@@ -99,6 +99,11 @@
                             "minimum": 1,
                             "default": 60,
                             "description": "How long to wait in between runs of the partial tile cleaner."
+                        },
+                        "enable_sct_validation": {
+                            "type": "boolean",
+                            "default": false,
+                            "description": "Enable SCT (Signed Certificate Timestamp) validation for bootstrap certificates. When enabled, submitted certificates must have valid embedded SCTs compliant with Chrome's CT policy."
                         }
                     },
                     "required": [

crates/mtc_worker/config.schema.json

@@ -37,6 +37,9 @@ pub struct LogParams {
     pub max_batch_entries: usize,
     #[serde(default = "default_u64::<60>")]
     pub clean_interval_secs: u64,
+    /// Enable SCT validation for bootstrap certificates
+    #[serde(default)]
+    pub enable_sct_validation: bool,
 }
 
 impl LogParams {

crates/mtc_worker/config/src/lib.rs

@@ -37,6 +37,23 @@ async fn main(_event: ScheduledEvent, env: Env, _ctx: ScheduleContext) {
     } else {
         log::info!("Successfully updated CCADB roots");
     }
+
+    // Update CT logs for SCT validation
+    log::info!("Updating CT logs");
+    let ct_kv = match env.kv(crate::ct_logs_cron::CT_LOGS_NAMESPACE) {
+        Ok(kv) => kv,
+        Err(e) => {
+            log::warn!(
+                "Failed to get KV namespace '{}': {e}",
+                crate::ct_logs_cron::CT_LOGS_NAMESPACE
+            );
+            return;
+        }
+    };
+    match crate::ct_logs_cron::update_ct_logs(&ct_kv).await {
+        Ok(_) => log::info!("Successfully updated CT logs"),
+        Err(e) => log::warn!("Failed to update CT logs: {e}"),
+    }
 }
 
 /// Update CCADB roots at each of the provided keys. Roots are pruned to match

crates/mtc_worker/src/ccadb_roots_cron.rs

@@ -0,0 +1,73 @@
+// Copyright (c) 2025 Cloudflare, Inc.
+// Licensed under the BSD-3-Clause license found in the LICENSE file or at https://opensource.org/licenses/BSD-3-Clause
+
+//! Cron job to fetch CT log list from Google. Same pattern as ccadb_roots_cron.
+
+use sct_validator::CtLogList;
+use worker::{kv::KvStore, Env, Fetch, Headers, Method, Request, RequestInit, Result};
+
+/// KV namespace binding for CT logs.
+/// Must be configured in wrangler.jsonc.
+pub(crate) const CT_LOGS_NAMESPACE: &str = "ct_logs";
+
+/// Key for the CT log list in KV.
+pub(crate) const CT_LOGS_FILENAME: &str = "ct_log_list.json";
+
+/// URL for Chrome's CT log list.
+const CT_LOG_LIST_URL: &str = "https://www.gstatic.com/ct/log_list/v3/log_list.json";
+
+/// Fetches and stores the CT log list in KV.
+pub(crate) async fn update_ct_logs(kv: &KvStore) -> Result<()> {
+    log::info!("Fetching CT log list from Google");
+
+    let headers = Headers::new();
+    headers.set("User-Agent", "Cloudflare MTCA (ct-logs@cloudflare.com)")?;
+
+    let req = Request::new_with_init(
+        CT_LOG_LIST_URL,
+        &RequestInit {
+            method: Method::Get,
+            headers,
+            ..Default::default()
+        },
+    )?;
+
+    let resp_bytes = Fetch::Request(req).send().await?.bytes().await?;
+
+    // Validate that we can parse the log list before storing
+    let log_list = CtLogList::from_chrome_log_list(&resp_bytes)
+        .map_err(|e| format!("Failed to parse CT log list: {e}"))?;
+
+    log::info!(
+        "Parsed {} CT logs from log list (timestamp: {})",
+        log_list.logs.len(),
+        log_list.log_list_timestamp
+    );
+
+    // Store the raw JSON bytes (we'll parse them again on load for freshness check)
+    kv.put_bytes(CT_LOGS_FILENAME, &resp_bytes)?.execute().await?;
+
+    log::info!("Successfully stored CT log list in KV");
+
+    Ok(())
+}
+
+/// Loads CT log list from KV, fetching if not present.
+pub(crate) async fn load_ct_logs(env: &Env) -> Result<CtLogList> {
+    let kv = env.kv(CT_LOGS_NAMESPACE)?;
+
+    let json_bytes = if let Some(bytes) = kv.get(CT_LOGS_FILENAME).bytes().await? {
+        bytes
+    } else {
+        // Log list doesn't exist, fetch it now
+        log::info!("CT log list not found in KV, fetching...");
+        update_ct_logs(&kv).await?;
+        kv.get(CT_LOGS_FILENAME)
+            .bytes()
+            .await?
+            .ok_or("CT log list not found after update")?
+    };
+
+    CtLogList::from_chrome_log_list(&json_bytes)
+        .map_err(|e| format!("Failed to parse CT log list from KV: {e}").into())
+}

crates/mtc_worker/src/ct_logs_cron.rs

@@ -317,6 +317,41 @@ async fn add_entry(mut req: Request, env: &Env, name: &str) -> Result<Response>
             }
         };
 
+    // SCT validation (if enabled for this log shard)
+    if params.enable_sct_validation {
+        use crate::ct_logs_cron::load_ct_logs;
+        use sct_validator::{SctValidationResult, SctValidator};
+
+        // Load the CT log list from KV
+        let ct_logs = load_ct_logs(env).await?;
+        let validator = SctValidator::new(ct_logs);
+
+        // Get leaf and issuer DER for SCT validation
+        let leaf_der = &req.chain[0];
+        let issuer_der = req.chain.get(1).ok_or("Chain must have at least 2 certificates for SCT validation")?;
+
+        let validation_time_secs = now_millis() / 1000;
+
+        match validator.validate_embedded_scts(leaf_der, issuer_der, validation_time_secs) {
+            Ok(SctValidationResult::Valid) => {
+                log::info!("{name}: SCT validation passed");
+            }
+            Ok(SctValidationResult::ValidWithWarnings(warnings)) => {
+                log::info!("{name}: SCT validation passed with {} warnings", warnings.len());
+                for warning in &warnings {
+                    log::debug!("{name}: SCT warning: {:?}", warning);
+                }
+            }
+            Ok(SctValidationResult::StaleLogList) => {
+                log::warn!("{name}: SCT validation skipped (stale log list)");
+            }
+            Err(e) => {
+                log::warn!("{name}: SCT validation failed: {e}");
+                return Response::error(format!("SCT validation failed: {e}"), 400);
+            }
+        }
+    }
+
     // Retrieve the sequenced entry for this pending log entry by sending a request to the DO to
     // sequence the entry.
     let lookup_key = pending_entry.lookup_key();

crates/mtc_worker/src/frontend_worker.rs

@@ -21,6 +21,7 @@ use x509_util::CertPool;
 mod batcher_do;
 mod ccadb_roots_cron;
 mod cleaner_do;
+mod ct_logs_cron;
 mod frontend_worker;
 mod sequencer_do;