RTG-3686: Add WASM-compatible SCT validation with Chrome CT policy support

Adds sct_validator crate for validating Signed Certificate Timestamps (SCTs)
embedded in X.509 certificates, targeting WASM environments.

Key features:
- Chrome CT policy compliance (2-3 logs based on cert lifetime, 2 operators)
- ECDSA P-256 and RSA signature verification
- CT log list parsing from Google's JSON format
- Stale log list handling (auto-succeed after 70 days per Chrome policy)

Integration:
- New cron job fetches CT log list from Google
- Frontend validates SCTs when enable_sct_validation=true

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: 2 people

Cargo.lock

@@ -90,6 +90,13 @@ x509-verify = { version = "0.4.4", features = [
     "pem",
 ] }
 x509_util = { path = "crates/x509_util" }
+sct_validator = { path = "crates/sct_validator" }
+
+# sct_validator dependencies
+rsa = { version = "0.9", default-features = false, features = ["sha2"] }
+hashbrown = "0.15"
+spki = "0.7"
+const-oid = "0.9.6"
 
 [patch.crates-io]
 der = { git = "https://github.com/lukevalenta/formats", branch = "relative-oid-tag-v0.7.10" }

Cargo.toml

@@ -28,12 +28,11 @@ use std::cell::RefCell;
 use std::collections::btree_map::Entry;
 use std::collections::{BTreeMap, HashMap, VecDeque};
 use std::io::Write;
-use std::time::Duration;
 use tlog_tiles::{LookupKey, PendingLogEntry, SequenceMetadata};
 use tokio::sync::Mutex;
 use util::now_millis;
 use worker::{
-    js_sys, kv, kv::KvStore, wasm_bindgen, Bucket, Delay, Env, Error, HttpMetadata, Result, State,
+    js_sys, kv, kv::KvStore, wasm_bindgen, Bucket, Env, Error, HttpMetadata, Result, State,
     Storage, Stub,
 };
 
@@ -514,36 +513,6 @@ impl LockBackend for State {
     }
 }
 
-// R2 retry config: 3 retries with exponential backoff (100ms -> 200ms -> 400ms).
-pub const R2_MAX_RETRIES: u32 = 3;
-pub const R2_BASE_DELAY_MS: u64 = 100;
-
-/// Retries an async operation with exponential backoff.
-///
-/// # Errors
-///
-/// Returns the last error if all retry attempts fail.
-pub async fn with_retry<T, F, Fut>(max_retries: u32, base_delay_ms: u64, operation: F) -> Result<T>
-where
-    F: Fn() -> Fut,
-    Fut: std::future::Future<Output = Result<T>>,
-{
-    let mut last_error = None;
-    for attempt in 0..=max_retries {
-        match operation().await {
-            Ok(result) => return Ok(result),
-            Err(e) => {
-                last_error = Some(e);
-                if attempt < max_retries {
-                    let delay_ms = base_delay_ms * (1 << attempt);
-                    Delay::from(Duration::from_millis(delay_ms)).await;
-                }
-            }
-        }
-    }
-    Err(last_error.expect("with_retry: at least one attempt should have been made"))
-}
-
 pub trait ObjectBackend {
     /// Upload the object with the given key and data to the object backend,
     /// adding additional HTTP metadata headers based on the provided options.
@@ -592,39 +561,31 @@ impl ObjectBackend for ObjectBucket {
         opts: &UploadOptions,
     ) -> Result<()> {
         let start = now_millis();
-        let content_type = opts
-            .content_type
-            .clone()
-            .unwrap_or_else(|| "application/octet-stream".into());
-        let cache_control = if opts.immutable {
-            "public, max-age=604800, immutable"
+        let mut metadata = HttpMetadata::default();
+        if let Some(content_type) = &opts.content_type {
+            metadata.content_type = Some(content_type.to_string());
         } else {
-            "no-store"
-        };
+            metadata.content_type = Some("application/octet-stream".into());
+        }
+        if opts.immutable {
+            metadata.cache_control = Some("public, max-age=604800, immutable".into());
+        } else {
+            metadata.cache_control = Some("no-store".into());
+        }
         let value: Vec<u8> = data.into();
-        let key_str = key.as_ref();
         self.metrics
             .as_ref()
             .inspect(|&m| m.upload_size_bytes.observe(value.len().as_f64()));
-
-        with_retry(R2_MAX_RETRIES, R2_BASE_DELAY_MS, || async {
-            let metadata = HttpMetadata {
-                content_type: Some(content_type.clone()),
-                cache_control: Some(cache_control.into()),
-                ..Default::default()
-            };
-            self.bucket
-                .put(key_str, value.clone())
-                .http_metadata(metadata)
-                .execute()
-                .await
-        })
-        .await
-        .inspect_err(|_| {
-            self.metrics
-                .as_ref()
-                .inspect(|&m| m.errors.with_label_values(&["put"]).inc());
-        })?;
+        self.bucket
+            .put(key.as_ref(), value.clone())
+            .http_metadata(metadata)
+            .execute()
+            .await
+            .inspect_err(|_| {
+                self.metrics
+                    .as_ref()
+                    .inspect(|&m| m.errors.with_label_values(&["put"]).inc());
+            })?;
 
         self.metrics.as_ref().inspect(|&m| {
             m.duration
@@ -637,25 +598,20 @@ impl ObjectBackend for ObjectBucket {
 
     async fn fetch<S: AsRef<str>>(&self, key: S) -> Result<Option<Vec<u8>>> {
         let start = now_millis();
-        let key_str = key.as_ref();
-        let res = with_retry(R2_MAX_RETRIES, R2_BASE_DELAY_MS, || async {
-            match self.bucket.get(key_str).execute().await? {
-                Some(obj) => {
-                    let body = obj
-                        .body()
-                        .ok_or_else(|| format!("missing object body: {}", key_str))?;
-                    let bytes = body.bytes().await?;
-                    Ok(Some(bytes))
-                }
-                None => Ok(None),
+        let res = match self.bucket.get(key.as_ref()).execute().await? {
+            Some(obj) => {
+                let body = obj
+                    .body()
+                    .ok_or_else(|| format!("missing object body: {}", key.as_ref()))?;
+                let bytes = body.bytes().await.inspect_err(|_| {
+                    self.metrics.as_ref().inspect(|&m| {
+                        m.errors.with_label_values(&["get"]).inc();
+                    });
+                })?;
+                Ok(Some(bytes))
             }
-        })
-        .await
-        .inspect_err(|_| {
-            self.metrics
-                .as_ref()
-                .inspect(|&m| m.errors.with_label_values(&["get"]).inc());
-        });
+            None => Ok(None),
+        };
         self.metrics.as_ref().inspect(|&m| {
             m.duration
                 .with_label_values(&["get"])

crates/generic_log_worker/src/lib.rs

@@ -64,6 +64,7 @@ worker.workspace = true
 x509-cert.workspace = true
 x509_util.workspace = true
 mtc_api.workspace = true
+sct_validator.workspace = true
 
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = [

crates/mtc_worker/Cargo.toml

@@ -99,6 +99,11 @@
                             "minimum": 1,
                             "default": 60,
                             "description": "How long to wait in between runs of the partial tile cleaner."
+                        },
+                        "enable_sct_validation": {
+                            "type": "boolean",
+                            "default": false,
+                            "description": "Enable SCT (Signed Certificate Timestamp) validation for bootstrap certificates. When enabled, submitted certificates must have valid embedded SCTs compliant with Chrome's CT policy."
                         }
                     },
                     "required": [

crates/mtc_worker/config.schema.json

@@ -37,6 +37,9 @@ pub struct LogParams {
     pub max_batch_entries: usize,
     #[serde(default = "default_u64::<60>")]
     pub clean_interval_secs: u64,
+    /// Enable SCT validation for bootstrap certificates
+    #[serde(default)]
+    pub enable_sct_validation: bool,
 }
 
 impl LogParams {

crates/mtc_worker/config/src/lib.rs

@@ -24,18 +24,30 @@ pub(crate) const CCADB_ROOTS_FILENAME: &str = "mtc_bootstrap_roots.pem";
 
 #[event(scheduled)]
 async fn main(_event: ScheduledEvent, env: Env, _ctx: ScheduleContext) {
+    // Update CCADB roots
     log::info!("Updating CCADB roots");
-    let kv = match env.kv(CCADB_ROOTS_NAMESPACE) {
-        Ok(kv) => kv,
-        Err(e) => {
-            log::warn!("Failed to get KV namespace '{CCADB_ROOTS_NAMESPACE}': {e}");
-            return;
+    match env.kv(CCADB_ROOTS_NAMESPACE) {
+        Ok(kv) => {
+            if let Err(e) = update_ccadb_roots(&kv).await {
+                log::warn!("Failed to update CCADB roots: {e}");
+            } else {
+                log::info!("Successfully updated CCADB roots");
+            }
         }
-    };
-    if let Err(e) = update_ccadb_roots(&kv).await {
-        log::warn!("Failed to update CCADB roots: {e}");
-    } else {
-        log::info!("Successfully updated CCADB roots");
+        Err(e) => log::warn!("Failed to get KV namespace '{CCADB_ROOTS_NAMESPACE}': {e}"),
+    }
+
+    // Update CT logs for SCT validation
+    log::info!("Updating CT logs");
+    match env.kv(crate::ct_logs_cron::CT_LOGS_NAMESPACE) {
+        Ok(kv) => match crate::ct_logs_cron::update_ct_logs(&kv).await {
+            Ok(_) => log::info!("Successfully updated CT logs"),
+            Err(e) => log::warn!("Failed to update CT logs: {e}"),
+        },
+        Err(e) => log::warn!(
+            "Failed to get KV namespace '{}': {e}",
+            crate::ct_logs_cron::CT_LOGS_NAMESPACE
+        ),
     }
 }