Add WASM-compatible SCT validation with Chrome CT policy #170
Conversation
lbaquerofierro
changed the title
lbaquerofierro
force-pushed
the
lina/sct-validation
branch
from
803b361 to
df05af3
Compare
lbaquerofierro
force-pushed
the
lina/sct-validation
branch
7 times, most recently
from
0f5eb70 to
6db3196
Compare
| )); | ||
| } | ||
|
|
||
| let lifetime_secs = not_after_secs - not_before_secs; |
There was a problem hiding this comment.
If notBefore = notAfter, then the certificate is valid at that instant, so one second? So should we add a +1? What does Chrome do?
There was a problem hiding this comment.
Per RFC 5280 validity is "notBefore through notAfter, inclusive", so strictly speaking a cert where notBefore == notAfter is valid for one instant, meaning we should technically add +1. However, concert uses a simple not_after - not_before difference without +1, matching https://googlechrome.github.io/CertificateTransparency/ct_policy.html behavior. Keeping it consistent with that
There was a problem hiding this comment.
Where does the policy say that the lifetime is computed like that?
|
We should add tests with existing certificates. |
|
|
||
| // Get leaf and issuer DER for SCT validation | ||
| let leaf_der = req.chain.first().ok_or("Chain is empty")?; | ||
| let issuer_der = req.chain.get(1).ok_or("Chain must have at least 2 certificates")?; |
There was a problem hiding this comment.
Quoting validate_chain:
/// * `raw_chain` - The 'bootstrap' chain of certificates submitted to the
/// `add-entry` endpoint. Each entry must sign the previous entry, and the
/// chain must start with a leaf certificate and end with a certificate that
/// is a trusted root or is signed by a trusted root.
This means that the trusted root certificate need not be part of the chain. If the root directly signs the leaf, then the chain is of length one. Obviously today this is rare, but that might change in the future.
lbaquerofierro
force-pushed
the
lina/sct-validation
branch
2 times, most recently
from
cd62c57 to
dfabc17
Compare
bwesterb
left a comment
bwesterb
left a comment
There was a problem hiding this comment.
Great work, thanks. Before merging, we should really test with some actual certificates.
…pport Adds sct_validator crate for validating Signed Certificate Timestamps (SCTs) embedded in X.509 certificates, targeting WASM environments. Key features: - Chrome CT policy compliance (2-3 logs based on cert lifetime, 2 operators) - ECDSA P-256 and RSA signature verification - CT log list parsing from Google's JSON format - Stale log list handling (auto-succeed after 70 days per Chrome policy) Integration: - New cron job fetches CT log list from Google - Frontend validates SCTs when enable_sct_validation=true 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
lbaquerofierro
force-pushed
the
lina/sct-validation
branch
from
c575d17 to
20b8dd8
Compare
6 participants
Summary
sct_validatorcrate for validating Signed Certificate Timestamps (SCTs) embedded in certificatesChanges
New
sct_validatorcrateA WASM-compatible SCT validation library that implements Chrome's CT policy:
mtc_worker integration
ct_logs_cron.rs: Fetches Chrome's CT log list and caches in KVenable_sct_validation(default: false)ct_logsKV namespace binding in wrangler.jsonc