CA: Add lint/check that SCTs validate before issuing final cert #6964

Open
aarongable opened this issue Jun 28, 2023 · 0 comments
@aarongable
Contributor

This idea came out of remediation for https://bugzilla.mozilla.org/show_bug.cgi?id=1838667

Recently we've seen two reasons that the SCTs included in a final cert might not actually validate:

  • A GTS incident where they used the SCTs from the wrong precert
  • Our incident where the SCT signatures were calculated over different bytes (because the precert didn't match the final cert)

However, we have no lint that checks this. The certificate-transparency-go library checks that the SCTs returned by CT logs actually validate over the precert contents, but we don't have a check that they also validate over the final cert contents.

We should add a lint-like check which confirms this. It will need the CT log public keys in order to successfully validate the SCT signatures. zmap/zlint#728 may handle this for us, in which case this bug should track updating and enabling that lint.
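The check described above, as an added example that is not Boulder's or certificate-transparency-go's code: a stand-in CT log signs an SCT over the precert TBS, and the lint re-verifies that signature over the TBS re-derived from the final certificate, so the "different bytes" case from the second incident fails. The RFC 6962 PrecertEntry serialisation is real; the function names, the TBS byte strings and the timestamp are constructed, and the ASN.1 step of stripping the SCT list extension from a real final cert (and swapping in the real issuer when a precert signing certificate is used) is assumed to have happened before `verifySCT` is called.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
)

// sctSignedInput builds the RFC 6962 section 3.2 signed input for a PrecertEntry SCT over a TBSCertificate with the poison/SCT extensions removed.
func sctSignedInput(ts uint64, issuerKeyHash [32]byte, tbs []byte) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], ts)
	buf := append([]byte{0, 0}, t[:]...) // sct_version v1(0), signature_type certificate_timestamp(0), timestamp
	buf = append(buf, 0, 1)              // entry_type precert_entry(1)
	buf = append(buf, issuerKeyHash[:]...)
	buf = append(buf, byte(len(tbs)>>16), byte(len(tbs)>>8), byte(len(tbs))) // 3-byte length
	buf = append(buf, tbs...)
	return append(buf, 0, 0) // empty CtExtensions (2-byte length)
}

// verifySCT is the post-issuance check: tbsFromFinal is the TBS re-derived from the final cert and the log's signature must verify over it.
func verifySCT(logPub *ecdsa.PublicKey, sig []byte, ts uint64, ikh [32]byte, tbsFromFinal []byte) bool {
	h := sha256.Sum256(sctSignedInput(ts, ikh, tbsFromFinal))
	return ecdsa.VerifyASN1(logPub, h[:], sig)
}

// lintRun has a stand-in CT log sign an SCT over precertTBS, then runs verifySCT
// against tbsFromFinal. Both byte strings are constructed stand-ins for DER.
func lintRun(precertTBS, tbsFromFinal []byte) (bool, error) {
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	logKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	spki, _ := x509.MarshalPKIXPublicKey(&issuerKey.PublicKey)
	ikh := sha256.Sum256(spki) // issuer_key_hash = SHA-256(issuer SubjectPublicKeyInfo DER)
	h := sha256.Sum256(sctSignedInput(1687939200000, ikh, precertTBS)) // what the log signs
	sig, err := ecdsa.SignASN1(rand.Reader, logKey, h[:])
	if err != nil {
		return false, err
	}
	return verifySCT(&logKey.PublicKey, sig, 1687939200000, ikh, tbsFromFinal), nil
}

func main() {
	same := []byte("constructed TBS: serial 1234, notAfter 2023-09-26")
	fmt.Println(lintRun(same, same)) // true <nil>
	fmt.Println(lintRun(same, []byte("constructed TBS: serial 1234, notAfter 2023-09-27"))) // false <nil>
}
```

In a real lint the log public key comes from the configured log list rather than being generated here, and every SCT in the final cert's SCT list extension is checked against its own log.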
