CT compliance linter
- Certification Authorities: Pre-issuance linting of precertificates and certificates.
- Interested Parties: Post-issuance conformance checking.

- Determines which CT logs are currently or once were approved for each CT Policy by bundling and parsing the Chrome all_logs_list.json, Apple current_log_list.json, and Mozilla Known CT Logs log lists.
- Audits certificates against the requirements of the Chrome CT Policy, the Apple CT Policy, and the Mozilla CT Policy, to ensure that embedded SCT lists contain a sufficient quantity and variety of SCTs from approved CT logs.
- Identifies precertificate issuance from a Precertificate Signing CA beyond the sunset date in the TLS BRs.
- Checks that each certificate's NotAfter date falls within the temporal interval of every log that supplied a precertificate SCT embedded in that certificate.
- Verifies signatures on precertificate SCTs embedded in certificates, using bundled CCADB data to locate the issuing CA's public key and so compute the issuer_key_hash value that each SCT's signature covers.
- Validates syntax and usage of the RFC 6962 X.509 extensions appearing in certificates and precertificates.
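The SCT signature check in the list above is easiest to understand from code. The following Go program is an added example written for this page, not ctlint's own code: it parses one v1 SCT as it is serialized inside the RFC 6962 SCT list extension, rebuilds the digitally-signed structure for a precertificate entry from the SCT's timestamp and extensions, the issuer_key_hash (SHA-256 of the final issuing CA's SubjectPublicKeyInfo, which is what the CCADB lookup supplies) and the TBSCertificate, and verifies the log's ECDSA P-256 signature over it. Because no real log or CA is involved, the program also plays the log with a freshly generated key; the TBSCertificate, issuer SPKI and log ID are constructed stand-in byte strings, and every type and function name here is the example's own. The second verification shows why an SCT whose extensions were stripped before embedding fails the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// SCT is one v1 SignedCertificateTimestamp as serialized inside the RFC 6962
// section 3.3 certificate extension (OID 1.3.6.1.4.1.11129.2.4.2).
type SCT struct {
	LogID      [32]byte // SHA-256 of the log's public key (SPKI)
	Timestamp  uint64   // milliseconds since the Unix epoch
	Extensions []byte   // CtExtensions exactly as the log returned them
	Signature  []byte   // DER-encoded ECDSA signature
}

// ParseSCT decodes: version(1)=0 log_id(32) timestamp(8) extensions<0..2^16-1>
// hash_alg(1) sig_alg(1) signature<0..2^16-1>. Only sha256/ecdsa is accepted.
func ParseSCT(b []byte) (SCT, error) {
	var s SCT
	if len(b) < 43 || b[0] != 0 {
		return s, errors.New("sct: short or not v1")
	}
	copy(s.LogID[:], b[1:33])
	s.Timestamp = binary.BigEndian.Uint64(b[33:41])
	el := int(binary.BigEndian.Uint16(b[41:43]))
	if len(b) < 43+el+4 {
		return s, errors.New("sct: truncated extensions")
	}
	s.Extensions, b = b[43:43+el], b[43+el:]
	if b[0] != 4 || b[1] != 3 || int(binary.BigEndian.Uint16(b[2:4])) != len(b)-4 {
		return s, errors.New("sct: not sha256/ecdsa, or bad signature length")
	}
	s.Signature = b[4:]
	return s, nil
}

// encodeSCT is the inverse of ParseSCT; it stands in for a CA embedding an SCT.
func encodeSCT(s SCT) []byte {
	b := append([]byte{0}, s.LogID[:]...)
	b = binary.BigEndian.AppendUint64(b, s.Timestamp)
	b = binary.BigEndian.AppendUint16(b, uint16(len(s.Extensions)))
	b = append(b, s.Extensions...)
	b = append(b, 4, 3) // HashAlgorithm.sha256, SignatureAlgorithm.ecdsa
	b = binary.BigEndian.AppendUint16(b, uint16(len(s.Signature)))
	return append(b, s.Signature...)
}

// precertSignedData builds the RFC 6962 section 3.2 digitally-signed input for
// a precert entry: sct_version(1) signature_type(1)=certificate_timestamp
// timestamp(8) entry_type(2)=precert_entry issuer_key_hash(32)
// tbs_certificate<1..2^24-1> extensions<0..2^16-1>.
func precertSignedData(ts uint64, issuerKeyHash [32]byte, tbs, exts []byte) []byte {
	b := binary.BigEndian.AppendUint64([]byte{0, 0}, ts)
	b = append(binary.BigEndian.AppendUint16(b, 1), issuerKeyHash[:]...)
	b = append(b, byte(len(tbs)>>16), byte(len(tbs)>>8), byte(len(tbs)))
	b = append(b, tbs...)
	b = binary.BigEndian.AppendUint16(b, uint16(len(exts)))
	return append(b, exts...)
}

// VerifyPrecertSCT checks the log's signature. issuerKeyHash is SHA-256 over the
// DER SubjectPublicKeyInfo of the CA that issues the final certificate, and tbs
// is the precertificate's TBSCertificate with the poison extension removed.
func VerifyPrecertSCT(logKey *ecdsa.PublicKey, s SCT, issuerKeyHash [32]byte, tbs []byte) bool {
	h := sha256.Sum256(precertSignedData(s.Timestamp, issuerKeyHash, tbs, s.Extensions))
	return ecdsa.VerifyASN1(logKey, h[:], s.Signature)
}

// Demo plays a CT log with a fresh P-256 key: it signs one precert SCT over
// constructed stand-in bytes, embeds and re-parses it, and reports whether the
// intact SCT verifies and whether a copy with its extensions stripped does.
func Demo() (intactOK, strippedOK bool, err error) {
	logKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	tbs := []byte("constructed stand-in for the precertificate TBSCertificate")
	ikh := sha256.Sum256([]byte("constructed stand-in for the issuer SubjectPublicKeyInfo"))
	s := SCT{Timestamp: 1700000000000, Extensions: []byte{0xAB, 0xCD}}
	s.LogID = sha256.Sum256([]byte("constructed; a real log_id is SHA-256 of the log's SPKI"))
	h := sha256.Sum256(precertSignedData(s.Timestamp, ikh, tbs, s.Extensions))
	if s.Signature, err = ecdsa.SignASN1(rand.Reader, logKey, h[:]); err != nil {
		return false, false, err
	}
	check := func(embedded []byte) bool { // what an auditor sees: raw extension bytes
		p, perr := ParseSCT(embedded)
		return perr == nil && VerifyPrecertSCT(&logKey.PublicKey, p, ikh, tbs)
	}
	stripped := s
	stripped.Extensions = nil // the mishap: extensions dropped, signature kept
	return check(encodeSCT(s)), check(encodeSCT(stripped)), nil
}
```

Post-issuance only the final certificate is in hand, so the issuer's public key has to be found (from the certificate's issuer name and authority key identifier) before issuer_key_hash can be computed; that is the CCADB lookup the feature list refers to. Any change to the signed fields after the log signed them, whether extensions dropped or extensions embedded as the undecoded base64 text from the log's JSON response, produces a different digest and a failed verification.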
Here are some real-world examples of CT-related mishaps that ctlint can detect:
- Insufficient log operator diversity amongst the SCTs embedded in a certificate
- Invalid SCTs returned by a log and then embedded in certificates
- SCTs obtained from logs that were not yet Usable and then embedded in certificates
- SCTs stripped of their extensions and then embedded in certificates
- SCT extensions not base64-decoded and then embedded in certificates

- After a log's temporal interval expires, the log is removed from the various log lists. Consequently, ctlint can only audit CT Policy compliance of SCTs embedded in certificates that have not yet expired.
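Putting the policy checks from the feature list together, here is an added Go example (not ctlint's code) that audits a certificate's embedded SCTs against a simplified policy model: each SCT's log must be on the policy's list, must have been Usable when the SCT was issued, and must have a temporal interval containing the certificate's NotAfter; the SCTs that pass must reach the policy's count for the certificate's lifetime and must come from enough distinct operators. The thresholds in chromeLike (2 SCTs for lifetimes up to 180 days, otherwise 3, from 2 operators) are this example's reading of the Chrome policy and should be confirmed against the policy text; the log entries, operators and certificate dates are constructed, the LogInfo model is a flattening of the log list fields rather than their JSON schema, and it tracks only when a log became Usable, not later Retired or Rejected transitions. The unknown-log branch is also where SCTs from logs that have since dropped off the lists land, which is the limitation noted above.

```go
package main

import (
	"fmt"
	"time"
)

// SCTRef is what the policy audit needs from each embedded SCT: which log
// issued it and when. Parsing the extension and checking signatures are
// separate steps and are not shown here.
type SCTRef struct {
	LogID     [32]byte
	Timestamp time.Time
}

// LogInfo is a flattened model of the fields a CT log list entry contributes
// to the audit. It is not the JSON schema of the Chrome, Apple or Mozilla
// lists, and it ignores the Retired/Rejected transitions the full policies use.
type LogInfo struct {
	Operator   string
	UsableFrom time.Time // first moment the log was Usable; zero means never
	Start, End time.Time // temporal interval: certificate NotAfter must fall in [Start, End)
}

// Policy captures the quantity and operator-diversity rules the CT policies
// share in shape; the numbers differ per policy and per certificate lifetime.
type Policy struct {
	Name         string
	MinSCTs      func(lifetime time.Duration) int
	MinOperators int
}

// chromeLike is an assumed model of the Chrome policy's quantity rule: 2 SCTs
// for certificates valid 180 days or less, otherwise 3, from at least 2
// distinct operators. Confirm against the current policy text before use.
var chromeLike = Policy{Name: "Chrome", MinOperators: 2,
	MinSCTs: func(lifetime time.Duration) int {
		if lifetime <= 180*24*time.Hour {
			return 2
		}
		return 3
	}}

// AuditEmbeddedSCTs returns one finding per problem; no findings means compliant.
func AuditEmbeddedSCTs(p Policy, scts []SCTRef, notBefore, notAfter time.Time, logs map[[32]byte]LogInfo) []string {
	var findings []string
	ops, compliant := map[string]bool{}, 0
	ymd := func(t time.Time) string { return t.Format("2006-01-02") }
	for i, s := range scts {
		li, known := logs[s.LogID]
		switch {
		case !known: // also where a log dropped from the lists after its interval ended lands
			findings = append(findings, fmt.Sprintf("sct[%d]: log %x... is not in the %s log list", i, s.LogID[:4], p.Name))
		case li.UsableFrom.IsZero() || s.Timestamp.Before(li.UsableFrom):
			findings = append(findings, fmt.Sprintf("sct[%d]: log run by %q was not yet Usable at %s", i, li.Operator, s.Timestamp.Format(time.RFC3339)))
		case notAfter.Before(li.Start) || !notAfter.Before(li.End):
			findings = append(findings, fmt.Sprintf("sct[%d]: NotAfter %s is outside the temporal interval [%s, %s) of the log run by %q", i, ymd(notAfter), ymd(li.Start), ymd(li.End), li.Operator))
		default:
			compliant++
			ops[li.Operator] = true
		}
	}
	lifetime := notAfter.Sub(notBefore)
	if need := p.MinSCTs(lifetime); compliant < need {
		findings = append(findings, fmt.Sprintf("%d compliant SCTs; %s requires %d for a %d-day certificate", compliant, p.Name, need, int(lifetime.Hours()/24)))
	}
	if len(ops) < p.MinOperators {
		findings = append(findings, fmt.Sprintf("SCTs span %d distinct log operators; %s requires %d", len(ops), p.Name, p.MinOperators))
	}
	return findings
}

// SampleAudit runs the audit on constructed data: a one-year certificate with
// three SCTs, two from logs run by the same operator and one from a log whose
// temporal interval ends before the certificate expires.
func SampleAudit() []string {
	day := func(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
	logA, logB, logC := [32]byte{1}, [32]byte{2}, [32]byte{3}
	logs := map[[32]byte]LogInfo{
		logA: {"Operator One", day(2024, 1, 1), day(2025, 1, 1), day(2026, 1, 1)},
		logB: {"Operator One", day(2024, 1, 1), day(2025, 1, 1), day(2026, 1, 1)},
		logC: {"Operator Two", day(2024, 1, 1), day(2024, 1, 1), day(2025, 1, 1)},
	}
	issued := day(2024, 3, 1)
	scts := []SCTRef{{logA, issued}, {logB, issued}, {logC, issued}}
	return AuditEmbeddedSCTs(chromeLike, scts, issued, issued.AddDate(1, 0, 0), logs)
}

func main() {
	for _, f := range SampleAudit() {
		fmt.Println(f)
	}
}
```

On the constructed input the audit reports three findings: the third SCT's log cannot accept a certificate expiring after its interval, only two SCTs remain compliant where a 365-day certificate needs three, and both remaining SCTs come from one operator. A real linter would evaluate the same list once per policy, since Chrome, Apple and Mozilla each approve a different set of logs and use different counts.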