ctlint

ctlint

CT compliance linter

Intended uses

• Certification Authorities: Pre-issuance linting of precertificates and certificates.

• Interested Parties: Post-issuance conformance checking.

Features

• Determines, using crtsh/ctloglists, which CT logs are currently or once approved for each CT Policy.

• Audits certificates against the requirements of each applicable CT Policy, to ensure that embedded SCT lists contain a sufficient quantity and variety of SCTs from approved CT logs:

  • For Server Authentication Certificates:
    • the Chrome CT Policy
    • the Apple CT Policy
    • the Mozilla CT Policy
  • For Mark Certificates:
    • the CT requirements of the Mark Certificate Guidelines

• Identifies precertificate issuance from a Precertificate Signing CA beyond the sunset date in the TLS BRs.

• Checks that certificates expire within the temporal intervals of the logs that supplied the precertificate SCTs embedded in those certificates.

• Verifies signatures on precertificate SCTs embedded in certificates, using bundled CCADB data to determine each SCT's issuer_key_hash field.

• Validates syntax and usage of RFC6962 X.509 extensions appearing in certificates and precertificates.

Why you need ctlint

Here are some real-world examples of CT-related mishaps that ctlint can detect:

• Precertificate included an SCT list

• SCTs signed using the wrong key

• Insufficient log operator diversity amongst SCTs embedded in a certificate

• SCTs corrupted and then embedded in certificates

• Invalid SCTs returned by a log and then embedded in certificates

• Certificates expire outside the temporal interval of a log that supplied SCTs embedded in those certificates

• SCTs obtained from logs that are not yet Usable and then embedded in certificates

• SCTs stripped of extensions and then embedded in certificates

• SCT extensions not base64 decoded and then embedded in certificates

• Delayed issuance of a certificate containing embedded SCTs

Caveats

• ctlint can only audit CT Policy compliance of SCTs embedded in certificates that have not yet expired, because the various log lists do not preserve details of historic log state transitions that may be relevant.