lints: count embedded SCTs, warn for Apple CT policy. #278
Merged
zakird merged 1 commit into zmap:master, Apr 9, 2019
Conversation
A new `ct_sct_policy_count_unsatisfied` lint is added that checks if subscriber certificates issued after October 15th 2018 have embedded SCTs from a sufficient number of unique CT logs to meet Apple's CT log policy[0]. The number of required SCTs from different logs is calculated based on the Certificate's lifetime. If the number of required SCTs is not embedded in the certificate a Notice level LintResult is returned.

| Certificate lifetime | # of SCTs from separate logs |
| -------------------- | ---------------------------- |
| Less than 15 months  | 2                            |
| 15 to 27 months      | 3                            |
| 27 to 39 months      | 4                            |
| More than 39 months  | 5                            |

Important note 1: We can't know whether additional SCTs were presented alongside the certificate via OCSP stapling. The new linter assumes only embedded SCTs are used and ignores the portion of the Apple policy related to SCTs delivered via OCSP. This is one limitation that restricts the linter's findings to Notice level. See more background discussion in Issue 226[1].

Important note 2: The linter doesn't maintain a list of Apple's trusted logs. The SCTs embedded in the certificate may not be from logs Apple actually trusts. Similarly the embedded SCT signatures are not validated in any way.

[0]: https://support.apple.com/en-us/HT205280
[1]: zmap#226
dadrian (Member) approved these changes on Apr 8, 2019 and left a comment:
LGTM, I agree this should be a notice on subscriber certs.
zakird (Member) approved these changes on Apr 9, 2019:
Whoops, sorry about missing this. In general, if it's not a major change, I think it's fine to merge with one reviewer.
Author (Member):
@zakird No apologies needed :-) Thanks for the guidance. I'll merge future small scale PRs on one review.
aaomidi pushed a commit to aaomidi/zlint that referenced this pull request on Nov 29, 2022:
deps: update weppos/publicsuffix-go for 2021-04-14T12:48:43 UTC
A new `ct_sct_policy_count_unsatisfied` lint is added that checks if subscriber certificates issued after October 15th 2018 have embedded SCTs from a sufficient number of unique CT logs to meet Apple's CT log policy. The number of required SCTs from different logs is calculated based on the Certificate's lifetime. If the number of required SCTs is not present a Notice level LintResult is returned.

Lint note 1: We can't know whether additional SCTs were presented alongside the certificate in some out of band manner. The new linter assumes only embedded SCTs are used and ignores the portion of the Apple policy related to SCTs delivered via OCSP or anywhere other than embedded in the certificate. This is one limitation that restricts the linter's findings to Notice level. See more background discussion in #226.
Lint note 2: The linter doesn't maintain a list of Apple's trusted logs. The SCTs embedded in the certificate may not be from logs Apple actually trusts. Similarly the embedded SCT signatures are not validated in any way.
Note to reviewers:
To generate the PEM encoded test certificates I used in the unit tests, I wrote a small stand-alone Go program: https://gist.github.com/cpu/6d26b2718f29e184ff88a90f02d7cbcb I think providing that in a Gist and linking to it in the testcase comments is better than putting it in-tree and should still be a fairly durable way to make sure the testcases are reproducible. If you'd rather see a different approach taken I'm open to suggestions.
It's possible to take this work & develop it further by building out a pipeline similar to the one used in `zlint-gtld-update` that would process Apple and Chromium's CT policy JSON. That's likely to be a fair amount of work and I think should be sketched out in some follow-up issues.

Updates #226
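The check the PR describes, written out as an added example for this page (it is not zlint's code and does not reproduce the lint's implementation): pull the RFC 6962 SignedCertificateTimestampList out of the embedded-SCT extension, count distinct log IDs (several SCTs from one log count once), derive the required count from the lifetime table, and let the caller map `have < need` to the PR's Notice level. All function names are mine; the calendar-month computation, the reading of the table's shared boundary months (15, 27, 39), and returning an error for a malformed extension are assumptions, not behaviour the PR states. As the PR notes, SCT signatures and log trust are not checked at all.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"sort"
	"time"
)

var (
	oidEmbeddedSCTList     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // RFC 6962 SCT list extension
	appleCTPolicyEffective = time.Date(2018, time.October, 15, 0, 0, 0, 0, time.UTC) // cut-off date from the PR text
	errMalformed           = errors.New("malformed SignedCertificateTimestampList")
)

// parseSCTLogIDs walks the TLS-encoded SignedCertificateTimestampList (RFC 6962 section 3.3) and returns
// each SCT's 32-byte log_id. One SCT is: version(1) log_id(32) timestamp(8) extensions<len(2)>
// digitally-signed{hash(1) sig(1) len(2) signature}. Lengths are checked; signatures are not validated.
func parseSCTLogIDs(raw []byte) ([][32]byte, error) {
	if len(raw) < 2 || int(binary.BigEndian.Uint16(raw)) != len(raw)-2 {
		return nil, errMalformed
	}
	var ids [][32]byte
	for raw = raw[2:]; len(raw) > 0; {
		if len(raw) < 2 {
			return nil, errMalformed
		}
		n := int(binary.BigEndian.Uint16(raw))
		raw = raw[2:]
		if n > len(raw) || n < 47 { // 47 bytes = the fixed fields plus an empty signature
			return nil, errMalformed
		}
		sigOff := 43 + int(binary.BigEndian.Uint16(raw[41:43])) + 4 // skip extensions and the signature header
		if sigOff > n || int(binary.BigEndian.Uint16(raw[sigOff-2:sigOff])) != n-sigOff {
			return nil, errMalformed
		}
		var id [32]byte
		copy(id[:], raw[1:33])
		ids = append(ids, id)
		raw = raw[n:]
	}
	return ids, nil
}

// requiredSCTs applies the PR's table to the lifetime in whole calendar months: under 15 => 2, 15-27 => 3,
// 28-39 => 4, 40 and over => 5. The month rounding and the boundary reading are assumptions about the real lint.
func requiredSCTs(notBefore, notAfter time.Time) int {
	months := 0
	for !notBefore.AddDate(0, months+1, 0).After(notAfter) {
		months++
	}
	// SearchInts returns how many thresholds are <= months, i.e. how many logs beyond the base two are required.
	return 2 + sort.SearchInts([]int{15, 28, 40}, months+1)
}

// evalApplePolicy applies the PR's rule to a subscriber certificate's validity and extensions: need == 0 means
// the lint does not apply, have < need is the PR's Notice case. An error for an unparseable extension is my choice.
func evalApplePolicy(notBefore, notAfter time.Time, exts ...pkix.Extension) (have, need int, err error) {
	if notBefore.Before(appleCTPolicyEffective) {
		return 0, 0, nil
	}
	logs := make(map[[32]byte]bool) // distinct log IDs: several SCTs from one log count once
	for _, e := range exts {
		if !e.Id.Equal(oidEmbeddedSCTList) {
			continue
		}
		var tlsList []byte // the extension value is an OCTET STRING wrapping the TLS-encoded list
		if _, err = asn1.Unmarshal(e.Value, &tlsList); err != nil {
			return 0, 0, err
		}
		ids, perr := parseSCTLogIDs(tlsList)
		if perr != nil {
			return 0, 0, perr
		}
		for _, id := range ids {
			logs[id] = true
		}
	}
	return len(logs), requiredSCTs(notBefore, notAfter), nil
}

// constructedSCTExtension builds a syntactically valid SCT extension whose log IDs differ only in their
// first byte. Constructed test data: not real logs, timestamps or signatures.
func constructedSCTExtension(logIDs ...byte) pkix.Extension {
	list := []byte{0, 0} // total length, filled in below
	for _, id := range logIDs {
		sct := append([]byte{0, id}, make([]byte, 31)...)      // version v1, 32-byte log_id
		sct = append(sct, 0, 0, 1, 0x68, 0x05, 0x5c, 0, 0)     // constructed 8-byte timestamp
		sct = append(sct, 0, 0, 4, 3, 0, 2, 0xAA, 0xBB)        // no extensions; sha256/ecdsa; 2-byte placeholder sig
		list = append(list, byte(len(sct)>>8), byte(len(sct))) // per-SCT length prefix
		list = append(list, sct...)
	}
	binary.BigEndian.PutUint16(list, uint16(len(list)-2))
	der, _ := asn1.Marshal(list) // OCTET STRING wrapper, as found in a real certificate
	return pkix.Extension{Id: oidEmbeddedSCTList, Value: der}
}
```

A caller that has already established the certificate is a subscriber (non-CA) certificate would pass `cert.NotBefore, cert.NotAfter, cert.Extensions...` from a parsed `x509.Certificate` and emit the Notice when `have < need`; a 12-month certificate carrying three SCTs from the same log yields `have=1, need=2`, which is exactly the case the unique-log counting exists to catch.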