Last active
May 6, 2021 14:36
-
-
Save robstradling/17cedbd6ea3c452676b23ef3faab4df8 to your computer and use it in GitHub Desktop.
Rough analysis of CAs embedding too few SCTs to comply with the 2021-04-21 update to the Apple CT Policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
-- Step 1: Find the lowest/earliest certificate ID affected by the updated Apple CT Policy. | |
-- (Assumptions: (i) Certificate notBefore dates are never forward-dated and (ii) Log entry timestamps are always accurate). | |
certwatch@certwatch=> SELECT min(c.ID) | |
FROM certificate c | |
WHERE x509_notBefore(c.CERTIFICATE) >= '2021-04-21'::timestamp | |
AND c.ID IN ( | |
SELECT ctle.CERTIFICATE_ID | |
FROM ct_log_entry_2021 ctle | |
WHERE ctle.ENTRY_TIMESTAMP >= '2021-04-21'::timestamp | |
ORDER BY ctle.ENTRY_TIMESTAMP | |
LIMIT 10000 | |
); | |
┌────────────┐ | |
│ min │ | |
├────────────┤ | |
│ 4407299627 │ | |
└────────────┘ | |
(1 row) | |
Time: 216.808 ms | |
-- Step 2: Look for precertificates affected by the updated Apple CT Policy for which crt.sh has observed less than 3 SCTs. | |
certwatch@certwatch=> CREATE TABLE temp_insufficient_scts AS | |
[more] - > SELECT ctle.CERTIFICATE_ID | |
[more] - > FROM certificate c, ct_log_entry ctle | |
[more] - > WHERE c.ID >= 4407299627 | |
[more] - > AND c.ID = ctle.CERTIFICATE_ID | |
[more] - > -- Precertificates only. | |
[more] - > AND x509_hasExtension(c.CERTIFICATE, '1.3.6.1.4.1.11129.2.4.3', TRUE) | |
[more] - > -- Affected by the updated Apple CT Policy. | |
[more] - > AND x509_notBefore(c.CERTIFICATE) >= '2021-04-21'::timestamp | |
[more] - > AND x509_notAfter(c.CERTIFICATE) - x509_notBefore(c.CERTIFICATE) >= interval '180 days' | |
[more] - > -- Optimization: Avoid checking pre-2021 partitions of the "certificate" and "ct_log_entry" tables. | |
[more] - > AND coalesce(x509_notAfter(c.CERTIFICATE), 'infinity'::timestamp) >= '2021-01-01'::timestamp AT TIME ZONE 'UTC' | |
[more] - > AND ctle.ENTRY_TIMESTAMP >= '2021-01-01'::timestamp | |
[more] - > GROUP BY ctle.CERTIFICATE_ID | |
[more] - > HAVING count(DISTINCT ctle.CT_LOG_ID) < 3 | |
[more] - > -- To avoid false positives, only consider log entries older than the MMD. | |
[more] - > AND min(ctle.ENTRY_TIMESTAMP) < (now() AT TIME ZONE 'UTC' - interval '24 hours'); | |
SELECT 78766 | |
Time: 2739550.028 ms (45:39.550) | |
-- Step 3: Filter out CAs that aren't in the Apple Root Certificate Program, and output a CSV summary. | |
\COPY ( SELECT count(*), ca.ID, ca.NAME, min(c.ID) EXAMPLE_ID_1, max(c.ID) EXAMPLE_ID_2 FROM temp_insufficient_scts tis, certificate c, ca WHERE tis.CERTIFICATE_ID = c.ID AND c.ISSUER_CA_ID = ca.ID AND EXISTS ( SELECT 1 FROM ca_trust_purpose ctp WHERE ctp.CA_ID = c.ISSUER_CA_ID AND ctp.TRUST_CONTEXT_ID = 12 AND ctp.TRUST_PURPOSE_ID = 1 ) GROUP BY ca.ID, ca.NAME ORDER BY count(*) DESC) to 'apple_insufficient_scts.csv' (FORMAT CSV); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PRECERTIFICATE COUNT | CA ID | CA NAME | EXAMPLE CRT.SH ID 1 | EXAMPLE CRT.SH ID 2 | |
---|---|---|---|---|---|
69154 | 904 | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | 4407302840 | 4433228458 | |
7222 | 797 | C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2 | 4407314236 | 4433224759 | |
180 | 179890 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020 | 4408588972 | 4433133506 | |
10 | 11279 | C=FR, O=DHIMYOTIS, OU=0002 48146308100036, organizationIdentifier=NTRFR-48146308100036, CN=Certigna Services CA | 4413733298 | 4432435544 | |
5 | 171937 | C=US, O=WidePoint, OU=Certification Authorities, CN=WidePoint ORC NFI 4 | 4422328099 | 4422767796 | |
5 | 10879 | C=FR, O=DHIMYOTIS, OU=0002 48146308100036, organizationIdentifier=NTRFR-48146308100036, CN=Certigna Wild CA | 4413761460 | 4419321957 | |
1 | 179901 | C=US, O=ATT Services Inc, CN=ATT Atlas R3 OV TLS CA 2020 | 4420524645 | 4420524645 | |
1 | 73378 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validated CA - SHA256 - G4 | 4420641949 | 4420641949 | |
1 | 73379 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validated ECC CA - SHA256 - G4 | 4414273953 | 4414273953 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment