ECA-6397 (EJBCA)

Filter CT logs based on expiration date of certificate

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.10.1
    • Component/s: None
    • Labels:

      Description

      Customer says:

      Another complication with using EJBCA with Certificate Transparency is the new approach some log operators are taking. They have different logs for each year certificates expire (one for certs expiring in 2018, a different one for 2019, etc.). Trying to set up all the profiles with different logs and keeping them up to date will be overly complex. Both Google and CloudFlare have taken this approach and we expect others to follow [...]
      
      Can you support the proper selection of CT logs based on certificate expiration date?
      

      There are already some logs pending inclusion in Chrome which only accept certificates with an expiration date in a certain range, e.g. ct.googleapis.com/logs/argon2018, which only accepts certificates expiring in 2018.

      We should anticipate and prepare for other types of constraints which may be specified in the future so we don't risk having to deprecate additional variables in CTLogInfo.

      I suggest we implement this as follows:

      1. Create a package certificatetransparency.acceptancerules
      2. Create an interface in this package as follows
        interface CtLogAcceptanceRule {
            public boolean accepts(X509Certificate certificate);
        }
        
      3. Create a class ExpirationDateAcceptanceRule implementing CtLogAcceptanceRule
        public class ExpirationDateAcceptanceRule implements CtLogAcceptanceRule {
            private final Date from;
            private final Date to;

            public ExpirationDateAcceptanceRule(Date from, Date to) {
                this.from = from;
                this.to = to;
            }

            @Override
            public boolean accepts(X509Certificate certificate) {
                // true iff from <= notAfter < to (half-open interval, so yearly ranges do not overlap)
                Date notAfter = certificate.getNotAfter();
                return !notAfter.before(from) && notAfter.before(to);
            }
        }
        
      4. Associate a List<CtLogAcceptanceRule> with each CTLogInfo object. We should publish the certificate C to the CT log L iff logAcceptsCertificate(L, C) returns true
        private boolean logAcceptsCertificate(CTLogInfo ctLog, X509Certificate certificate) {
            List<CtLogAcceptanceRule> rules = ctLog.getAcceptanceRules();
            if (rules == null) {
                return true; // no rules configured: the log is always contacted
            }
            for (CtLogAcceptanceRule acceptanceRule : rules) {
                if (!acceptanceRule.accepts(certificate)) {
                    return false;
                }
            }
            return true;
        }
        
      5. Add GUI code to editctlog.jsp which allows the user to enable an expiration date acceptance rule based on a start and end date.

      NOTE: No upgrade procedure needed. If nothing has been specified, a log will hold no rules (a null or empty list) and will always be contacted.
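      As an added, stand-alone illustration of the selection logic proposed above (example code, not from the EJBCA issue or code base; class and method names are hypothetical, and the rule exposes a Date-based check so it can be exercised without parsing a certificate), using argon2018-style yearly boundaries and the no-rules case:

```java
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Date;
import java.util.List;

public class CtLogSelectionDemo {
    // Hypothetical names modelled on the interface proposed in the issue.
    interface CtLogAcceptanceRule {
        boolean accepts(X509Certificate certificate);
    }
    // Accepts iff from <= notAfter < to. The half-open interval means yearly shards
    // such as [2018-01-01, 2019-01-01) never both claim a certificate at the boundary.
    static class ExpirationDateAcceptanceRule implements CtLogAcceptanceRule {
        private final Date from, to;
        ExpirationDateAcceptanceRule(Date from, Date to) {
            this.from = from;
            this.to = to;
        }
        @Override
        public boolean accepts(X509Certificate certificate) {
            return acceptsNotAfter(certificate.getNotAfter());
        }
        // Date-only variant so the check can be exercised without a certificate object.
        boolean acceptsNotAfter(Date notAfter) {
            return !notAfter.before(from) && notAfter.before(to);
        }
    }
    // Same contract as logAcceptsCertificate in the issue, on the date only: a log whose
    // rule list is null (nothing configured) or empty is always contacted.
    static boolean logAcceptsNotAfter(List<ExpirationDateAcceptanceRule> rules, Date notAfter) {
        if (rules == null) return true;
        for (ExpirationDateAcceptanceRule rule : rules) {
            if (!rule.acceptsNotAfter(notAfter)) return false;
        }
        return true;
    }
    static Date utc(int year, int month, int day) {
        return Date.from(LocalDate.of(year, month, day).atStartOfDay(ZoneOffset.UTC).toInstant());
    }
    public static void main(String[] args) {
        // Constructed sample: an argon2018-style 2018-only shard versus an unconstrained log.
        List<ExpirationDateAcceptanceRule> shard2018 = List.of(new ExpirationDateAcceptanceRule(utc(2018, 1, 1), utc(2019, 1, 1)));
        for (Date notAfter : new Date[] { utc(2018, 6, 30), utc(2019, 1, 1) }) {
            System.out.println(notAfter + " -> 2018 shard: " + logAcceptsNotAfter(shard2018, notAfter)
                    + ", unconstrained log: " + logAcceptsNotAfter(null, notAfter));
        }
    }
}
```

      A certificate expiring exactly at 2019-01-01 00:00:00 UTC is rejected by the 2018 shard and would instead belong to a 2019 shard, which is why the interval is half-open.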

      We should also mention this feature in the documentation (adminguide.xml).

              People

              Assignee: Bastian Fredriksson (bastianf)
              Reporter: Bastian Fredriksson (bastianf)
              Verified by: Samuel Lidén Borell
                  Time Tracking

                  Estimated: 1d (original estimate: 1 day)
                  Remaining: 0m
                  Logged: 1d 1h