
v1.1.0

@RJPercival RJPercival released this 14 Nov 15:22

CTFE

The reject_expired and reject_unexpired configuration fields for the CTFE have been changed so that their behaviour reflects their name:

  • reject_expired only rejects expired certificates (i.e. it now allows not-yet-valid certificates).
  • reject_unexpired only allows expired certificates (i.e. it now rejects not-yet-valid certificates).

A reject_extensions configuration field for the CTFE was added. This allows submissions to be rejected if they contain an extension with any of the specified OIDs.
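As an added illustration of the semantics described above (this is example code written for these notes, not the CTFE's own configuration or validation code), the following Go program models reject_expired, reject_unexpired and reject_extensions as one policy check. The SubmissionPolicy type, the CheckSubmission function, the reference time and the sample certificates are all constructed for the example; the rejected extension OID 1.2.3.4 is a placeholder.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"time"
)

// SubmissionPolicy mirrors the three CTFE configuration fields described in
// the release notes. (Illustrative type, not the CTFE's own config struct.)
type SubmissionPolicy struct {
	RejectExpired    bool                    // reject certs whose NotAfter is in the past
	RejectUnexpired  bool                    // accept ONLY certs whose NotAfter is in the past
	RejectExtensions []asn1.ObjectIdentifier // reject certs carrying any of these extension OIDs
}

// CheckSubmission returns nil if leaf is acceptable at time now, otherwise an
// error naming the first policy violation. Note the v1.1.0 semantics:
// reject_expired lets not-yet-valid certificates through, while
// reject_unexpired rejects them (they are not expired).
func (p SubmissionPolicy) CheckSubmission(leaf *x509.Certificate, now time.Time) error {
	expired := now.After(leaf.NotAfter)
	notYetValid := now.Before(leaf.NotBefore)

	if p.RejectExpired && expired {
		return fmt.Errorf("certificate expired at %s", leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	if p.RejectUnexpired && !expired {
		if notYetValid {
			return fmt.Errorf("certificate is not yet valid (NotBefore %s)", leaf.NotBefore.UTC().Format(time.RFC3339))
		}
		return fmt.Errorf("certificate has not expired (NotAfter %s)", leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	for _, ext := range leaf.Extensions {
		for _, banned := range p.RejectExtensions {
			if ext.Id.Equal(banned) {
				return fmt.Errorf("certificate carries rejected extension %s (critical=%t)", ext.Id, ext.Critical)
			}
		}
	}
	return nil
}

// Constructed sample certificates: only the fields the policy reads are set,
// so no keys or signatures are needed for the demonstration.
var (
	refTime = time.Date(2019, 1, 15, 12, 0, 0, 0, time.UTC)
	day     = 24 * time.Hour

	// Placeholder OID standing in for an extension the operator wants to refuse.
	oidBanned = asn1.ObjectIdentifier{1, 2, 3, 4}

	expiredLeaf = &x509.Certificate{NotBefore: refTime.Add(-90 * day), NotAfter: refTime.Add(-1 * day)}
	validLeaf   = &x509.Certificate{NotBefore: refTime.Add(-1 * day), NotAfter: refTime.Add(90 * day)}
	futureLeaf  = &x509.Certificate{NotBefore: refTime.Add(1 * day), NotAfter: refTime.Add(90 * day)}
	bannedLeaf  = &x509.Certificate{
		NotBefore: refTime.Add(-1 * day), NotAfter: refTime.Add(90 * day),
		Extensions: []pkix.Extension{{Id: oidBanned, Critical: false, Value: []byte{0x05, 0x00}}},
	}
)

func main() {
	policies := map[string]SubmissionPolicy{
		"reject_expired":    {RejectExpired: true},
		"reject_unexpired":  {RejectUnexpired: true},
		"reject_extensions": {RejectExtensions: []asn1.ObjectIdentifier{oidBanned}},
	}
	leaves := map[string]*x509.Certificate{
		"expired": expiredLeaf, "valid": validLeaf, "not-yet-valid": futureLeaf, "banned-ext": bannedLeaf,
	}
	for pname, p := range policies {
		for lname, leaf := range leaves {
			fmt.Printf("%-18s %-14s -> %v\n", pname, lname, p.CheckSubmission(leaf, refTime))
		}
	}
}
```

Running it prints one line per policy/certificate pair; the two lines to look at are reject_expired against the not-yet-valid leaf (accepted) and reject_unexpired against the same leaf (rejected), which is exactly the behaviour change this release makes.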

A frozen_sth configuration field for the CTFE was added. This STH will be served permanently. It must be signed by the log's private key.

A /healthz URL has been added which responds with HTTP 200 OK and the string "ok" when the server is up.

Flags

The ct_server binary has these new flags:

  • mask_internal_errors - Removes error strings from HTTP 500 responses (Internal Server Error)

Removed default values for --metrics_endpoint and --log_rpc_server flags. This makes it easier to get the documented "unset" behaviour.

Metrics

The CTFE exports these new metrics:

  • is_mirror - set to 1 for mirror logs (copies of logs hosted elsewhere)
  • frozen_sth_timestamp - time of the frozen Signed Tree Head in milliseconds since the epoch

Kubernetes

Updated prometheus-to-sd to v0.5.2.

A dedicated node pool is no longer required by the Kubernetes manifests.

Log Lists

A new package has been created for parsing, searching and creating JSON log lists compatible with the v2 schema: github.com/google/certificate-transparency-go/loglist2.

Docker Images

Our Docker images have been updated to use Go 1.11 and Distroless base images.

The CTFE Docker image now sets ENTRYPOINT.

Utilities / Libraries

jsonclient

The jsonclient package now copes with empty HTTP responses. The user-agent header it sends can now be specified.

x509 and asn1 forks

Merged upstream changes from Go 1.12 into the asn1 and x509 packages.

Added a "lax" tag to asn1 that applies recursively and makes some checks more relaxed:

  • parsePrintableString() copes with invalid PrintableString contents, e.g. use of tagPrintableString when the string data is really ISO8859-1.
  • checkInteger() allows integers that are not minimally encoded (and so are not correct DER).
  • OIDs are allowed to be empty.
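To make the strict/lax distinction concrete, here is an added Go example (written for these notes, not code from the asn1 fork) that implements two of the checks listed above for a single INTEGER or PrintableString value: the DER minimal-encoding rule that checkInteger() enforces, and the PrintableString alphabet that parsePrintableString() enforces. The ParseDERInteger, StdlibAccepts and CheckPrintableString functions are constructed for this example; the byte strings are hand-built test vectors, and Go's own encoding/asn1 is called only to show that it behaves like the strict mode.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// ParseDERInteger decodes one ASN.1 INTEGER TLV (tag 0x02, short-form length).
// Strict mode enforces DER's minimal-encoding rule, the check the release notes
// say checkInteger() relaxes under the "lax" tag; lax mode accepts the
// redundant leading 0x00 / 0xFF bytes that some non-conforming encoders emit.
func ParseDERInteger(der []byte, lax bool) (*big.Int, error) {
	if len(der) < 2 || der[0] != 0x02 {
		return nil, errors.New("not an INTEGER")
	}
	n := int(der[1])
	if n&0x80 != 0 || len(der) != 2+n {
		return nil, errors.New("unsupported length form or truncated value")
	}
	if n == 0 {
		return nil, errors.New("empty integer")
	}
	content := der[2:]
	if !lax && n > 1 {
		// A leading 0x00 is only needed to keep a positive value positive, and a
		// leading 0xFF only to keep a negative value negative; anything else is padding.
		if (content[0] == 0x00 && content[1]&0x80 == 0) || (content[0] == 0xFF && content[1]&0x80 != 0) {
			return nil, errors.New("integer not minimally encoded")
		}
	}
	// Two's-complement decode of the content octets.
	v := new(big.Int).SetBytes(content)
	if content[0]&0x80 != 0 {
		v.Sub(v, new(big.Int).Lsh(big.NewInt(1), uint(8*n)))
	}
	return v, nil
}

// StdlibAccepts reports whether Go's encoding/asn1 (which is always strict)
// decodes the same TLV into an int64, for comparison with the lax path.
func StdlibAccepts(der []byte) bool {
	var v int64
	_, err := asn1.Unmarshal(der, &v)
	return err == nil
}

// CheckPrintableString enforces the X.680 PrintableString alphabet in strict
// mode. In lax mode any bytes are tolerated, which is what lets a value tagged
// PrintableString but actually holding ISO 8859-1 text parse.
func CheckPrintableString(b []byte, lax bool) error {
	if lax {
		return nil
	}
	for i, c := range b {
		ok := ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || ('0' <= c && c <= '9') ||
			c == ' ' || c == '\'' || c == '(' || c == ')' || c == '+' || c == ',' ||
			c == '-' || c == '.' || c == '/' || c == ':' || c == '=' || c == '?'
		if !ok {
			return fmt.Errorf("byte %d (0x%02x) is outside the PrintableString alphabet", i, c)
		}
	}
	return nil
}

func main() {
	// Constructed vectors: 5 encoded minimally, 5 with a padding byte, -128 with a padding byte.
	vectors := [][]byte{{0x02, 0x01, 0x05}, {0x02, 0x02, 0x00, 0x05}, {0x02, 0x02, 0xFF, 0x80}}
	for _, der := range vectors {
		strict, serr := ParseDERInteger(der, false)
		lax, lerr := ParseDERInteger(der, true)
		fmt.Printf("% x  strict=%v/%v  lax=%v/%v  encoding/asn1 accepts=%t\n",
			der, strict, serr, lax, lerr, StdlibAccepts(der))
	}
	latin1 := []byte("caf\xe9") // ISO 8859-1 "café", not valid PrintableString
	fmt.Println("strict:", CheckPrintableString(latin1, false), " lax:", CheckPrintableString(latin1, true))
}
```

The point to take from the comparison is that lax parsing changes what a log is willing to accept, not what it stores: the log still serves the submitted bytes as they were, so a relying party parsing them strictly (as encoding/asn1 does) will still see the defect.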

The following x509 functions will now return x509.NonFatalErrors if ASN.1 parsing fails in strict mode but succeeds in lax mode. Previously, they only attempted strict mode parsing.

  • x509.ParseTBSCertificate()
  • x509.ParseCertificate()
  • x509.ParseCertificates()

The x509 package will now treat a negative RSA modulus as a non-fatal error.

The x509 package now supports RSAES-OAEP and Ed25519 keys.

ctclient

The ctclient tool now defaults to using all_logs_list.json instead of log_list.json. This can be overridden using the --log_list flag.

It can now perform inclusion checks on pre-certificates.

It has these new commands:

  • bisect - Finds a log entry given a timestamp.

It has these new flags:

  • --chain - Displays the entire certificate chain
  • --dns_server - The DNS server to direct queries to (system resolver by default)
  • --skip_https_verify - Skips verification of the HTTPS connection
  • --timestamp - Timestamp to use for bisect and inclusion commands (for inclusion, only if --leaf_hash is not used)

It now accepts hex or base64-encoded strings for the --tree_hash, --prev_hash and --leaf_hash flags.

certcheck

The certcheck tool has these new flags:

  • --check_time - Check current validity of certificate (replaces --timecheck)
  • --check_name - Check validity of certificate name
  • --check_eku - Check validity of EKU nesting
  • --check_path_len - Check validity of path length constraint
  • --check_name_constraint - Check name constraints
  • --check_unknown_critical_exts - Check for unknown critical extensions (replaces --ignore_unknown_critical_exts)
  • --strict - Set non-zero exit code for non-fatal errors in parsing

sctcheck

The sctcheck tool has these new flags:

  • --check_inclusion - Checks that the SCT was honoured (i.e. the corresponding certificate was included in the issuing CT log)

ct_hammer

The ct_hammer tool has these new flags:

  • --duplicate_chance - Allows setting the probability of the hammer sending a duplicate submission.