chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Expired certificate for https://invalid-expected-sct.badssl.com/ #472

Open jojoschmitt opened 3 years ago

jojoschmitt commented 3 years ago

Hey,

The certificate for https://invalid-expected-sct.badssl.com/ expired on Sunday, November 18, 2018 at 12:59:59 AM and prevents this domain from being used for its actual purpose.

Is it possible to renew the certificate? Or is there any other possibility to test a certificate transparency implementation against invalid SCT signatures?

Thanks!

christhompson commented 3 years ago

invalid-expected-sct is unfortunately defunct now because getting a new cert would effectively require a CA to violate requirements. For testing CT enforcement we do have https://no-sct.badssl.com which just omits SCT information entirely -- are you looking to broadly test CT enforcement in user agents, or are you looking to test specific validation logic?

jojoschmitt commented 3 years ago

I guess it would be more towards specific validation logic. It revolves around a CT client implementation inside the Android Open Source Project. The implementation adopts Certificate Transparency Android (CTA) (https://github.com/babylonhealth/certificate-transparency-android) where possible but is generally self-made. I want to test that my implementation really denies certificates that either violate my policy (which is feasible for me) or fail SCT verification (which is currently not feasible for me). Given this, https://no-sct.badssl.com also helps with testing my policy enforcement but does not help towards testing SCT verification.

For a concrete example (and because Babylon no longer maintains CTA), I want to test the functionality of an implementation of the SignatureVerifier (https://github.com/appmattus/certificatetransparency/blob/main/certificatetransparency/src/main/kotlin/com/babylon/certificatetransparency/internal/verifier/LogSignatureVerifier.kt).

jojoschmitt commented 3 years ago

If there is no other possibility, there should also be a workaround: write a test app that overrides the Android TrustManager to allow expired certificates in order to reach the CT enforcement. It would be nice, however, to test the whole certificate.
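The gap described in this thread is testing a client's SCT signature verification against invalid SCTs when no live site can serve one. The Go program below is an added example, not code from badssl.com or from the Kotlin certificatetransparency library linked above. It serialises the RFC 6962 section 3.2 "digitally-signed struct" for an x509_entry, lets a locally generated P-256 key stand in for a CT log to issue an SCT, and then runs the client-side check against the genuine SCT and against SCTs that must be rejected. The leaf certificate bytes and the timestamp are constructed placeholders (the signed struct treats the DER certificate as opaque, so any byte string exercises the serialisation); precertificate entries and the DigitallySigned/TLS wire encoding of the SCT itself are assumed out of scope.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
)

// Field values from RFC 6962 section 3.2 (x509_entry only in this example).
const (
	sctVersionV1         = 0 // SCT version v1
	sigTypeCertTimestamp = 0 // SignatureType certificate_timestamp
	entryTypeX509        = 0 // LogEntryType x509_entry
)

// SCT holds the fields a client parses out of a SignedCertificateTimestamp.
type SCT struct {
	Version    byte
	LogID      [32]byte // SHA-256 of the log's DER SubjectPublicKeyInfo
	Timestamp  uint64   // milliseconds since the Unix epoch
	Extensions []byte
	Signature  []byte // DER-encoded ECDSA signature over signedData()
}

// logID derives the RFC 6962 log ID from the log's public key.
func logID(pub *ecdsa.PublicKey) ([32]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(spki), nil
}

// signedData serialises the struct the log signs: version, signature_type,
// timestamp, entry_type, the leaf as opaque<1..2^24-1> (3-byte length) and
// extensions as opaque<0..2^16-1> (2-byte length). All integers are big-endian.
func signedData(version byte, timestamp uint64, leafDER, extensions []byte) []byte {
	var buf bytes.Buffer
	buf.WriteByte(version)
	buf.WriteByte(sigTypeCertTimestamp)
	binary.Write(&buf, binary.BigEndian, timestamp)
	binary.Write(&buf, binary.BigEndian, uint16(entryTypeX509))
	l := len(leafDER)
	buf.Write([]byte{byte(l >> 16), byte(l >> 8), byte(l)})
	buf.Write(leafDER)
	binary.Write(&buf, binary.BigEndian, uint16(len(extensions)))
	buf.Write(extensions)
	return buf.Bytes()
}

// issueSCT plays the log: it signs the leaf with the (hypothetical) log key.
func issueSCT(logKey *ecdsa.PrivateKey, timestamp uint64, leafDER []byte) (*SCT, error) {
	id, err := logID(&logKey.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(signedData(sctVersionV1, timestamp, leafDER, nil))
	sig, err := ecdsa.SignASN1(rand.Reader, logKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &SCT{Version: sctVersionV1, LogID: id, Timestamp: timestamp, Signature: sig}, nil
}

// verifySCT is the client-side check: the SCT must be v1, name a known log,
// and carry a signature that verifies over the struct rebuilt from the SCT
// fields and the certificate actually presented to the client.
func verifySCT(knownLogs map[[32]byte]*ecdsa.PublicKey, sct *SCT, leafDER []byte) error {
	if sct.Version != sctVersionV1 {
		return fmt.Errorf("unsupported SCT version %d", sct.Version)
	}
	pub, ok := knownLogs[sct.LogID]
	if !ok {
		return fmt.Errorf("SCT from unknown log %x", sct.LogID[:8])
	}
	digest := sha256.Sum256(signedData(sct.Version, sct.Timestamp, leafDER, sct.Extensions))
	if !ecdsa.VerifyASN1(pub, digest[:], sct.Signature) {
		return fmt.Errorf("SCT signature does not verify")
	}
	return nil
}

func main() {
	logKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for a real log
	if err != nil {
		panic(err)
	}
	id, _ := logID(&logKey.PublicKey)
	knownLogs := map[[32]byte]*ecdsa.PublicKey{id: &logKey.PublicKey}
	leaf := []byte("constructed placeholder for a DER-encoded leaf certificate")
	sct, err := issueSCT(logKey, 1542499200000, leaf) // constructed timestamp
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine SCT:", verifySCT(knownLogs, sct, leaf))
	corrupted := *sct // same SCT with one signature byte flipped
	corrupted.Signature = append([]byte(nil), sct.Signature...)
	corrupted.Signature[len(corrupted.Signature)-1] ^= 0x01
	fmt.Println("corrupted signature:", verifySCT(knownLogs, &corrupted, leaf))
	fmt.Println("SCT for a different leaf:", verifySCT(knownLogs, sct, []byte("another cert")))
}
```

Because the log key is under the test's control, every failure mode the reporter wants to cover can be produced locally: a signature that is well-formed but computed over a different leaf or timestamp, a corrupted signature, an SCT from a log not in the client's known-logs list, or an unsupported version. Feeding these into the verifier under test (here `verifySCT`; in the reporter's case the Kotlin LogSignatureVerifier) checks that each is rejected without any dependency on a site such as invalid-expected-sct.badssl.com.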