google / certificate-transparency

Auditing for TLS certificates.
https://certificate.transparency.dev
Apache License 2.0

Google should provide log_list.json in its various derived formats #1474

Open rickmark opened 4 years ago

rickmark commented 4 years ago

Certificate transparency adoption would rise if Google's GStatic hosted the OpenSSL, Java, and CPP versions along with the JSON.

Generating the OpenSSL version was long and complex (multiple toolchains, Python, Bazel, etc.) and largely undocumented.

Moreover, OpenSSL should include the CT list in its distribution so that it can serve as a root of trust on other operating systems.

Derived version for OpenSSL: https://gist.github.com/rickmark/f56404d159687b9f20ec5cb5e55efd49

yan-foto commented 3 years ago

It's a pain to generate the OpenSSL-compliant format (I know), but all you need is Python 2.x and a bit of patching, since the new JSON schema does not work with the code here!

python2.7 utilities/log_list/print_log_list.py \
  --log_list log_list.json \
  --skip_signature_check \
  --log_list_schema log_list_schema.json \
  --openssl_output known_logs.cnf

NOTE: I skipped signature verification.

By the way, I recommend always generating the OpenSSL file from the latest files provided by CT to keep up to date with changes.
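
As an added example (not code from this repository or from either commenter), the conversion discussed in this thread can be sketched in Python 3: it reads the `operators` -> `logs` layout of the current log_list.json and writes the `enabled_logs` plus per-log `description`/`key` sections that OpenSSL's CT log list file uses. The function names, the sample data and the default set of accepted log states are assumptions of this example, and it does not check the list's signature, so that step has to happen before the file is trusted.

```python
import base64
import json
import re

# Constructed sample in the log_list.json layout (operators -> logs); keys are dummy bytes.
SAMPLE = json.dumps({"operators": [{"name": "Example Operator", "logs": [
    {"description": "Example Log 2025",
     "key": base64.b64encode(b"dummy-key-1").decode(),
     "state": {"usable": {"timestamp": "2024-01-01T00:00:00Z"}}},
    {"description": "Example Log 2020",
     "key": base64.b64encode(b"dummy-key-2").decode(),
     "state": {"retired": {"timestamp": "2021-01-01T00:00:00Z"}}},
]}]})


def section_name(description, seen):
    """Derive a unique config section name from a log description (hypothetical helper)."""
    base = re.sub(r"[^A-Za-z0-9]+", "_", description).strip("_").lower() or "log"
    name, n = base, 1
    while name in seen:
        n += 1
        name = f"{base}_{n}"
    seen.add(name)
    return name


def to_openssl_conf(log_list_json, states=("usable", "qualified", "readonly")):
    """Render logs whose state is in `states` (an assumed policy) as an OpenSSL CT log list."""
    seen, names, sections = set(), [], []
    for operator in json.loads(log_list_json).get("operators", []):
        for log in operator.get("logs", []):
            state = next(iter(log.get("state", {})), None)  # single-key object, e.g. "usable"
            if state not in states:
                continue  # skip retired, rejected, pending or stateless logs
            desc, key = log["description"], log["key"]
            if re.search(r"[\r\n]", desc):
                raise ValueError("line break in description would inject config lines")
            base64.b64decode(key, validate=True)  # raises on a malformed key
            name = section_name(desc, seen)
            names.append(name)
            sections.append(f"[{name}]\ndescription = {desc}\nkey = {key}\n")
    return "enabled_logs = " + ",".join(names) + "\n\n" + "\n".join(sections)


if __name__ == "__main__":
    print(to_openssl_conf(SAMPLE))
```
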