
More robust SCT creation for duplicate entries #886

Draft

phbnf wants to merge 2 commits into transparency-dev:main from phbnf:dedup-retrieve-entry

phbnf (Collaborator) commented Jun 26, 2026

Towards #884

phbnf added 2 commits June 26, 2026 09:28
… entry

When handling duplicate submissions, retrieve the full stored ctonly.Entry from log storage rather than only extracting the timestamp. Validate that IsPrecert, Certificate, and IssuerKeyHash match the submitted entry to guard against deduplication collisions or antispam driver errors. Once validated, reassign the submitted entry to the stored entry so that all inputs to SCT generation come coherently from storage. Optimize bundle extraction via ExtractEntryFromBundle by skipping over non-target tiles and ignoring extensions and fingerprints while preserving field documentation comments.

TAG=agy
CONV=50366255-7cb8-46d8-b354-53839f838955
…leaves

Update SCT generation so that signSCT accepts rfc6962.CertificateTimestamp directly rather than relying on intermediate data structures. For non-duplicate submissions and signing unit tests, derive the SCT signing input by generating the MerkleTreeLeaf via Tessera (entry.MerkleTreeLeaf) and unmarshalling it using ExtractCertificateTimestampFromLeaf. This guarantees 100% coherence between the data Tessera integrates into the Merkle tree and the data signed in the SCT while eliminating duplicated extension marshalling logic.

TAG=agy
CONV=50366255-7cb8-46d8-b354-53839f838955

phbnf force-pushed the dedup-retrieve-entry branch from 73d66a1 to 5500b24 on June 26, 2026 13:16
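
The duplicate check described in the first commit message, shown as an added Go example that is not code from this pull request or from the project. `Entry`, `parseLeaf` and `resolveDuplicate` are hypothetical names, and the stored record is assumed here to be an RFC 6962 v1 MerkleTreeLeaf rather than the log's own bundle format; the sample leaf is constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Entry is a hypothetical stand-in for a stored log entry (not ctonly.Entry).
type Entry struct {
	Timestamp                  uint64
	IsPrecert                  bool
	IssuerKeyHash, Certificate []byte // IssuerKeyHash is empty unless IsPrecert
}

// parseLeaf decodes an RFC 6962 v1 MerkleTreeLeaf; extensions are ignored.
func parseLeaf(b []byte) (Entry, error) {
	if len(b) < 12 || b[0] != 0 || b[1] != 0 || b[10] != 0 || b[11] > 1 {
		return Entry{}, fmt.Errorf("not a v1 timestamped_entry leaf")
	}
	off := 12 + 32*int(b[11]) // a precert_entry puts a 32-byte issuer_key_hash first
	if len(b) < off+3 {
		return Entry{}, fmt.Errorf("truncated leaf")
	}
	n := int(b[off])<<16 | int(b[off+1])<<8 | int(b[off+2]) // uint24 length prefix
	if len(b) < off+3+n {
		return Entry{}, fmt.Errorf("truncated certificate")
	}
	return Entry{binary.BigEndian.Uint64(b[2:10]), b[11] == 1, b[12:off], b[off+3 : off+3+n]}, nil
}

// resolveDuplicate returns the stored entry only if it matches the submission.
func resolveDuplicate(submitted Entry, storedLeaf []byte) (Entry, error) {
	stored, err := parseLeaf(storedLeaf)
	if err != nil {
		return Entry{}, err
	}
	if submitted.IsPrecert != stored.IsPrecert ||
		!bytes.Equal(submitted.Certificate, stored.Certificate) ||
		!bytes.Equal(submitted.IssuerKeyHash, stored.IssuerKeyHash) {
		return Entry{}, fmt.Errorf("stored entry does not match submission")
	}
	return stored, nil
}

func main() {
	leaf := []byte{0, 0, 0, 0, 0, 0, 0, 0, 4, 0xd2, 0, 0, 0, 0, 3, 'a', 'b', 'c', 0, 0} // constructed: x509_entry, timestamp 1234, cert "abc"
	fmt.Println(resolveDuplicate(Entry{Certificate: []byte("abc")}, leaf))
	fmt.Println(resolveDuplicate(Entry{Certificate: []byte("abd")}, leaf))
}
```

On a match the caller continues with the returned stored entry, so the timestamp and certificate bytes that go into the SCT are the ones the log actually holds.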