@phbnf (Collaborator) commented Dec 15, 2025

Towards #212

This PR makes it possible for TesseraCT to fetch roots from CCADB.

This PR does two things:

  • makes it possible to update roots on the fly
  • calls the ccadb library at startup and on a clock to fetch new roots

A follow-up PR will make it possible to save these roots.

@phbnf marked this pull request as ready for review December 15, 2025 17:34
@phbnf requested a review from a team as a code owner December 15, 2025 17:34

// CertPool returns the underlying CertPool.
func (p *PEMCertPool) CertPool() *lax509.CertPool {
p.mu.Lock()
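
Review bot: the doc comment on CertPool() says only that it returns the underlying pool, while the body takes p.mu.Lock(), which can cover the call itself but not what a caller does with the returned *lax509.CertPool afterwards. State in the comment whether callers may keep or read that pointer while roots are being updated, or return a copy made under the lock instead.
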
Collaborator


This looks like it might be dangerous - you've protected against concurrent updates to the underlying certPool, but when this func returns mu will be unlocked and there will be nothing stopping a call to AddCert() from modifying the underlying certPool.

If someone is using the pointer returned by CertPool at the same time this happens, (e.g. https://github.com/transparency-dev/tesseract/blob/main/internal/ct/chain_validation.go#L251-L266), then I think there's a risk of a panic caused by concurrent reads and writes of the two maps in lax509.CertPool (https://github.com/transparency-dev/tesseract/blob/main/internal/lax509/cert_pool.go#L187-L192)
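
The hazard raised in the review comment above, as an added example that is not code from the PR or from TesseraCT: `guardedRoots`, its methods and the constructed `root-N` entries are hypothetical stand-ins, not the `PEMCertPool` or `lax509.CertPool` API. It shows one way to keep readers off the live maps, by returning a copy made under the lock rather than the guarded pointer itself.

```go
package main

import (
	"fmt"
	"sync"
)

// guardedRoots is a hypothetical stand-in, not PEMCertPool or lax509.CertPool.
type guardedRoots struct {
	mu        sync.RWMutex
	bySubject map[string][]byte // constructed subject -> DER bytes
}

// Add inserts a root while holding the write lock.
func (g *guardedRoots) Add(subject string, der []byte) {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.bySubject[subject] = der
}

// Snapshot copies the map under the read lock; returning g.bySubject itself
// would hand callers an alias that no lock protects once this call returns.
func (g *guardedRoots) Snapshot() map[string][]byte {
	g.mu.RLock()
	defer g.mu.RUnlock()
	c := make(map[string][]byte, len(g.bySubject))
	for k, v := range g.bySubject {
		c[k] = v // DER slices are shared, which assumes they are never mutated
	}
	return c
}

// refreshWhileReading adds n roots while a reader looks up root-0 in snapshots
// and returns the reader's successful lookups plus the final pool size.
func refreshWhileReading(n int) (hits, size int) {
	g := &guardedRoots{bySubject: map[string][]byte{"root-0": {0x30}}}
	done := make(chan struct{})
	go func() {
		defer close(done)
		for i := 0; i < n; i++ {
			if _, ok := g.Snapshot()["root-0"]; ok {
				hits++
			}
		}
	}()
	for i := 1; i <= n; i++ {
		g.Add(fmt.Sprintf("root-%d", i), []byte{0x30})
	}
	<-done
	return hits, len(g.Snapshot())
}
func main() { fmt.Println(refreshWhileReading(1000)) }
```

The copy costs one map traversal per call; where that is too expensive, the same guarantee can come from running the reader's work inside a method that holds the read lock for its whole duration.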
