Python-based Precertificate Signed Certificate Timestamp decoder and lookup tool

05-15-2023




GitHub page: https://github.com/pkiscape/ct-decoder

This Python script decodes the Precertificate Signed Certificate Timestamps (SCTs) of a given X.509 certificate. An SCT is proof that a certificate has been logged in Certificate Transparency (CT), which means that its issuance was public. More information about this is noted here.

A publicly issued X.509 certificate, such as the one for pkiscape.com, contains SCTs embedded in the certificate. Here is an example of one.

Signed Certificate Timestamp:
    Version   : v1 (0x0)
    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
    Timestamp : Apr 30 19:05:22.870 2023 GMT
    Extensions: none
    Signature : ecdsa-with-SHA256
                30:44:02:20:0C:2A:BF:D2:B3:57:10:2F:91:0A:0C:44:
                79:9B:64:F5:D4:04:69:EE:81:73:A5:D6:C2:A7:42:1E:
                09:B5:54:31:02:20:1B:AF:DB:DF:DA:5B:FF:6D:39:44:
                E1:CA:29:BD:4E:A3:23:D0:63:B8:D5:92:C9:F8:04:5E:
                26:79:EF:80:9D:2C

The log ID identifies a CT logger. You can use the list here to identify which log the ID matches. However, it is important to note that the log ID in the SCT is in hexadecimal, while the log ID in the JSON file is in base64. In the Python script, I convert the base64 to hexadecimal: dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ= becomes 76ff883f0ab6fb9551c261ccf587ba34b4a4cdbb29dc68420a9fe6674c5a3a74.

This tool can be helpful if you would like to take the embedded SCTs and compare them to the JSON list of all CT loggers.
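
The lookup described above, as an added example (not code from the ct-decoder project): it pulls the wrapped Log ID out of SCT text like the sample shown and matches it against a log list whose IDs are base64. The log list entries, operator and log names, and function names are constructed for illustration, and the nested operators/logs layout is an assumption about the JSON file; only the first log_id value comes from the post.

```python
import base64
import re

# Constructed log list, assuming the JSON file nests logs under operators.
# Names are placeholders; the first log_id is the base64 value from the post.
SAMPLE_LOG_LIST = {"operators": [
    {"name": "Example Operator A", "logs": [
        {"description": "Example Log A",
         "log_id": "dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ="}]},
    {"name": "Example Operator B", "logs": [
        {"description": "Example Log B",
         "log_id": base64.b64encode(bytes(32)).decode()}]},
]}

# SCT text as shown in the post (signature lines omitted).
SAMPLE_SCT_TEXT = """\
Signed Certificate Timestamp:
    Version   : v1 (0x0)
    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
    Timestamp : Apr 30 19:05:22.870 2023 GMT
"""

def build_index(log_list):
    """Map lowercase hex log ID -> (operator name, log description)."""
    index = {}
    for op in log_list.get("operators", []):
        for log in op.get("logs", []):
            raw = base64.b64decode(log["log_id"], validate=True)
            if len(raw) != 32:  # a v1 log ID is a 32-byte SHA-256 value
                continue
            index[raw.hex()] = (op["name"], log["description"])
    return index

def extract_log_ids(sct_text):
    """Return each Log ID as lowercase hex, joining the wrapped second line."""
    pattern = r"Log ID\s*:\s*((?:[0-9A-Fa-f]{2}:?\s*){32})"
    return [re.sub(r"[^0-9A-Fa-f]", "", m.group(1)).lower()
            for m in re.finditer(pattern, sct_text)]

def lookup(sct_text, log_list):
    """Pair every Log ID in the text with its log list entry, or None."""
    index = build_index(log_list)
    return [(h, index.get(h)) for h in extract_log_ids(sct_text)]

if __name__ == "__main__":
    for hex_id, match in lookup(SAMPLE_SCT_TEXT, SAMPLE_LOG_LIST):
        print(hex_id, "->", match or "not in log list")
```

A Log ID that is absent from the list comes back paired with None, which is worth surfacing rather than dropping, since it means the list is stale or the log is not one you recognise.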