Skip to content

CTPolicy: always try to get SCTs from a tiled log first #8676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
beautifulentropy merged 2 commits into from
Mar 23, 2026
Merged

CTPolicy: always try to get SCTs from a tiled log first #8676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b9c88cb
CTPolicy: always try to get SCTs from a tiled log first
aarongable Mar 12, 2026
a78c324
Ensure one of each
aarongable Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion ctpolicy/ctpolicy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ func (ctp *CTPolicy) GetSCTs(ctx context.Context, cert core.CertDER, expiration
// Identify the set of candidate logs whose temporal interval includes this
// cert's expiry. Randomize the order of the logs so that we're not always
// trying to submit to the same two.
logs := ctp.sctLogs.ForTime(expiration).Permute()
logs := ctp.sctLogs.ForTime(expiration).Shuffle()
if len(logs) < 2 {
return nil, berrors.MissingSCTsError("Insufficient CT logs available (%d)", len(logs))
}
Expand Down
18 changes: 15 additions & 3 deletions ctpolicy/loglist/loglist.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,13 +226,25 @@ func (ll List) ForTime(expiry time.Time) List {
return res
}

// Permute returns a new log list containing the exact same logs, but in a
// randomly-shuffled order.
func (ll List) Permute() List {
// Shuffle returns a new log list containing the exact same logs, but in a
// nearly-randomly-shuffled order. If possible, it ensures that the first two
// logs consist of one tiled log and one non-tiled log, to boost the percentage
// of certs which include an SCT from a static log.
func (ll List) Shuffle() List {
res := slices.Clone(ll)
rand.Shuffle(len(res), func(i int, j int) {
res[i], res[j] = res[j], res[i]
})
if len(res) > 2 && res[0].Tiled == res[1].Tiled {
// If we have more than two logs, and both are either tiled or not,
// try to bring another log to the front of the list.
for i := 2; i < len(res); i++ {
if res[0].Tiled != res[i].Tiled {
res[0], res[i] = res[i], res[0]
break
}
}
}
return res
}

Expand Down
28 changes: 26 additions & 2 deletions ctpolicy/loglist/loglist_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,7 +160,7 @@ func TestForTime(t *testing.T) {
test.AssertDeepEquals(t, actual, expected)
}

func TestPermute(t *testing.T) {
func TestShuffle(t *testing.T) {
input := List{
Log{Name: "Log A1"},
Log{Name: "Log A2"},
Expand All @@ -176,7 +176,7 @@ func TestPermute(t *testing.T) {
}

for range 100 {
actual := input.Permute()
actual := input.Shuffle()
for index, log := range actual {
foundIndices[log.Name][index]++
}
Expand All @@ -191,6 +191,30 @@ func TestPermute(t *testing.T) {
}
}

func TestShufflePrefersTiled(t *testing.T) {
input := List{
Log{Name: "Log A1"},
Log{Name: "Log A2"},
Log{Name: "Log T1", Tiled: true},
}

foundIndices := make(map[string]map[int]int)
for _, log := range input {
foundIndices[log.Name] = make(map[int]int)
}

for range 100 {
actual := input.Shuffle()
for index, log := range actual {
foundIndices[log.Name][index]++
}
}

if foundIndices["Log T1"][2] != 0 {
t.Errorf("Tiled log should have always been pulled into first two indices")
}
}

func TestGetByID(t *testing.T) {
input := List{
Log{Name: "Log A1", Id: "ID A1"},
Expand Down
Loading