Hi,
My monitor's SCT feedback endpoint has received a certificate/SCT pair
(no idea who from - whoever it was deserves the credit!) with a valid
signature from WoSign's https://ctlog.wosign.com log that, at the time
of writing, has not been included in the log. The SCT has a timestamp of
2016-09-21 17:46:58, so it's well over a year old.
The SCT is for a precert entry, which makes verifying the signature a
bit of a pain, but it is indeed valid. The leaf_input_hash is:
FjB8ur40yIP8ixl2JegRSsdxodT8UUPs1mW5E9g4I4Y=
I've confirmed the signature validation and leaf_input_hash with two
separate implementations (my own, and a quick script I hacked on top of
the reference Go library), so I'm fairly sure that I haven't made a
mistake. The script also works on Aviator/Rocketeer SCTs for the same
certificate, which do have valid inclusion proofs :)
At the time of writing, fetching
https://ctlog.wosign.com/ct/v1/get-proof-by-hash?hash=FjB8ur40yIP8ixl2JegRSsdxodT8UUPs1mW5E9g4I4Y%3D&tree_size=7770737
returns a "couldn't find hash" error. My monitor also keeps a copy of
all entries locally, and none of them have a matching leaf_input_hash -
so I don't think it's merely a problem with the get-proof-by-hash
endpoint.
I've attached the certificate chain and the SCT (in binary format) to
this message. I've also attached the current STH in case the entry is
subsequently added to the log. This should be sufficient to reproduce
the steps I took above.
Graham
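
The check described in the message, sketched as an added example (not part of the original message, and not the poster's script or the reference Go library): serialize the RFC 6962 MerkleTreeLeaf for a precert entry, derive the leaf hash that get-proof-by-hash expects, and verify a returned audit path with the RFC 9162 procedure, which also applies to RFC 6962 trees. The function names and sample inputs are assumptions; the caller is assumed to supply the issuer's SubjectPublicKeyInfo and the precertificate's TBSCertificate with the poison extension removed.

```python
import base64, hashlib, struct
from urllib.parse import urlencode

def precert_leaf(timestamp_ms, issuer_spki_der, tbs_der, extensions=b""):
    """RFC 6962 MerkleTreeLeaf for a precert_entry. tbs_der is the precert's
    TBSCertificate with the poison extension already removed (caller's job)."""
    return (b"\x00"                                      # version: v1
            + b"\x00"                                    # leaf_type: timestamped_entry
            + struct.pack(">Q", timestamp_ms)            # SCT timestamp, ms since epoch
            + struct.pack(">H", 1)                       # entry_type: precert_entry
            + hashlib.sha256(issuer_spki_der).digest()   # issuer_key_hash
            + len(tbs_der).to_bytes(3, "big") + tbs_der  # 24-bit length prefix
            + struct.pack(">H", len(extensions)) + extensions)

def leaf_hash(leaf):
    """Merkle leaf hash: SHA-256 over a 0x00 prefix plus the serialized leaf."""
    return hashlib.sha256(b"\x00" + leaf).digest()

def proof_url(log_url, leaf_hash_bytes, tree_size):
    """get-proof-by-hash query for a leaf hash at a given tree size."""
    query = urlencode({"hash": base64.b64encode(leaf_hash_bytes).decode(),
                       "tree_size": tree_size})
    return f"{log_url}/ct/v1/get-proof-by-hash?{query}"

def verify_inclusion(leaf_hash_bytes, leaf_index, tree_size, audit_path, root_hash):
    """Recompute the tree root from an audit path and compare it to the STH root."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash_bytes
    for p in audit_path:
        if sn == 0:
            return False                  # path is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = hashlib.sha256(b"\x01" + p + r).digest()
            while fn and not fn & 1:      # skip levels where this node had no sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hashlib.sha256(b"\x01" + r + p).digest()
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root_hash

if __name__ == "__main__":
    # Constructed placeholder inputs, not the certificate attached to the message.
    leaf = precert_leaf(1474480018000, b"constructed issuer SPKI", b"constructed TBS")
    print(proof_url("https://ctlog.wosign.com", leaf_hash(leaf), 7770737))
```

A log that answers this query with a "couldn't find hash" error for a correctly computed leaf hash, long after the SCT timestamp, has not incorporated the entry it signed for.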