├── .github
│   └── workflows
│       └── run-ct-honeybee.yml
├── README.md
├── COPYING
└── ct-honeybee

/.github/workflows/run-ct-honeybee.yml:
--------------------------------------------------------------------------------
```yaml
name: Run ct-honeybee
permissions:
  contents: read
on:
  workflow_dispatch:
  schedule:
    - cron: '41 * * * *'
jobs:
  run-ct-honeybee:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Run ct-honeybee script
        run: ./ct-honeybee
```
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Certificate Transparency Honeybee

The Certificate Transparency Honeybee (ct-honeybee) is a lightweight program that retrieves signed tree heads (STHs) from Certificate Transparency logs and uploads them to auditors.

You can help uphold the integrity of the Certificate Transparency ecosystem by running ct-honeybee on your workstation/server/toaster every hour or so (pick a random minute so that not everyone runs ct-honeybee at the same time). Running ct-honeybee from many different Internet vantage points increases the likelihood of detecting a misbehaving log which has presented a different view of the log to different clients.


## Installation

Python 3 is required.

Install ct-honeybee and put it in a cron job to run once an hour or so (pick a random minute so that not everyone runs ct-honeybee at the same time).

ct-honeybee is stateless and won't write to your filesystem.


## Logs

ct-honeybee retrieves the list of logs from `loglist.certspotter.org`, which is operated by SSLMate. At a minimum, the log list contains every log that is considered Qualified, Usable, or ReadOnly by Chrome or Apple. ct-honeybee supports both RFC6962 and static-ct-api logs.


## Auditors

ct-honeybee uploads STHs to the following auditors:

* `certspotter.com` (operated by SSLMate)

If you run an auditor that implements the sth-pollination endpoint described in Section 8.2 of draft-ietf-trans-gossip-00, please get in touch at and we will add you to ct-honeybee.


## Technical Operation

1. Retrieve the log list.

2. For each RFC6962 log: fetch the latest STH and add it to the list of STHs. For simplicity, signatures are not checked; we leave this job to the auditors.

3. For each static-ct-api log: fetch the latest checkpoint, convert it to an RFC6962 STH, and add it to the list of STHs. For simplicity, signatures are not checked; we leave this job to the auditors.

4. Shuffle the list of auditors.

5. For each auditor: upload the list of STHs to the auditor using the protocol described in Section 8.2 of draft-ietf-trans-gossip-00. Add each returned STH to the list of STHs so they get pollinated to subsequent auditors. Since we shuffle the list of auditors, we will pollinate in a different order each time ct-honeybee is run.


## Legalese

Written in 2017-2025 by Opsmate, Inc. d/b/a SSLMate

To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see .
--------------------------------------------------------------------------------

/COPYING:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c.
    Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.
--------------------------------------------------------------------------------

/ct-honeybee:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python3

#
# The Certificate Transparency Honeybee (ct-honeybee) is a lightweight
# program that retrieves signed tree heads (STHs) from Certificate
# Transparency logs and uploads them to auditors.
#
# You can help strengthen the integrity of the Certificate Transparency
# ecosystem by running ct-honeybee on your workstation/server/toaster every
# hour or so (pick a random minute so that not everyone runs ct-honeybee
# at the same time). Running ct-honeybee from many different Internet
# vantage points increases the likelihood of detecting a misbehaving log
# which has presented a different view of the log to different clients.
#
# Written in 2017 by Opsmate, Inc. d/b/a SSLMate
#
# To the extent possible under law, the author(s) have dedicated all
# copyright and related and neighboring rights to this software to the
# public domain worldwide. This software is distributed without any
# warranty.
#
# You should have received a copy of the CC0 Public
# Domain Dedication along with this software. If not, see
# .
#

import base64
import hashlib
import json
import random
import re
import socket
import ssl
import struct
import sys
import time
import urllib.request

version = "2025-08-07"

log_lists = [
    "https://loglist.certspotter.org/honeybee.json",
]

auditors = [
    "certspotter.com",
]

user_agent = "ct-honeybee/" + version + " (+https://github.com/SSLMate/ct-honeybee/)"
log_list_timeout = 60
log_timeout = 15
auditor_timeout = 60

time_format = '%Y-%m-%d %H:%M:%S %z'
base64_re = re.compile('^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$')

def is_base64(obj):
    return isinstance(obj, str) and base64_re.search(obj) is not None

# Structural check of an STH as exchanged with auditors. Only field
# presence and types are checked; signatures are left to the auditors.
def is_sth(obj):
    return isinstance(obj, dict) \
        and "sth_version" in obj and isinstance(obj["sth_version"], int) \
        and "tree_size" in obj and isinstance(obj["tree_size"], int) \
        and "timestamp" in obj and isinstance(obj["timestamp"], int) \
        and "sha256_root_hash" in obj and is_base64(obj["sha256_root_hash"]) \
        and "tree_head_signature" in obj and is_base64(obj["tree_head_signature"]) \
        and "log_id" in obj and is_base64(obj["log_id"])

# Structural check of an sth-pollination response body.
def is_pollen(obj):
    return isinstance(obj, dict) \
        and "sths" in obj and isinstance(obj["sths"], list)

# Only STHs for logs in the retrieved log list are accepted back from
# auditors, so an auditor cannot inject STHs for arbitrary log IDs.
def is_known_log(arg):
    for _, log_id in logs:
        if arg == log_id:
            return True
    for _, log_id in tiled_logs:
        if arg == log_id:
            return True
    return False

def is_same_sth(a, b):
    return a["log_id"] == b["log_id"] \
        and a["tree_size"] == b["tree_size"] \
        and a["timestamp"] == b["timestamp"] \
        and a["sha256_root_hash"] == b["sha256_root_hash"]

def has_sth(sths, target_sth):
    return any(sth for sth in sths if is_same_sth(sth, target_sth))

# Split one newline-terminated line off a byte buffer. Returns
# (line, remainder, found); found is False when no newline is left.
def chomp_line(data):
    idx = data.find(b'\n')
    if idx == -1:
        return "", b"", False
    return data[:idx].decode('utf-8'), data[idx+1:], True

# Key ID used in static-ct-api checkpoint signature lines: the first
# four bytes of SHA-256(origin || "\n" || 0x05 || log_id).
def make_checkpoint_key_id(origin, log_id):
    h = hashlib.sha256()
    h.update(origin.encode('utf-8'))
    h.update(b'\n\x05')
    h.update(log_id)
    return h.digest()[:4]

# Convert a static-ct-api checkpoint (a signed note: origin, tree size,
# root hash, optional extension lines, blank line, signature lines) into
# an RFC 6962-style STH dict. The log's signature line is located by its
# key ID; its body is the 8-byte timestamp followed by the signature.
def parse_checkpoint(data, log_id):
    origin, data, _ = chomp_line(data)
    size_line, data, _ = chomp_line(data)
    try:
        tree_size = int(size_line)
    except ValueError as e:
        raise ValueError(f"malformed tree size: {e}") from e
    root_hash, data, _ = chomp_line(data)
    while True:
        line, rest, ok = chomp_line(data)
        if not ok:
            raise ValueError("signed note ended prematurely")
        data = rest
        if line == "":
            break
    signature_prefix = f"\u2014 {origin} "
    key_id = make_checkpoint_key_id(origin, log_id)
    while True:
        signature_line, rest, ok = chomp_line(data)
        if not ok:
            raise ValueError("signed note is missing signature from the log")
        data = rest
        if not signature_line.startswith(signature_prefix):
            continue
        try:
            sig_bytes = base64.b64decode(signature_line[len(signature_prefix):])
        except Exception as e:
            raise ValueError(f"malformed signature: {e}") from e
        if not sig_bytes.startswith(key_id):
            continue
        if len(sig_bytes) < 12:
            raise ValueError("malformed signature: too short")
        timestamp = struct.unpack(">Q", sig_bytes[4:12])[0]
        signature = sig_bytes[12:]
        return {
            "tree_size": tree_size,
            "timestamp": timestamp,
            "sha256_root_hash": root_hash,
            "tree_head_signature": base64.b64encode(signature).decode('utf-8'),
            "log_id": base64.b64encode(log_id).decode('utf-8'),
            "sth_version": 0,
        }

pollen = { "sths": [] }
logs = []
tiled_logs = []

for log_list_url in log_lists:
    try:
        req = urllib.request.Request(log_list_url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=log_list_timeout) as response:
            log_list = json.loads(response.read().decode("utf-8"))
        for operator in log_list["operators"]:
            for log in operator["logs"]:
                logs.append([ log["url"], log["log_id"] ])
            for log in operator["tiled_logs"]:
                tiled_logs.append([ log["monitoring_url"], log["log_id"] ])
    except Exception as err:
        print("[%s] ct-honeybee: log list error: %s: %s: %s" % (time.strftime(time_format), log_list_url, type(err).__name__, err), file=sys.stderr)

# Disable certificate validation. Unfortunately, there is no guarantee
# that logs use a certificate from a widely-trusted CA. Fortunately,
# all responses are signed by logs and verified by auditors, so there
# is technically no need for certificate validation.
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

for log_url, log_id in logs:
    try:
        req = urllib.request.Request(log_url + "ct/v1/get-sth",
                                     data=None, headers={"User-Agent": ""})
        with urllib.request.urlopen(req, timeout=log_timeout) as response:
            sth = json.loads(response.read().decode("utf-8"))
        if isinstance(sth, dict):
            sth["sth_version"] = 0
            sth["log_id"] = log_id
            if is_sth(sth):
                pollen["sths"].append(sth)
    except Exception as err:
        print("[%s] ct-honeybee: Log error: %s: %s: %s" % (time.strftime(time_format), log_url, type(err).__name__, err), file=sys.stderr)

for log_url, log_id in tiled_logs:
    try:
        req = urllib.request.Request(log_url + "checkpoint",
                                     data=None, headers={"User-Agent": ""})
        with urllib.request.urlopen(req, timeout=log_timeout) as response:
            sth = parse_checkpoint(response.read(), base64.b64decode(log_id))
        pollen["sths"].append(sth)
    except Exception as err:
        print("[%s] ct-honeybee: Log error: %s: %s: %s" % (time.strftime(time_format), log_url, type(err).__name__, err), file=sys.stderr)

random.shuffle(auditors)

for auditor_domain in auditors:
    try:
        req = urllib.request.Request("https://" + auditor_domain + "/.well-known/ct/v1/sth-pollination",
                                     data=json.dumps(pollen).encode("utf8"),
                                     headers={"Content-Type": "application/json", "User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=auditor_timeout) as response:
            more_pollen = json.loads(response.read().decode("utf-8"))
        if is_pollen(more_pollen):
            for sth in more_pollen["sths"]:
                if is_sth(sth) and is_known_log(sth["log_id"]) and not has_sth(pollen["sths"], sth):
                    pollen["sths"].append(sth)
    except Exception as err:
        print("[%s] ct-honeybee: Auditor error: %s: %s: %s" % (time.strftime(time_format), auditor_domain, type(err).__name__, err), file=sys.stderr)

#print(json.dumps(pollen))
```
--------------------------------------------------------------------------------
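The pollination procedure in the README's Technical Operation section only collects and forwards STHs; the comparison that actually catches a misbehaving log happens at the auditor. The block below is an added example, not part of ct-honeybee or of SSLMate's auditor code, of the two checks an auditor can run over pollen gathered from several vantage points: two STHs from the same log with the same `tree_size` but different root hashes (a split view, since a Merkle tree of a given size has exactly one root), and an STH for a larger tree that carries an earlier timestamp than an STH for a smaller tree from the same log (a log only grows, so it cannot have signed the bigger tree first). The STH records, log IDs, root hashes and signature bytes are constructed placeholders, and the function names are my own.

```python
import base64
from collections import defaultdict
from itertools import groupby


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed log IDs (placeholders, not real CT log IDs).
LOG_A = _b64(b"\x01" * 32)
LOG_B = _b64(b"\x02" * 32)


def make_sth(log_id, tree_size, timestamp, root):
    # Same field set ct-honeybee collects; the signature is a placeholder
    # DigitallySigned blob (sha256/ecdsa, zero-length signature).
    return {
        "sth_version": 0,
        "tree_size": tree_size,
        "timestamp": timestamp,
        "sha256_root_hash": _b64(root),
        "tree_head_signature": _b64(b"\x04\x03\x00\x00"),
        "log_id": log_id,
    }


# Constructed pollen as it might arrive from several honeybees.
SAMPLE_STHS = [
    make_sth(LOG_A, 1000, 1_700_000_000_000, b"\xaa" * 32),  # vantage point 1
    make_sth(LOG_A, 1000, 1_700_000_000_000, b"\xaa" * 32),  # vantage point 2, identical
    make_sth(LOG_A, 1000, 1_700_000_005_000, b"\xbb" * 32),  # same size, other root
    make_sth(LOG_B,  500, 1_700_000_100_000, b"\xcc" * 32),
    make_sth(LOG_B,  600, 1_700_000_050_000, b"\xdd" * 32),  # bigger tree, earlier time
]


def find_split_views(sths):
    """(log_id, tree_size) pairs for which more than one root hash was seen."""
    roots = defaultdict(set)
    for s in sths:
        roots[(s["log_id"], s["tree_size"])].add(s["sha256_root_hash"])
    return sorted(key for key, seen in roots.items() if len(seen) > 1)


def find_time_travel(sths):
    """(log_id, tree_size) pairs whose timestamp precedes that of a smaller tree."""
    by_log = defaultdict(list)
    for s in sths:
        by_log[s["log_id"]].append((s["tree_size"], s["timestamp"]))
    findings = []
    for log_id, pairs in sorted(by_log.items()):
        latest_smaller = -1  # newest timestamp seen for any strictly smaller tree
        for size, grp in groupby(sorted(pairs), key=lambda p: p[0]):
            stamps = [ts for _, ts in grp]
            if min(stamps) < latest_smaller:
                findings.append((log_id, size))
            latest_smaller = max(latest_smaller, *stamps)
    return findings


def audit(sths):
    return {
        "split_views": find_split_views(sths),
        "time_travel": find_time_travel(sths),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_STHS))
```

Both checks are purely structural and deliberately ignore signatures, matching the honeybee's own trust split: a forged STH that fails signature verification at the auditor would be discarded before these comparisons, while a correctly signed but inconsistent pair is exactly the evidence of misbehaviour that distributed vantage points exist to surface.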
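Steps 2 and 3 of the README state that ct-honeybee does not check STH signatures and leaves that to the auditors. The block below is an added example, not the project's code, of the library-free half of that check: rebuilding the RFC 6962 TreeHeadSignature input (version, signature type `tree_hash`, timestamp, tree size, root hash) from an STH dict in the shape the script collects, and decoding the TLS `DigitallySigned` structure carried in `tree_head_signature`. For a static-ct-api log this is the same blob the script's `parse_checkpoint` stores after stripping the 4-byte key ID and the 8-byte timestamp, so the decoder applies to both log types. The sample STH, its root hash and its signature bytes are constructed placeholders; the final ECDSA or RSA verification against the log's public key needs a crypto library and is outside this block.

```python
import base64
import struct

# Constructed STH with placeholder root hash and signature bytes
# (sha256/ecdsa DigitallySigned with a 2-byte dummy signature body).
SAMPLE_STH = {
    "sth_version": 0,
    "tree_size": 12345,
    "timestamp": 1_700_000_000_000,
    "sha256_root_hash": base64.b64encode(b"\xab" * 32).decode("ascii"),
    "tree_head_signature": base64.b64encode(b"\x04\x03\x00\x02\x30\x00").decode("ascii"),
    "log_id": base64.b64encode(b"\x01" * 32).decode("ascii"),
}

# RFC 5246 section 7.4.1.4.1 enum values used by RFC 6962 DigitallySigned.
HASH_ALGORITHMS = {4: "sha256"}
SIGNATURE_ALGORITHMS = {1: "rsa", 3: "ecdsa"}
TREE_HASH_SIGNATURE_TYPE = 1


def tree_head_tbs(sth):
    """Serialise the RFC 6962 section 3.5 TreeHeadSignature input.

    struct { Version version; SignatureType signature_type = tree_hash;
             uint64 timestamp; uint64 tree_size; opaque sha256_root_hash[32]; }
    """
    root = base64.b64decode(sth["sha256_root_hash"])
    if len(root) != 32:
        raise ValueError("sha256_root_hash must decode to 32 bytes")
    header = struct.pack(">BBQQ", sth["sth_version"], TREE_HASH_SIGNATURE_TYPE,
                         sth["timestamp"], sth["tree_size"])
    return header + root


def parse_digitally_signed(blob):
    """Decode a TLS DigitallySigned: hash alg (1), sig alg (1), uint16 length, body."""
    if len(blob) < 4:
        raise ValueError("DigitallySigned too short")
    hash_alg, sig_alg, length = struct.unpack(">BBH", blob[:4])
    if len(blob) != 4 + length:
        raise ValueError("signature body does not match declared length")
    return {
        "hash": HASH_ALGORITHMS.get(hash_alg, hash_alg),
        "signature_algorithm": SIGNATURE_ALGORITHMS.get(sig_alg, sig_alg),
        "signature": blob[4:],
    }


def prepare_for_verification(sth):
    """Return (to_be_signed, algorithm, raw_signature) for a crypto library to verify."""
    ds = parse_digitally_signed(base64.b64decode(sth["tree_head_signature"]))
    if ds["hash"] != "sha256" or ds["signature_algorithm"] not in ("ecdsa", "rsa"):
        raise ValueError("unsupported algorithm pair: %r/%r"
                         % (ds["hash"], ds["signature_algorithm"]))
    return tree_head_tbs(sth), ds["signature_algorithm"], ds["signature"]


if __name__ == "__main__":
    tbs, alg, sig = prepare_for_verification(SAMPLE_STH)
    print(len(tbs), "bytes to be signed;", alg, "signature of", len(sig), "bytes")
```

The length check in `parse_digitally_signed` is the part worth keeping in mind: trailing bytes after the declared signature body, or a body shorter than declared, should be rejected rather than silently tolerated, because an auditor comparing STHs from different honeybees wants a single canonical encoding per signed tree head.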