CCADB CSV report archive and Go parsing library.
The following CCADB CSV Reports are included in this repository:
-
AllCertificatePEMsCSVFormat_NotBeforeYear_YYYY, where YYYY is every year since 1994. -
AllCertificateRecordsCSVFormatV5.
The latest versions of the upstream CSV reports are fetched hourly by a GitHub Action. Any changes are automatically committed. If one or more CA certificates is newly disclosed to CCADB, a Release is tagged using a Scalable Calendar Versioning format (v1.YYYYMMDD.HHMMSS).
The parsing library provides lookup functions that assist:
- ctlint with verifying CT SCTs.
- ctsubmit with automatic certificate chain discovery and issuer identification.
- pkimetal with detecting certificate profiles.
Returns the CCADB-reported capabilities for a CA certificate identified by its SHA-256 fingerprint. The returned struct includes CertificateRecordType, TlsCapable, TlsEvCapable, SmimeCapable, CodeSigningCapable, and HasVMCAudit.
Loads the DER-encoded bytes for all CA certificates from the embedded PEM CSV data files. Must be called before using GetCACertificateBySHA256.
Returns the DER-encoded certificate bytes for the CA certificate identified by its SHA-256 fingerprint. Requires LoadAllCACertificates to have been called first. Used by ctsubmit for automatic certificate chain discovery.
Returns the merged capabilities across all CA certificates that share the given Base64-encoded Subject Key Identifier.
Returns the SHA-256 hash of the SubjectPublicKeyInfo for the issuer identified by the given Base64-encoded Subject Key Identifier. Used by ctsubmit and ctlint to verify CT SCTs.
For full documentation, see here.
-
The ski_spki tool produces ski_spkisha256.csv, which maps Subject Key Identifiers to the corresponding SHA-256(SubjectPublicKeyInfo) hashes needed for verifying CT SCTs.
-
The url_check tool performs a basic liveness check on URLs found in AllCertificateRecordsCSVFormatV5.