ct-fetch is failing to sync logs that contain a malformed certificate #265

Closed
jschanck opened this issue Oct 4, 2022 · 0 comments · Fixed by #268
jschanck commented Oct 4, 2022

Some CT logs include a certificate that our parser rejects as malformed, even though we use the lax certificate-transparency-go/x509 parser. In particular, we're not able to sync logs that include https://crt.sh/?id=6039677462&opt=zlint, which has a non-zero padding bit in its keyUsage extension (03 02 01 81 instead of 03 02 01 80 or even better 03 02 07 80).

I have a patch on certificate-transparency-go which we could use in the short term. Ideally they'll take it upstream.

Steps to reproduce

  1. Create config.ini with contents
ctLogMetadata='[{ "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXu8iQwSCRSf2CbITGpUpBtFVt8+I0IU0d1C36Lfe1+fbwdaI0Z5FktfM2fBoI1bXBd18k2ggKGYGgdZBgLKTg==", "mmd": 86400, "url": "https://nessie2023.ct.digicert.com/log/", "logID": "s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=", "description": "DigiCert Nessie2023 Log", "crlite_enrolled": true }]'
  2. Start a redis instance
docker run -p 6379:7000 redis:4 --port 7000
  3. Tweak the log's redis entry so we start downloading at the bad index
$ redis-cli
127.0.0.1:6379> set log::nessie2023.ct.digicert.com/log "{\"LogID\":\"s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=\",\"MMD\":86400,\"ShortURL\":\"nessie2023.ct.digicert.com/log\",\"MinEntry\":0,\"MaxEntry\":10532120,\"MinTimestamp\":0,\"MaxTimestamp\":0,\"LastUpdateTime\":\"2022-10-04T11:58:46.220299413-07:00\"}"
  4. Run ct-fetch
$ ct-fetch -config ./config.ini  -logtostderr
        I1004 12:01:35.658996  157486 config.go:168] Loaded config file from ./config.ini
        I1004 12:01:35.660379  157486 engine.go:67] ct-fetch is starting. Local statistics will emit every: 10m0s
        I1004 12:01:35.660447  157486 ct-fetch.go:305] Starting 1 threads...
        I1004 12:01:35.660491  157486 ct-fetch.go:386] Thread health status period: 15s + 11262 = 26.262s
        I1004 12:01:35.660535  157486 ct-fetch.go:1010] [https://nessie2023.ct.digicert.com/log/] Starting download.
        I1004 12:01:35.661183  157486 ct-fetch.go:480] [https://nessie2023.ct.digicert.com/log/] Fetching signed tree head... 
        I1004 12:01:36.304637  157486 ct-fetch.go:483] [https://nessie2023.ct.digicert.com/log/] 113699410 total entries as of Mon Oct  3 23:57:32 2022
        I1004 12:01:36.304664  157486 ct-fetch.go:555] [https://nessie2023.ct.digicert.com/log/] Running Update job 10532121 10536216
        I1004 12:01:36.304670  157486 ct-fetch.go:580] [https://nessie2023.ct.digicert.com/log/] Downloading entries 10532121 through 10536216
        W1004 12:01:36.824374  157486 ct-fetch.go:790] Erroneous certificate: log=https://nessie2023.ct.digicert.com/log/ index=10532121 err=failed to parse certificate: asn1: syntax error: invalid padding bits in BIT STRING
        E1004 12:01:36.824425  157486 ct-fetch.go:673] [https://nessie2023.ct.digicert.com/log/] downloadCTRangeToChannel could not verify entries 10532121-10532121: CtLogSubtreeVerifier: Consumed 0 leaves but needed 1.
        E1004 12:01:36.824435  157486 ct-fetch.go:332] [https://nessie2023.ct.digicert.com/log/] Could not sync log: CtLogSubtreeVerifier: Consumed 0 leaves but needed 1.
        I1004 12:01:36.824463  157486 ct-fetch.go:375] Waiting on database writes to complete: 0 remaining
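The padding-bit rule that produces the "invalid padding bits in BIT STRING" error above, shown as an added Go example; this is not code from ct-fetch, certificate-transparency-go, or the patch mentioned in the issue. The three byte strings are constructed to match the encodings named in the report (03 02 01 81, 03 02 01 80, 03 02 07 80) rather than extracted from the crt.sh certificate; StrictParse uses the standard library's encoding/asn1, while LaxParse, IsMinimalDER and KeyUsage are illustrative helpers with names chosen here. LaxParse shows one lax strategy (mask the padding bits to zero and report that a repair happened), and IsMinimalDER shows why 03 02 07 80 is the preferable DER form for a named bit list.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// Constructed sample encodings of a keyUsage BIT STRING value. They match the
// byte shapes discussed in the issue but are not taken from any real certificate.
var (
	// Rejected by Go's encoding/asn1: 1 padding bit declared, but the low
	// (padding) bit of 0x81 is set.
	BadPadding = []byte{0x03, 0x02, 0x01, 0x81}
	// Valid BER/DER: 1 padding bit, and the padding bit is zero. Not minimal
	// for a named bit list, since six unused trailing bits are encoded as zeros.
	ZeroPadding = []byte{0x03, 0x02, 0x01, 0x80}
	// Minimal DER: 7 padding bits, only digitalSignature (bit 0) is encoded.
	MinimalDER = []byte{0x03, 0x02, 0x07, 0x80}
)

// keyUsageNames maps RFC 5280 KeyUsage bit positions to their names.
var keyUsageNames = []string{
	"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
	"keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
}

// StrictParse decodes the BIT STRING with the standard library, which enforces
// the X.690 rule that unused (padding) bits must be zero.
func StrictParse(der []byte) (asn1.BitString, error) {
	var bs asn1.BitString
	rest, err := asn1.Unmarshal(der, &bs)
	if err != nil {
		return asn1.BitString{}, err
	}
	if len(rest) != 0 {
		return asn1.BitString{}, errors.New("trailing bytes after BIT STRING")
	}
	return bs, nil
}

// LaxParse (illustrative helper) hand-decodes a short-form BIT STRING and, instead
// of rejecting a non-zero padding bit, masks the padding bits to zero. It reports
// whether it had to, so a caller can log or count the malformed encoding.
func LaxParse(der []byte) (bs asn1.BitString, repaired bool, err error) {
	if len(der) < 3 || der[0] != 0x03 {
		return bs, false, errors.New("not a BIT STRING")
	}
	length := int(der[1])
	if length >= 0x80 || len(der) != 2+length {
		return bs, false, errors.New("unsupported (long-form) or inconsistent length")
	}
	content := der[2:]
	pad := int(content[0])
	bits := append([]byte(nil), content[1:]...)
	if pad > 7 || (len(bits) == 0 && pad != 0) {
		return bs, false, errors.New("invalid padding count")
	}
	if len(bits) > 0 {
		mask := byte(0xff) << uint(pad) // keeps the used bits, clears the padding bits
		last := &bits[len(bits)-1]
		if *last&^mask != 0 {
			*last &= mask
			repaired = true
		}
	}
	return asn1.BitString{Bytes: bits, BitLength: len(bits)*8 - pad}, repaired, nil
}

// IsMinimalDER reports whether a named-bit-list BIT STRING omits trailing zero
// bits, as DER requires: the last encoded bit must be 1 (or the string is empty).
func IsMinimalDER(bs asn1.BitString) bool {
	return bs.BitLength == 0 || bs.At(bs.BitLength-1) == 1
}

// KeyUsage lists the names of the KeyUsage bits that are set.
func KeyUsage(bs asn1.BitString) []string {
	var out []string
	for i, name := range keyUsageNames {
		if bs.At(i) == 1 {
			out = append(out, name)
		}
	}
	return out
}

func main() {
	for _, der := range [][]byte{BadPadding, ZeroPadding, MinimalDER} {
		_, strictErr := StrictParse(der)
		bs, repaired, laxErr := LaxParse(der)
		fmt.Printf("% x\n  strict: err=%v\n  lax: usage=%v repaired=%v minimalDER=%v err=%v\n",
			der, strictErr, KeyUsage(bs), repaired, IsMinimalDER(bs), laxErr)
	}
}
```

Running it shows that all three encodings carry the same effective key usage (digitalSignature only); the strict parser rejects the first outright, and the lax path accepts it while flagging that a padding bit was cleared, which is the kind of counter a log-ingestion tool would want to expose rather than silently swallow.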