feat: add Certificate Transparency (SCT) checking to connect command

## Summary

Add Certificate Transparency verification to `certkit connect`. Currently, certkit does not check SCT (Signed Certificate Timestamp) validity — only chain verification, OCSP, and CRL.

## Background

Observed while testing against `invalid-expected-sct.badssl.com`: Chrome reports `net::ERR_CERT_AUTHORITY_INVALID` and flags the SCT as "from unknown log". certkit correctly identifies the untrusted intermediate but has no CT awareness.

## Scope

- Parse SCTs embedded in the certificate (X.509v3 extension)
- Parse SCTs delivered via TLS extension (ServerHello)
- Validate SCTs against known CT logs (Google, Cloudflare, etc.)
- Add diagnostics for missing/invalid SCTs
- Add CT fields to `--json` output

## References

- [RFC 6962 - Certificate Transparency](https://www.rfc-editor.org/rfc/rfc6962)
- [Chrome CT Policy](https://googlechrome.github.io/CertificateTransparency/ct_policy.html)
- badssl test endpoint: `invalid-expected-sct.badssl.com`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add Certificate Transparency (SCT) checking to connect command #83

Summary

Background

Scope

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

feat: add Certificate Transparency (SCT) checking to connect command #83

Description

Summary

Background

Scope

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions