Refuse the +sct +issuer +ctlog flags when fetching hash tiles
This commit is contained in:
10
README.md
10
README.md
@@ -62,6 +62,16 @@ Data tile from a local file (with issuer resolution):
|
||||
ctfetch --monitoring-url https://halloumi2026h1.mon.ct.ipng.ch tile.bin +issuer
|
||||
```
|
||||
|
||||
## Hash tiles vs data tiles
|
||||
|
||||
A Static CT log stores two kinds of tiles:
|
||||
|
||||
**Data tiles** (`/tile/data/...`) contain the actual log entries — DER-encoded certificates and precertificates along with their metadata (leaf index, timestamp, chain fingerprints, etc.). These are what `ctfetch` parses into structured JSON. The output modifiers `+sct`, `+issuer`, and `+ctlog` all operate on data tiles.
|
||||
|
||||
**Hash tiles** (`/tile/N/...`, where N is a tree level ≥ 0) contain the internal nodes of the Merkle tree — rows of raw 32-byte SHA-256 hashes used for inclusion and consistency proofs. There are no certificates in a hash tile; `ctfetch` outputs only the list of hashes. Using `+sct`, `+issuer`, or `+ctlog` with a hash tile is an error.
|
||||
|
||||
The tree is organised so that level 0 hashes cover individual leaves (each is `SHA-256(0x00 || MerkleTreeLeaf)`), and each higher level hashes pairs of nodes from the level below. The tile URL encodes the level: `/tile/0/...` is level 0, `/tile/1/...` is level 1, and so on.
|
||||
|
||||
## Output modifiers
|
||||
|
||||
| Modifier | Description |
|
||||
|
||||
Reference in New Issue
Block a user