# ctfetch Fetch and decode entries from a Static CT log, outputting structured JSON. ## Modes `ctool fetch` operates in two modes depending on the arguments given. ### Leaf-index mode Fetch the entry at a specific leaf index: ```bash ctool fetch [flags] [+sct] [+issuer] [+ctlog] [+all] ``` Examples: ```bash ctool fetch https://halloumi2026h1.mon.ct.ipng.ch 629794635 ctool fetch https://halloumi2026h1.mon.ct.ipng.ch 629794635 +all ``` ### Tile-dump mode Fetch all entries from a tile URL or local file. Automatically detects data tiles (log entries) and hash tiles (Merkle tree hashes). ```bash ctool fetch [flags] [+sct] [+issuer] [+ctlog] [+all] ``` Examples: ```bash ctool fetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135 ctool fetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135 +sct +ctlog ctool fetch https://halloumi2026h1.mon.ct.ipng.ch/tile/0/x100/999 ctool fetch --monitoring-url https://halloumi2026h1.mon.ct.ipng.ch tile.bin +issuer ``` ## Output modifiers | Modifier | Description | |---|---| | `+sct` | Parse embedded Signed Certificate Timestamps from final (non-precert) certificates | | `+issuer` | Fetch issuer certificate details from the log's `/issuer/` endpoint | | `+ctlog` | Look up each SCT's log ID in the CT log list and include operator/state details | | `+all` | Enable all of `+sct`, `+issuer`, and `+ctlog` | ## Flags | Flag | Default | Description | |---|---|---| | `--logs-list-url` | `https://www.gstatic.com/ct/log_list/v3/all_logs_list.json` | CT log list URL for `+ctlog` lookups | | `--monitoring-url` | _(none)_ | Log root URL for issuer lookups when input is a local file | ## Hash tiles vs data tiles **Data tiles** (`/tile/data/...`) contain DER-encoded certificates and precertificates with metadata (leaf index, timestamp, chain fingerprints). Output modifiers `+sct`, `+issuer`, `+ctlog`, and `+all` only apply here. **Hash tiles** (`/tile/N/...`, N ≥ 0) contain raw 32-byte SHA-256 hashes — the internal nodes of the Merkle tree used for inclusion and consistency proofs. `ctfetch` outputs only the list of hashes; using output modifiers with a hash tile is an error. ## Notes - With a tile URL, `+issuer` derives the log root by stripping the `/tile/...` path. With a local file, `--monitoring-url` must be provided. - Partial tiles (`.p/N` suffix) are tried first; on 404 the full tile is fetched automatically. - The CT log list and issuer certificates are cached in memory per invocation.