ctfetch

Fetch and decode entries from a Static CT log, outputting structured JSON.

Modes

ctool fetch operates in two modes depending on the arguments given.

Leaf-index mode

Fetch the entry at a specific leaf index:

ctool fetch [flags] <log-url> <leaf-index> [+sct] [+issuer] [+ctlog] [+all]

Examples:

ctool fetch https://halloumi2026h1.mon.ct.ipng.ch 629794635
ctool fetch https://halloumi2026h1.mon.ct.ipng.ch 629794635 +all

Tile-dump mode

Fetch all entries from a tile URL or local file. Automatically detects data tiles (log entries) and hash tiles (Merkle tree hashes).

ctool fetch [flags] <tile-url-or-file> [+sct] [+issuer] [+ctlog] [+all]

Examples:

ctool fetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135
ctool fetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135 +sct +ctlog
ctool fetch https://halloumi2026h1.mon.ct.ipng.ch/tile/0/x100/999
ctool fetch --monitoring-url https://halloumi2026h1.mon.ct.ipng.ch tile.bin +issuer

Output modifiers

| Modifier | Description |
|----------|-------------|
| +sct | Parse embedded Signed Certificate Timestamps from final (non-precert) certificates |
| +issuer | Fetch issuer certificate details from the log's /issuer/<fp> endpoint |
| +ctlog | Look up each SCT's log ID in the CT log list and include operator/state details |
| +all | Enable all of +sct, +issuer, and +ctlog |

Flags

| Flag | Default | Description |
|------|---------|-------------|
| --logs-list-url | https://www.gstatic.com/ct/log_list/v3/all_logs_list.json | CT log list URL for +ctlog lookups |
| --monitoring-url | (none) | Log root URL for issuer lookups when input is a local file |

Hash tiles vs data tiles

Data tiles (/tile/data/...) contain DER-encoded certificates and precertificates with metadata (leaf index, timestamp, chain fingerprints). Output modifiers +sct, +issuer, +ctlog, and +all only apply here.

Hash tiles (/tile/N/..., N ≥ 0) contain raw 32-byte SHA-256 hashes — the internal nodes of the Merkle tree used for inclusion and consistency proofs. ctfetch outputs only the list of hashes; using output modifiers with a hash tile is an error.

Notes

  • With a tile URL, +issuer derives the log root by stripping the /tile/... path. With a local file, --monitoring-url must be provided.
  • Partial tiles (.p/N suffix) are tried first; on 404 the full tile is fetched automatically.
  • The CT log list and issuer certificates are cached in memory per invocation.
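
The relationship between the two modes, as an added example that is not part of ctool: it maps a leaf index to the data tile path that holds it (leaf 629794635 lands in tile/data/x002/x460/135, the tile used in the examples above) and splits a hash tile body into its 32-byte nodes. The layout (256 entries per tile, index written as 3-digit groups with an x prefix on all but the last, .p/W suffix for a partial rightmost tile) is taken from the C2SP tlog-tiles and static-ct-api specifications. The function names are hypothetical and the sample bytes are constructed.

```python
import hashlib

TILE_WIDTH = 256   # entries per full tile (tile height 8 => 2**8)
HASH_SIZE = 32     # size of one SHA-256 node in a hash tile


def encode_index(n: int) -> str:
    """Encode a tile index as 3-digit groups; all but the last get an 'x' prefix."""
    if n < 0:
        raise ValueError("tile index must be non-negative")
    groups = [f"{n % 1000:03d}"]
    n //= 1000
    while n:
        groups.append(f"x{n % 1000:03d}")
        n //= 1000
    return "/".join(reversed(groups))


def data_tile_for_leaf(leaf_index: int, tree_size: int):
    """Return (tile path, offset within tile) of the data tile holding leaf_index."""
    if not 0 <= leaf_index < tree_size:
        raise ValueError("leaf index outside the tree")
    tile = leaf_index // TILE_WIDTH
    path = f"tile/data/{encode_index(tile)}"
    # The rightmost tile is partial when tree_size is not a multiple of 256.
    if tile == tree_size // TILE_WIDTH and tree_size % TILE_WIDTH:
        path += f".p/{tree_size % TILE_WIDTH}"
    return path, leaf_index % TILE_WIDTH


def split_hash_tile(body: bytes) -> list[str]:
    """Split a hash tile body into hex-encoded 32-byte nodes, rejecting bad sizes."""
    if not body or len(body) % HASH_SIZE or len(body) > TILE_WIDTH * HASH_SIZE:
        raise ValueError(f"not a hash tile: {len(body)} bytes")
    return [body[i:i + HASH_SIZE].hex() for i in range(0, len(body), HASH_SIZE)]


if __name__ == "__main__":
    # Constructed tree sizes: one well past the leaf, one ending right after it.
    print(data_tile_for_leaf(629794635, 700_000_000))
    print(data_tile_for_leaf(629794635, 629_794_636))
    # Constructed two-node hash tile body.
    sample = hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest()
    print(split_hash_tile(sample))
```
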