ctfetch

Fetch and decode entries from a Static CT log, outputting structured JSON.

Install

GOPRIVATE=git.ipng.ch go install git.ipng.ch/certificate-transparency/ctfetch/cmd/ctfetch@latest

The GOPRIVATE variable skips the Go checksum database and module proxy, which do not index modules on git.ipng.ch.

Modes

ctfetch operates in two modes depending on the arguments given.

Leaf-index mode

Fetch the entry at a specific leaf index:

ctfetch [flags] <log-url> <leaf-index> [+sct] [+issuer] [+ctlog] [+all]

Examples:

ctfetch https://halloumi2026h1.mon.ct.ipng.ch 629794635
ctfetch https://halloumi2026h1.mon.ct.ipng.ch 629794635 +all

Tile-dump mode

Fetch all entries from a tile URL or local file. Automatically detects data tiles (log entries) and hash tiles (Merkle tree hashes).

ctfetch [flags] <tile-url-or-file> [+sct] [+issuer] [+ctlog] [+all]

Examples:

ctfetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135
ctfetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135 +sct +ctlog
ctfetch https://halloumi2026h1.mon.ct.ipng.ch/tile/0/x100/999
ctfetch --monitoring-url https://halloumi2026h1.mon.ct.ipng.ch tile.bin +issuer

Output modifiers

| Modifier | Description |
| --- | --- |
| +sct | Parse embedded Signed Certificate Timestamps from final (non-precert) certificates |
| +issuer | Fetch issuer certificate details from the log's /issuer/<fp> endpoint |
| +ctlog | Look up each SCT's log ID in the CT log list and include operator/state details |
| +all | Enable all of +sct, +issuer, and +ctlog |

Flags

| Flag | Default | Description |
| --- | --- | --- |
| --logs-list-url | https://www.gstatic.com/ct/log_list/v3/all_logs_list.json | CT log list URL for +ctlog lookups |
| --monitoring-url | (none) | Log root URL for issuer lookups when input is a local file |

Hash tiles vs data tiles

Data tiles (/tile/data/...) contain DER-encoded certificates and precertificates with metadata (leaf index, timestamp, chain fingerprints). Output modifiers +sct, +issuer, +ctlog, and +all only apply here.

Hash tiles (/tile/N/..., N ≥ 0) contain raw 32-byte SHA-256 hashes — the internal nodes of the Merkle tree used for inclusion and consistency proofs. ctfetch outputs only the list of hashes; using output modifiers with a hash tile is an error.

Notes

  • With a tile URL, +issuer derives the log root by stripping the /tile/... path. With a local file, --monitoring-url must be provided.
  • Partial tiles (.p/N suffix) are tried first; on 404 the full tile is fetched automatically.
  • The CT log list and issuer certificates are cached in memory per invocation.
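
The leaf index and the data tile URL used in the examples above are related by the Static CT API tile layout: 256 entries per tile, with the tile index written as 3-digit path elements. The following Go program is an added example, not ctfetch's own code, that computes the data tile URL and in-tile position for a leaf index, appends the partial-tile suffix from the notes when the leaf is in the last incomplete tile, and strips the /tile/... path to recover the log root. The function names and the tree sizes are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

const tileWidth = 256 // entries per full tile in the Static CT API

// tilePath encodes a tile index as zero-padded 3-digit path elements,
// all but the last prefixed with "x": 2460135 -> "x002/x460/135".
func tilePath(n uint64) string {
	s := fmt.Sprintf("%03d", n%1000)
	for n >= 1000 {
		n /= 1000
		s = fmt.Sprintf("x%03d/%s", n%1000, s)
	}
	return s
}

// dataTileURL returns the data tile URL holding leaf and its position in
// that tile; a leaf in the last, incomplete tile gets the ".p/<width>" suffix.
func dataTileURL(root string, leaf, treeSize uint64) (string, uint64, error) {
	if leaf >= treeSize {
		return "", 0, fmt.Errorf("leaf %d is outside a tree of size %d", leaf, treeSize)
	}
	tile := leaf / tileWidth
	url := strings.TrimRight(root, "/") + "/tile/data/" + tilePath(tile)
	if tile == treeSize/tileWidth { // rightmost tile, not yet full
		url += fmt.Sprintf(".p/%d", treeSize%tileWidth)
	}
	return url, leaf % tileWidth, nil
}

// logRoot recovers the log root from a tile URL by cutting at "/tile/".
func logRoot(tileURL string) (string, bool) {
	i := strings.LastIndex(tileURL, "/tile/")
	if i < 0 {
		return "", false
	}
	return tileURL[:i], true
}

func main() {
	root := "https://halloumi2026h1.mon.ct.ipng.ch"
	for _, size := range []uint64{700000000, 629794640} { // constructed tree sizes
		url, pos, err := dataTileURL(root, 629794635, size)
		fmt.Println(url, pos, err)
	}
}
```

Leaf 629794635 lands at position 75 of tile x002/x460/135, the same tile the tile-dump examples fetch.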