ctfetch
Tools for working with Certificate Transparency log tiles.
Install
go install ./cmd/ctfetch
Usage
ctfetch operates in two modes depending on the arguments given.
Leaf-index mode
Fetch a specific entry (or all entries in its tile) by leaf index:
ctfetch [flags] <log-url> <leaf-index> [+sct] [+issuer] [+ctlog]
Examples:
Dump a specific entry:
ctfetch https://halloumi2026h1.mon.ct.ipng.ch 629794635
Dump with SCTs, issuer chain, and CT log details:
ctfetch https://halloumi2026h1.mon.ct.ipng.ch 629794635 +sct +issuer +ctlog
Tile-dump mode
Fetch all entries from a tile URL or a local file. Automatically detects data tiles (log entries) and hash tiles (Merkle tree hashes).
ctfetch [flags] <tile-url-or-file> [+sct] [+issuer] [+ctlog]
Examples:
Data tile from a URL:
ctfetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135
Data tile with SCTs and CT log details:
ctfetch https://halloumi2026h1.mon.ct.ipng.ch/tile/data/x002/x460/135 +sct +ctlog
Hash tile from a URL:
ctfetch https://halloumi2026h1.mon.ct.ipng.ch/tile/0/x100/999
Data tile from a local file (with issuer resolution):
ctfetch --monitoring-url https://halloumi2026h1.mon.ct.ipng.ch tile.bin +issuer
Output modifiers
| Modifier | Description |
|---|---|
| `+sct` | Parse and include embedded Signed Certificate Timestamps from final (non-precert) certificates |
| `+issuer` | Fetch and include issuer certificate details from the log's `/issuer/<fp>` endpoint |
| `+ctlog` | Look up each SCT's log ID in the CT log list and include operator/state details |
Flags
| Flag | Default | Description |
|---|---|---|
| `--logs-list-url` | `https://www.gstatic.com/ct/log_list/v3/all_logs_list.json` | URL of the CT log list JSON used for `+ctlog` lookups |
| `--monitoring-url` | (none) | Log root URL for issuer lookups when input is a local file |
Notes
- In tile-dump mode with a tile URL, `+issuer` automatically derives the log root by stripping the `/tile/...` path. With a local file, `--monitoring-url` must be provided.
- Partial tiles (`.p/N` suffix) are tried first; on 404 the full tile is fetched automatically.
- The CT log list and issuer certificates are cached in memory, so each unique resource is fetched only once per invocation.
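The mapping between a leaf index, its data tile URL, and the log root that the notes above describe, as an added example (not ctfetch's own code). It assumes 256 entries per tile and three-digit, `x`-prefixed path groups, which is the layout the example URLs on this page follow; the names `TilePath`, `DataTileURL` and `ParseTileURL` are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const tileWidth = 256 // entries per full tile (assumed; matches the page's example URLs)

// TilePath encodes a tile index as 3-digit groups, all but the last prefixed "x".
func TilePath(n uint64) string {
	p := fmt.Sprintf("%03d", n%1000)
	for n /= 1000; n > 0; n /= 1000 {
		p = fmt.Sprintf("x%03d/%s", n%1000, p)
	}
	return p
}

// DataTileURL returns the data tile holding leaf and the leaf's offset within it.
func DataTileURL(logURL string, leaf uint64) (string, int) {
	return strings.TrimSuffix(logURL, "/") + "/tile/data/" + TilePath(leaf/tileWidth), int(leaf % tileWidth)
}

// ParseTileURL returns log root, kind ("data" or hash level), tile index and partial width (0 = full).
func ParseTileURL(u string) (root, kind string, index uint64, partial int, err error) {
	bad := fmt.Errorf("not a tile URL: %q", u)
	root, rest, ok := strings.Cut(u, "/tile/")
	full, w, isPartial := strings.Cut(rest, ".p/")
	n, e := strconv.ParseUint(w, 10, 16) // n stays 0 when there is no .p/N suffix
	if isPartial && (e != nil || n < 1 || n >= tileWidth) {
		return "", "", 0, 0, bad
	}
	parts := strings.Split(full, "/")
	if _, e := strconv.ParseUint(parts[0], 10, 8); !ok || len(parts) < 2 || (parts[0] != "data" && e != nil) {
		return "", "", 0, 0, bad
	}
	for i, g := range parts[1:] {
		// Every group is exactly 3 digits; all groups but the last carry the "x" prefix.
		g = strings.TrimPrefix(g, "x")
		v, e := strconv.ParseUint(g, 10, 16)
		if e != nil || len(g) != 3 || strings.HasPrefix(parts[i+1], "x") == (i == len(parts)-2) {
			return "", "", 0, 0, bad
		}
		index = index*1000 + v
	}
	return root, parts[0], index, int(n), nil
}

func main() { fmt.Println(DataTileURL("https://halloumi2026h1.mon.ct.ipng.ch", 629794635)) }
```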