Install Google Certificate Transparency Go

Environment

  • Debian 9.5 x64
  • GVM2 v0.10.6
  • Go 1.9.7

Excerpt

Prerequisite: install Go.

Log 2018 / 11

1. GO* env

root@athos:~# env | grep GO
GOPATH=/root/.gvm/pkgsets/go1.9.7/global
GOROOT=/root/.gvm/gos/go1.9.7

2. Prerequisites

root@athos:~# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

root@athos:~# go get github.com/google/trillian

root@athos:~# cd $GOPATH/src/github.com/google/trillian

root@athos:~/.gvm/pkgsets/go1.9.7/global/src/github.com/google/trillian# \
> go get -t -u -v ./...
github.com/google/trillian (download)
github.com/golang/protobuf (download)
github.com/grpc-ecosystem/grpc-gateway (download)
(truncated)

3. ./ctclient

3.1. Build ctclient.go

git clone \
  https://github.com/google/certificate-transparency-go.git

root@athos:~# git clone \
>   https://github.com/google/certificate-transparency-go.git
Cloning into 'certificate-transparency-go'...
remote: Enumerating objects: 32, done.
remote: Counting objects: 100% (32/32), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 10009 (delta 6), reused 15 (delta 5), pack-reused 9977
Receiving objects: 100% (10009/10009), 7.88 MiB | 3.24 MiB/s, done.
Resolving deltas: 100% (5208/5208), done.

go build \
  certificate-transparency-go/client/ctclient/ctclient.go ; \
  chmod a+x ctclient

root@athos:~# go build \
>   certificate-transparency-go/client/ctclient/ctclient.go ; \
>   chmod a+x ctclient

3.2. ./ctclient --help

root@athos:~# ./ctclient
Need command argument
Usage: ctclient [options] <cmd>
where cmd is one of:
   sth           retrieve signed tree head
   upload        upload cert chain and show SCT (needs -cert_chain)
   getroots      show accepted roots
   getentries    get log entries (needs -first and -last)
   inclusion     get inclusion proof (needs -leaf_hash and optionally -size)
   consistency   get consistency proof (needs -size and -prev_size, optionally 
                 -tree_hash and -prev_hash)

root@athos:~# ./ctclient --help

3.3. Basic Usage

3.3.1. Retrieve Signed Tree Head

./ctclient --log_uri https://ct.googleapis.com/testtube sth

root@athos:~# ./ctclient --log_uri https://ct.googleapis.com/testtube sth
2018-11-04 11:52:36.484 +0000 UTC (timestamp 1541332356484): 
  Got STH for V1 log (size=38093049) at https://ct.googleapis.com/testtube, 
  hash 85fdc3b37f71c70719ffad8b73e9ed300e3e364bd9ed6b7be38336bc354e33f1
Signature: Hash=SHA256 Sign=ECDSA 
  Value=30460221009befc1d8c9082c41f6895aeff1f88ebe810a3dfd3938e05233f1f0dae7d0e8
  60022100f6647d29631910cfa65c856df8167919654108850a121a8339c37732960f6cc7
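
What the "Signature:" line above covers, as an added example (not code from this page or from the certificate-transparency-go project): the RFC 6962 TreeHeadSignature structure built from the timestamp, size and hash that ctclient printed. The function names are hypothetical, and a throwaway P-256 key stands in for the log's real key, which is not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// STH values printed by ctclient in the session above (timestamp in ms).
const sthTimestamp, sthTreeSize = 1541332356484, 38093049
const sthRootHex = "85fdc3b37f71c70719ffad8b73e9ed300e3e364bd9ed6b7be38336bc354e33f1"

// treeHeadSignatureInput serializes RFC 6962's TreeHeadSignature: the bytes a log signs.
func treeHeadSignatureInput(timestamp, treeSize uint64, root []byte) []byte {
	buf := append(make([]byte, 18, 50), root...) // buf[0] = 0 is version v1
	buf[1] = 1                                   // signature_type tree_hash
	binary.BigEndian.PutUint64(buf[2:10], timestamp)
	binary.BigEndian.PutUint64(buf[10:18], treeSize)
	return buf
}

// verifySTH checks a DER-encoded ECDSA signature over SHA-256 of that structure.
func verifySTH(pub *ecdsa.PublicKey, timestamp, treeSize uint64, root, sig []byte) bool {
	digest := sha256.Sum256(treeHeadSignatureInput(timestamp, treeSize, root))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo signs the page's STH with a throwaway key (assumption), then checks it as-is and altered.
func demo() (genuine, tampered bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	root, _ := hex.DecodeString(sthRootHex) // constant above is valid hex
	digest := sha256.Sum256(treeHeadSignatureInput(sthTimestamp, sthTreeSize, root))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return verifySTH(&key.PublicKey, sthTimestamp, sthTreeSize, root, sig),
		verifySTH(&key.PublicKey, sthTimestamp, sthTreeSize-1, root, sig)
}

func main() {
	fmt.Println(demo())
}
```

A signature that verifies over these 50 bytes binds the log to exactly this tree size and root hash, so an STH with any field altered fails the check.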

3.3.2. Show Accepted Roots

./ctclient --log_uri  \
  https://ct.googleapis.com/testtube getroots

root@athos:~# ./ctclient --log_uri  \
>   https://ct.googleapis.com/testtube getroots

3.3.3. Get Log Entries

./ctclient --log_uri https://ct.googleapis.com/testtube \
  -first 15887722 -last 15887722 getentries 

root@athos:~# ./ctclient --log_uri https://ct.googleapis.com/testtube \
>   -first 15887722 -last 15887722 getentries
Index=15887722 Timestamp=1522197062400 (2018-03-28 00:31:02.4 +0000 UTC) 
  pre-certificate from issuer with keyhash 
  25ec31d428b56d5f8d9b09432ad80276097501a242e17ec6ea5c95810c712c02:
Certificate:
(truncated)
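
How an entry like the one above is laid out on the wire, as an added example (not code from this page or from the certificate-transparency-go project): a parser for the RFC 6962 MerkleTreeLeaf that get-entries returns as leaf_input, which also computes the leaf hash that the inclusion command takes as -leaf_hash. The function names are hypothetical; the sample leaf is constructed from the timestamp and issuer key hash printed above, with placeholder bytes where the real TBSCertificate would be.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var errLeaf = errors.New("malformed MerkleTreeLeaf")

// parseLeaf decodes an RFC 6962 v1 MerkleTreeLeaf (leaf_input of get-entries).
func parseLeaf(b []byte) (ts uint64, precert bool, keyHash []byte, leafHash [32]byte, err error) {
	if len(b) < 12 || b[0] != 0 || b[1] != 0 { // version v1, leaf_type timestamped_entry
		return 0, false, nil, leafHash, errLeaf
	}
	ts = binary.BigEndian.Uint64(b[2:10]) // milliseconds since the Unix epoch
	entryType, rest := binary.BigEndian.Uint16(b[10:12]), b[12:]
	if entryType > 1 || (entryType == 1 && len(rest) < 32) {
		return 0, false, nil, leafHash, errLeaf
	}
	if entryType == 1 { // precert_entry: issuer_key_hash precedes the TBSCertificate
		precert, keyHash, rest = true, rest[:32], rest[32:]
	}
	if len(rest) < 5 { // 24-bit certificate length + 16-bit extensions length
		return 0, false, nil, leafHash, errLeaf
	}
	n := int(rest[0])<<16 | int(rest[1])<<8 | int(rest[2])
	if len(rest) < 5+n || len(rest) != 5+n+int(binary.BigEndian.Uint16(rest[3+n:])) {
		return 0, false, nil, leafHash, errLeaf
	}
	return ts, precert, keyHash, sha256.Sum256(append([]byte{0}, b...)), nil // SHA-256(0x00 || leaf)
}

// sampleLeaf is constructed: timestamp and issuer key hash of entry 15887722 above,
// a 4-byte placeholder in place of the real TBSCertificate, and no extensions.
func sampleLeaf() []byte {
	kh, _ := hex.DecodeString("25ec31d428b56d5f8d9b09432ad80276097501a242e17ec6ea5c95810c712c02")
	b := make([]byte, 12, 64)
	binary.BigEndian.PutUint64(b[2:10], 1522197062400)
	b[11] = 1 // entry_type precert_entry
	b = append(b, kh...)
	return append(b, 0, 0, 4, 0x30, 0x02, 0x05, 0x00, 0, 0)
}

func main() {
	ts, pre, kh, lh, err := parseLeaf(sampleLeaf())
	fmt.Println(ts, pre, hex.EncodeToString(kh), hex.EncodeToString(lh[:]), err)
}
```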

4. ./scanlog

4.1. Build scanlog.go

git clone \
  https://github.com/google/certificate-transparency-go.git

root@athos:~# git clone \
>   https://github.com/google/certificate-transparency-go.git
Cloning into 'certificate-transparency-go'...
remote: Enumerating objects: 41, done.
remote: Counting objects: 100% (41/41), done.
remote: Compressing objects: 100% (33/33), done.
remote: Total 10021 (delta 9), reused 24 (delta 8), pack-reused 9980
Receiving objects: 100% (10021/10021), 7.89 MiB | 2.36 MiB/s, done.
Resolving deltas: 100% (5214/5214), done.

go build \
  certificate-transparency-go/scanner/scanlog/scanlog.go ; \
  chmod a+x scanlog

root@athos:~# go build \
>   certificate-transparency-go/scanner/scanlog/scanlog.go ; \
>   chmod a+x scanlog

4.2. ./scanlog --help

root@athos:~# ./scanlog --help
Usage of ./scanlog:
  -alsologtostderr
        log to standard error as well as files
  -batch_size int
        Max number of entries to request at per call to get-entries (default 1000)
  -dump_dir string
        Directory to store matched certificates in
(truncated)

4.3. Basic Usage

./ctclient --log_uri https://ct.googleapis.com/testtube \
  -first 15887722 -last 15887722 getentries | \
  grep -e "Serial Number:" -e "Subject:"

root@athos:~# ./ctclient --log_uri https://ct.googleapis.com/testtube \
>   -first 15887722 -last 15887722 getentries | \
>   grep -e "Serial Number:" -e "Subject:"
        Serial Number: 21859471173912533165521148950917689069833966 
          (0xfaef36523b1412678db2f938645642148eee)
        Subject: CN=beta.aplussites.org

./scanlog -log_uri https://ct.googleapis.com/testtube \
  -start_index 15000000 \
  -num_workers 10000 \
  -parallel_fetch 10 \
  -serial_number 21859471173912533165521148950917689069833966

root@athos:~# ./scanlog -log_uri https://ct.googleapis.com/testtube \
>   -start_index 15000000 \
>   -num_workers 10000 \
>   -parallel_fetch 10 \
>   -serial_number 21859471173912533165521148950917689069833966
2018/11/06 03:47:11 Using SerialNumber matcher on 
  21859471173912533165521148950917689069833966
2018/11/06 03:57:53 Process precert at index 15887722: CN: 'beta.aplussites.org' 
  Issuer: Fake LE Intermediate X1
^C

Hugo. Malte Kiefer & Zuhdi Najib.