install certificate transparency go | zuhdi.org

Install Google Certificate Transparency Go

Environment

  • Debian 9.7 x64
  • GVM 0.2.0
  • Go 1.12.5

Excerpt

Prerequisite: Install Go

Log 2019 / 05

1. GOROOT env

root@athos:~# env | grep GO
GOROOT=/root/.gvm/versions/go1.12.5.linux.amd64

2. Prerequisites

root@athos:~# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

root@athos:~# go get github.com/google/trillian

root@athos:~# cd ~/go/src/github.com/google/trillian

root@athos:~/go/src/github.com/google/trillian# go get -t -u -v ./...
github.com/google/trillian (download)
github.com/golang/protobuf (download)
github.com/grpc-ecosystem/grpc-gateway (download)
(truncated)

3. ./ctclient

3.1. Build ctclient.go

git clone \
  https://github.com/google/certificate-transparency-go.git

root@athos:~# git clone \
>   https://github.com/google/certificate-transparency-go.git
Cloning into 'certificate-transparency-go'...
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (45/45), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 11296 (delta 14), reused 27 (delta 13), pack-reused 11251
Receiving objects: 100% (11296/11296), 8.43 MiB | 2.91 MiB/s, done.
Resolving deltas: 100% (6063/6063), done.

go build \
  certificate-transparency-go/client/ctclient/ctclient.go ; \
  chmod a+x ctclient

root@athos:~# go build \
>   certificate-transparency-go/client/ctclient/ctclient.go ; \
>   chmod a+x ctclient

3.2. ./ctclient --help

root@athos:~# ./ctclient
Need command argument
Usage: ctclient [options] <cmd>
where cmd is one of:
   sth           retrieve signed tree head
   upload        upload cert chain and show SCT (needs -cert_chain)
   getroots      show accepted roots
   getentries    get log entries (needs -first and -last)
   inclusion     get inclusion proof (needs -leaf_hash and optionally -size)
   consistency   get consistency proof (needs -size and -prev_size, optionally 
                 -tree_hash and -prev_hash)
   bisect        find log entry by timestamp (needs -timestamp)



root@athos:~# ./ctclient --help

3.3. Basic Usage

3.3.1. Retrieve Signed Tree Head

./ctclient --log_uri https://ct.googleapis.com/testtube sth

root@athos:~# ./ctclient --log_uri https://ct.googleapis.com/testtube sth
2019-05-16 17:52:49.551 +0200 CEST (timestamp 1558021969551): 
  Got STH for V1 log (size=70927307) at https://ct.googleapis.com/testtube, 
  hash ba8d3199f0eadee93f272b66ed985d5063bc5fdd1d00a71ddfd49c6d089b16db
Signature: Hash=SHA256 Sign=ECDSA
  Value=3046022100ead894184b024f409c6e861820b69a834e8a1f088ab85fb082ce8d90285f31
  0a022100b1f9059fc31a54decfeaf8911cf7ac73f7eac57c422a8a9f2989c1f404f1f75d

3.3.2. Show Accepted Roots

./ctclient --log_uri  \
  https://ct.googleapis.com/testtube getroots

root@athos:~# ./ctclient --log_uri  \
>   https://ct.googleapis.com/testtube getroots

3.3.3. Get Log Entries

./ctclient --log_uri https://ct.googleapis.com/testtube \
  -first 15887722 -last 15887722 getentries 

root@athos:~# ./ctclient --log_uri https://ct.googleapis.com/testtube \
>   -first 15887722 -last 15887722 getentries
Index=15887722 Timestamp=1522197062400 (2018-03-28 02:31:02.4 +0200 CEST) 
  pre-certificate from issuer with keyhash 
  25ec31d428b56d5f8d9b09432ad80276097501a242e17ec6ea5c95810c712c02:
Certificate:
(truncated)
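
Added example (not from the original page or the certificate-transparency-go project): the `hash` printed by `sth` in 3.3.1 is the Merkle tree root, and the `inclusion` command listed in 3.2 returns an audit path that is checked against that root. This stand-alone Go program implements the RFC 6962 leaf/node hashing and the inclusion-proof verification algorithm from RFC 9162 over a constructed five-entry tree. `prove`, `verify` and the sample leaves are illustrative names and data, and the short byte strings stand in for the serialized log leaves a real log hashes.

```go
package main

import "crypto/sha256"
import "math/bits"

// RFC 6962 domain separation: 0x00 prefixes a leaf, 0x01 an interior node.
func leafHash(d []byte) [32]byte { return sha256.Sum256(append([]byte{0}, d...)) }
func nodeHash(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{1}, l[:]...), r[:]...)) }

// prove returns the Merkle tree root of leaves (non-empty) and the audit path, leaf to root, for leaf m.
func prove(m int, leaves [][]byte) ([32]byte, [][32]byte) {
	if len(leaves) == 1 {
		return leafHash(leaves[0]), nil
	}
	k := 1 << uint(bits.Len(uint(len(leaves)-1))-1) // largest power of two below len(leaves)
	l, lp := prove(m, leaves[:k])
	r, rp := prove(m-k, leaves[k:]) // the path from the subtree without m is discarded
	if m < k {
		return nodeHash(l, r), append(lp, r)
	}
	return nodeHash(l, r), append(rp, l)
}

// verify recomputes the root from a leaf hash and audit path and compares it with the STH root hash.
func verify(index, size int, leaf [32]byte, path [][32]byte, sthRoot [32]byte) bool {
	if index < 0 || index >= size {
		return false
	}
	fn, sn, r := index, size-1, leaf
	for _, p := range path {
		if sn == 0 {
			return false // more path elements than tree levels
		}
		if fn%2 == 1 || fn == sn {
			r = nodeHash(p, r) // current node is a right child: sibling goes on the left
			for ; fn%2 == 0 && fn != 0; fn, sn = fn>>1, sn>>1 {
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && r == sthRoot
}

func main() {
	leaves := [][]byte{[]byte("a"), []byte("b"), []byte("c"), []byte("d"), []byte("e")} // constructed entries
	root, path := prove(2, leaves)
	println(verify(2, len(leaves), leafHash(leaves[2]), path, root))
}
```

Against a real log, `leaf` corresponds to the value passed as `-leaf_hash`, and `size` and `sthRoot` to the size and hash printed by `sth`.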

4. ./scanlog

4.1. Build scanlog.go

git clone \
  https://github.com/google/certificate-transparency-go.git

root@athos:~# git clone \
>   https://github.com/google/certificate-transparency-go.git
Cloning into 'certificate-transparency-go'...
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (45/45), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 11296 (delta 14), reused 27 (delta 13), pack-reused 11251
Receiving objects: 100% (11296/11296), 8.43 MiB | 3.00 MiB/s, done.
Resolving deltas: 100% (6063/6063), done.

go build \
  certificate-transparency-go/scanner/scanlog/scanlog.go ; \
  chmod a+x scanlog

root@athos:~# go build \
>   certificate-transparency-go/scanner/scanlog/scanlog.go ; \
>   chmod a+x scanlog

4.2. ./scanlog --help

root@athos:~# ./scanlog --help
Usage of ./scanlog:
  -alsologtostderr
        log to standard error as well as files
  -batch_size int
        Max number of entries to request at per call to get-entries (default 1000)
  -dump_dir string
        Directory to store matched certificates in
(truncated)

4.3. Basic Usage

./ctclient --log_uri https://ct.googleapis.com/testtube \
  -first 15887722 -last 15887722 getentries | \
  grep -e "Serial Number:" -e "Subject:"

root@athos:~# ./ctclient --log_uri https://ct.googleapis.com/testtube \
>   -first 15887722 -last 15887722 getentries | \
>   grep -e "Serial Number:" -e "Subject:"
        Serial Number: 21859471173912533165521148950917689069833966 
          (0xfaef36523b1412678db2f938645642148eee)
        Subject: CN=beta.aplussites.org

./scanlog -log_uri https://ct.googleapis.com/testtube \
  -start_index 15000000 \
  -num_workers 10000 \
  -parallel_fetch 10 \
  -serial_number 21859471173912533165521148950917689069833966

root@athos:~# ./scanlog -log_uri https://ct.googleapis.com/testtube \
>   -start_index 15000000 \
>   -num_workers 10000 \
>   -parallel_fetch 10 \
>   -serial_number 21859471173912533165521148950917689069833966
2019/05/17 16:03:53 Using SerialNumber matcher on 
  21859471173912533165521148950917689069833966
2019/05/17 16:18:05 Process precert at index 15887722: CN: 'beta.aplussites.org' 
  Issuer: Fake LE Intermediate X1
^C

Hugo. Malte Kiefer & Zuhdi Najib.