How to retrieve certificate information from Google Testtube CT log

Xian Lin

Jul 7, 2017, 5:08:34 AM
to certificate-transparency
Hi, I have a test cert submitted to the Google CT log "testtube" at ct.googleapis.com/testtube, but how do I retrieve this cert from the log server to prove that it was submitted?

I tried to use a tool "ctclient"

 ./ctclient
Need command argumentUsage: ctclient [options] <cmd>
where cmd is one of:
   sth         retrieve signed tree head
   upload      upload cert chain and show SCT (needs -cert_chain)
   getroots    show accepted roots
   getentries  get log entries (needs -first and -last)


./ctclient --help
Usage of ./ctclient:
  -allow_verification_with_non_compliant_keys
        Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.
  -cert_chain string
        Name of file containing certificate chain as concatenated PEM files
  -first int
        First entry to get (default -1)
  -last int
        Last entry to get (default -1)
  -log_uri string
        CT log base URI (default "http://ct.googleapis.com/aviator")
  -pub_key string
        Name of file containing log's public key
  -text
        Display certificates as text (default true)


But the problem is that I don't know the range of the cert when running "getentries". Is there any simple way to retrieve the cert if I know the cert PEM file (full information etc.)?

Thanks

Rob Percival

Jul 7, 2017, 5:36:27 AM
to certificate-...@googlegroups.com
The SCT you get back when submitting the cert is proof of submission. If you're looking for proof that the certificate was actually incorporated into the log, you'll need an inclusion/audit proof. Unfortunately, the ctclient tool doesn't support retrieving or checking those yet. The relevant API endpoint is /ct/v1/get-proof-by-hash, if you'd like to implement it yourself. However, there are other tools that can do what you want, e.g. https://github.com/google/certificate-transparency/blob/master/python/ct/client/tools/verify_single_proof.py 

I hope that's helpful,
Rob
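
Added example, not part of the original posts and not code from ctclient or verify_single_proof.py: a Python sketch of the inclusion check built on /ct/v1/get-proof-by-hash. It goes beyond the reply by implementing the RFC 6962 leaf hash (which needs the SCT timestamp as well as the certificate) and the audit-path verification. All function names are hypothetical, and the seven-leaf tree is constructed locally in place of a real log so the code runs offline.

```python
import base64, hashlib, struct
from urllib.parse import urlencode

def leaf_hash(cert_der, sct_timestamp_ms, extensions=b""):
    """SHA-256(0x00 || MerkleTreeLeaf) for an X.509 entry, per RFC 6962."""
    leaf = (b"\x00\x00"                              # version v1, leaf_type timestamped_entry
            + struct.pack(">Q", sct_timestamp_ms)    # timestamp copied from the SCT
            + b"\x00\x00"                            # entry_type x509_entry
            + len(cert_der).to_bytes(3, "big") + cert_der
            + struct.pack(">H", len(extensions)) + extensions)
    return hashlib.sha256(b"\x00" + leaf).digest()

def proof_url(log_uri, lhash, tree_size):
    """get-proof-by-hash request; tree_size comes from a signed tree head."""
    q = urlencode({"hash": base64.b64encode(lhash).decode(), "tree_size": tree_size})
    return f"{log_uri}/ct/v1/get-proof-by-hash?{q}"

def node(l, r):
    return hashlib.sha256(b"\x01" + l + r).digest()

def verify_inclusion(lhash, leaf_index, tree_size, audit_path, root_hash):
    """Recompute the root from leaf hash + audit path; compare with the STH root."""
    if not 0 <= leaf_index < tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, lhash
    for p in audit_path:
        if sn == 0:
            return False                  # path longer than the tree allows
        if fn & 1 or fn == sn:
            r = node(p, r)                # sibling is on the left
            while fn and not fn & 1:      # skip levels where we are the last node
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node(r, p)                # sibling is on the right
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root_hash

# Local stand-in for the log (constructed data) so the example runs offline.
def mth(h):
    if len(h) == 1: return h[0]
    k = 1 << (len(h) - 1).bit_length() - 1   # largest power of two below len(h)
    return node(mth(h[:k]), mth(h[k:]))
def path(m, h):
    if len(h) == 1: return []
    k = 1 << (len(h) - 1).bit_length() - 1
    return path(m, h[:k]) + [mth(h[k:])] if m < k else path(m - k, h[k:]) + [mth(h[:k])]

LEAVES = [leaf_hash(b"constructed-cert-%d" % i, 1499418514000 + i) for i in range(7)]
ROOT = mth(LEAVES)
```

This covers X.509 entries only; precertificate entries hash a different leaf structure. Against a real log, `audit_path` and `leaf_index` come base64-decoded from the get-proof-by-hash response and `root_hash` from a signed tree head whose signature has been checked.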
