#certificate-transparency #client #log #tree #monitoring #validation #quick

ctclient

Certificate Transparency Log client suitable for monitoring, quick SCT validation, gossiping, etc

16 unstable releases (3 breaking)

0.4.5 Jul 11, 2020
0.4.4 Jul 11, 2020
0.4.2 May 24, 2020
0.3.5 May 23, 2020
0.1.0 May 12, 2020

#1424 in Cryptography

Download history 25/week @ 2024-04-04

52 downloads per month

MIT license

5MB
2K SLoC

🔒 Certificate Transparency Log client library

live stream domain video demo

Crates.io Crates.io doc link

Certificate Transparency Log client suitable for monitoring, quick SCT validation, gossiping, etc.

(Not a full-fledged client with UI and everything - will work on that later. This is just a library to make your own client with.)

Build requirement

OpenSSL >= 1.1.0

Features

  • Monitor tree head update
  • Verify consistency and inclusion proof
  • Verify Signed Tree Head (STH) and Signed Certificate Timestamp (SCT)
  • Construct leaf hash from SCT and check inclusion
  • Low and high level API
  • Extract SCT from certificate
  • Lots of comment in code intended as reference for other hackers!

TODOs

  • Implement gossiping protocols
  • Use async IO (currently all API requests are blocking)
  • A helper to monitor multiple logs simultaneously
  • Certificate submission
  • More test coverage

Examples & DEMOs

Note that you can run those by cargo run --example name

  • examples/parse_sct_list_from_cert.rs: Parse a certificate with a "CT Precertificate SCTs" extension and print out the SCTs. Also check that the logs can provide an inclusion proof for those leafs based on the latest tree head.

    screenshot

  • examples/live_stream_domains.rs: Read out certificates as they are published by a log and print out the CA and domain names.

    DEMO at the top of this README.

  • examples/simple_client/simple_client.rs: A simple SQLite-backed CT log client monitoring a single log.

    • Check that the tree is consistent (extend-only) each time a new tree head is received.
    • Download and inspect all certificates searching for a hard-coded domain name.
    • Store tree heads and matched certificates in SQLite database.
    • Intended to be a base on which more sophisticated clients can be built.

    screenshot

Dependencies

~5–10MB
~222K SLoC