Struct ctclient::CTClient

pub struct CTClient { /* fields omitted */ }

A stateful CT monitor.

It remembers the last checked tree root, so that it only checks newly added certificates. Its state can be loaded from / stored as a [u8], which you can then e.g. store in a file or database.

Implementations

impl CTClient

pub fn new_from_latest_th(base_url: &str, pub_key: &[u8]) -> Result<Self, Error>

Construct a new CTClient instance, and fetch the latest tree root.

Previous certificates in this log will not be checked. Useful for testing, but could result in missing some important certificates. Not recommended for production; use from_bytes and as_bytes to store state instead.

Errors

  • If base_url does not end with /.

Example

use ctclient::CTClient;
use base64::decode;
// URL and public key copy-pasted from https://www.gstatic.com/ct/log_list/v2/all_logs_list.json .
let public_key = decode("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE01EAhx4o0zPQrXTcYjgCt4MVFsT0Pwjzb1RwrM0lhWDlxAYPP6/gyMCXNkOn/7KFsjL7rwk78tHMpY8rXn8AYg==").unwrap();
let client = CTClient::new_from_latest_th("https://ct.cloudflare.com/logs/nimbus2020/", &public_key).unwrap();

pub fn new_from_perv_tree_hash(
    base_url: &str,
    pub_key: &[u8],
    tree_hash: [u8; 32],
    tree_size: u64
) -> Result<Self, Error>

Construct a new CTClient that will check all certificates included after the given tree state.

Certificates in this log before the provided tree hash will not be checked, so make sure to check them manually (e.g. with crt.sh). For production, from_bytes and as_bytes are recommended to avoid duplicate work (e.g. re-checking certificates that were already checked in a previous run).

Example

use ctclient::{CTClient, utils};
use base64::decode;
use std::convert::TryInto;
// URL and public key copy-pasted from https://www.gstatic.com/ct/log_list/v2/all_logs_list.json .
let public_key = decode("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE01EAhx4o0zPQrXTcYjgCt4MVFsT0Pwjzb1RwrM0lhWDlxAYPP6/gyMCXNkOn/7KFsjL7rwk78tHMpY8rXn8AYg==").unwrap();
// Tree captured on 2020-05-12 15:34:11 UTC
let th: [u8; 32] = (&utils::hex_to_u8("63875e88a3e37dc5b6cdbe213fe1df490d40193e4777f79467958ee157de70d6")[..]).try_into().unwrap();
let client = CTClient::new_from_perv_tree_hash("https://ct.cloudflare.com/logs/nimbus2020/", &public_key, th, 299304276).unwrap();

pub fn get_checked_tree_head(&self) -> (u64, [u8; 32])

Get the last checked tree head. Returns (tree_size, root_hash).

pub fn get_reqwest_client(&self) -> &Client

Get the underlying HTTP client used to call the CT APIs.

pub fn light_update(&mut self) -> SthResult

Calls self.update() with None as cert_handler.

pub fn update<H>(&mut self, cert_handler: Option<H>) -> SthResult where
    H: FnMut(&[X509]),

Fetch the latest tree root, check all the new certificates if cert_handler is Some, and update our internal "last checked tree root".

This function should never panic, no matter what the server does to us.

Returns the latest Signed Tree Head (STH) returned by the server, even if it is the same as last time or if it rolled back (new tree_size < current tree_size).

To log the behavior of CT logs, store the returned tree head and signature in some kind of database (even on error). This can be used to prove misconduct (such as a tree that is not append-only) in the future.
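The STH journal suggested above, as an added example that is not part of the ctclient crate: it takes the (tree_size, root_hash) pair that update / get_checked_tree_head yield, keeps every observation, and classifies a rollback or two conflicting roots for one tree size as evidence of misconduct. The head values in the test are constructed, not taken from any real log.

```rust
// Added example, not code from the ctclient crate: a journal of the Signed Tree
// Heads returned by CTClient::update, kept so that a log which stops being
// append-only leaves auditable evidence. Root hashes are [u8; 32] as in the crate.

/// What a newly observed head tells us relative to the journal so far.
#[derive(Debug, PartialEq, Eq)]
pub enum Observation {
    /// Tree grew (or first head seen): the normal append-only case.
    Extended,
    /// Same size and root as the previous head: nothing new since the last poll.
    Unchanged,
    /// Size went backwards relative to the previously observed head.
    RolledBack { previous_size: u64 },
    /// Same size as an earlier head but a different root: two heads for one
    /// size, which an honest log never signs. Carries the earlier root.
    Conflict { other_root: [u8; 32] },
}

/// Every head ever observed, in order. Production code would persist this
/// (together with the STH signature) rather than hold it in memory.
#[derive(Default)]
pub struct SthJournal {
    heads: Vec<(u64, [u8; 32])>,
}

impl SthJournal {
    /// Record one (tree_size, root_hash) pair and classify it.
    pub fn record(&mut self, tree_size: u64, root_hash: [u8; 32]) -> Observation {
        let previous = self.heads.last().copied();
        let conflicting = self
            .heads
            .iter()
            .find(|(size, root)| *size == tree_size && *root != root_hash)
            .map(|(_, root)| *root);
        // Append before judging: evidence is kept even for misbehaving heads.
        self.heads.push((tree_size, root_hash));
        if let Some(other_root) = conflicting {
            return Observation::Conflict { other_root };
        }
        match previous {
            Some((size, _)) if tree_size < size => Observation::RolledBack { previous_size: size },
            Some((size, root)) if size == tree_size && root == root_hash => Observation::Unchanged,
            _ => Observation::Extended,
        }
    }

    /// Number of heads journaled so far (every observation, good or bad).
    pub fn len(&self) -> usize { self.heads.len() }
}
```

A monitor would call record after every update, including calls that returned an error, and persist the journal alongside the state from as_bytes.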

pub fn check_leaf<H>(
    &self,
    leaf: &Leaf,
    cert_handler: &mut Option<H>
) -> Result<(), Error> where
    H: FnMut(&[X509]),

Called by Self::update for each leaf received, to check the certificates it contains. Usually there is no need to call this yourself.

pub fn as_bytes(&self) -> Result<Vec<u8>, Error>

Serialize the state of this client into bytes.

pub fn from_bytes(bytes: &[u8]) -> Result<Self, Error>

Parse a byte string returned by Self::as_bytes.

Trait Implementations

impl Debug for CTClient

Auto Trait Implementations

impl !RefUnwindSafe for CTClient

impl Send for CTClient

impl Sync for CTClient

impl Unpin for CTClient

impl !UnwindSafe for CTClient

Blanket Implementations

impl<T> Any for T where
    T: 'static + ?Sized

impl<T> Borrow<T> for T where
    T: ?Sized

impl<T> BorrowMut<T> for T where
    T: ?Sized

impl<T> From<T> for T

impl<T, U> Into<U> for T where
    U: From<T>,

impl<T, U> TryFrom<U> for T where
    U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.