This repository holds Go code related to Certificate Transparency (CT). The repository requires Go version 1.20.
- Repository Structure
- Trillian CT Personality
- Working on the Code
The main parts of the repository are:
- Encoding libraries:
x509/are forks of the upstream Go
crypto/x509libraries. We maintain separate forks of these packages because CT is intended to act as an observatory of certificates across the ecosystem; as such, we need to be able to process somewhat-malformed certificates that the stricter upstream code would (correctly) reject. Our
x509fork also includes code for working with the pre-certificates defined in RFC 6962.
tlsholds a library for processing TLS-encoded data as described in RFC 5246.
x509util/provides additional utilities for dealing with
- CT client libraries:
- The top-level
.) holds types and utilities for working with CT data structures defined in RFC 6962.
jsonclient/hold libraries that allow access to CT Logs via HTTP entrypoints described in section 4 of RFC 6962.
dnsclient/has a library that allows access to CT Logs over DNS.
scanner/holds a library for scanning the entire contents of an existing CT Log.
- The top-level
- CT Personality for Trillian:
trillian/holds code that allows a Certificate Transparency Log to be run using a Trillian Log as its back-end -- see below.
- Command line tools:
./client/ctclientallows interaction with a CT Log.
./ctutil/sctcheckallows SCTs (signed certificate timestamps) from a CT Log to be verified.
./scanner/scanlogallows an existing CT Log to be scanned for certificates of interest; please be polite when running this tool against a Log.
./x509util/certcheckallows display and verification of certificates
./x509util/crlcheckallows display and verification of certificate revocation lists (CRLs).
- Other libraries related to CT:
ctutil/holds utility functions for validating and verifying CT data structures.
loglist3/has a library for reading v3 JSON lists of CT Logs.
Developers who want to make changes to the codebase need some additional dependencies and tools, described in the following sections.
scripts/presubmit.sh script runs various tools
and tests over the codebase; please ensure this script passes before sending
pull requests for review.
# Install golangci-lint go install firstname.lastname@example.org # Run code generation, build, test and linters ./scripts/presubmit.sh # Run build, test and linters but skip code generation ./scripts/presubmit.sh --no-generate # Or just run the linters alone: golangci-lint run
Some of the CT Go code is autogenerated from other files:
- Protocol buffer message
definitions are converted to
- A mock implementation of the Trillian gRPC API (in
trillian/mockclient) is created with GoMock.
Re-generating mock or protobuffer files is only needed if you're changing the original files; if you do, you'll need to install the prerequisites:
- tools written in
gocan be installed with a single run of
go install(courtesy of
protoctool: you'll need version 3.20.1 installed, and
PATHupdated to include its
With tools installed, run the following:
go generate -x ./... # hunts for //go:generate comments and runs them