transparency-dev/tesseract

🌳 TesseraCT

TesseraCT is a Certificate Transparency (CT) log implementation. It implements static-ct-api using the Tessera library to store data, and is aimed at running production-grade CT logs.

At the moment, TesseraCT can be deployed on GCP and AWS. There is also an experimental binary which uses Tessera's POSIX storage backend.

Table of contents

📣 Status
🛣️ Roadmap
🕹️ Usage
🧪 Public test instances
🗂️ Repository structure
🙋 FAQ
🧌 History
🔧 Contributing
📄 License
👋 Contact

📣 Status

TesseraCT is under active development, and will soon reach alpha 🚀.

At the moment, TesseraCT supports Amazon Web Services and Google Cloud Platform. Read the FAQ to understand why we chose these platforms, or if you're interested in others.

Public test instances run on GCP.

πŸ›£οΈ Roadmap

TODO

πŸ•ΉοΈ Usage

Getting Started

The most hands-on place to start is with the GCP or AWS codelab. These codelabs will guide you through bringing up your own test TesseraCT deployment.

We also run public test instances that you can interact with using the static-ct-api API.

You can also have a look at the main.go files under /cmd/tesseract/ to understand how to build a TesseraCT server.

Last, you can explore our documentation.

Running on a different platform

TesseraCT can theoretically run on any platform Tessera supports. We've already experimented with platforms other than GCP and AWS; have a look at the FAQ for more information.

If you'd still like to run TesseraCT on a different platform that Tessera supports, have a look at Tessera's Getting Started guide, TesseraCT's main.go files under /cmd/tesseract/ and their respective architecture docs.

For any other request, please come and talk to us!

🧪 Public test instances

TODO

πŸ—‚οΈ Repository structure

This repository contains:

  1. Binaries: TesseraCT and auxiliary tools
  2. Deployment configs: purely informative, DO NOT depend on them
  3. Libraries: enabling the building of static-ct-api logs with Tessera: ctlog, storage, (internal)
  4. Documentation

🙋 FAQ

TesseraWhat?

TesseraCT is the concatenation of Tessera and CT (Certificate Transparency), which also happens to be a 4-dimensional hypercube.

What's the difference between Tessera and TesseraCT?

Tessera is a Go library for building tile-based transparency logs (tlogs) on various deployment backends. TesseraCT is a service using the Tessera library with CT-specific settings to implement Certificate Transparency logs complying with static-ct-api. TesseraCT supports a subset of Tessera's backends. A TesseraCT serving stack is composed of:

  • one or multiple instances of a TesseraCT binary using the Tessera library
  • Tessera's backend infrastructure
  • a minor additional storage system for chain issuers

Why these platforms?

After chatting with various CT log operators, we decided to focus on GCP and AWS to begin with, in an effort to address the current needs of log operators. We welcome contributions and requests for additional backend implementations. If you're interested, come and talk to us!

Can I run TesseraCT outside GCP or AWS?

At the moment, this is not officially supported. If you're interested in running outside GCP or AWS, read this and get in touch!

There is an experimental POSIX binary which uses Tessera's POSIX backend for storing the log on local filesystems. At the moment this is not ready for production use, but questions and bug reports are very welcome!

🧌 History

TesseraCT is the successor to Trillian's CTFE. It was built upon its codebase, and introduces these main changes:

  • API: TesseraCT implements static-ct-api rather than RFC6962.
  • Backend implementation: TesseraCT uses Tessera rather than Trillian. This means that TesseraCT integrates entries faster, is cheaper to maintain, requires running a single binary rather than 3, and does not need additional services for leader election.
  • Single tenancy: One TesseraCT instance serves a single CT log, as opposed to the CTFE which could serve multiple logs per instance. To run multiple logs, simply bring up multiple independent TesseraCT stacks. For reliability, each log can still be served by multiple TesseraCT instances.
  • Configuration: TesseraCT is fully configured using flags, and does not need a proto config anymore.
  • Chain parsing: TesseraCT uses internal/lax509 to validate certificate chains. It is built on top of Go's standard crypto/x509 library, with a minimal set of CT-specific enhancements. It does not use the full crypto/x509 fork that the CTFE was using. This means that TesseraCT can benefit from the good care and attention given to crypto/x509. As a result, a very small number of chains do not validate anymore; head over to internal/lax509's README for additional details.
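The chain-parsing point above is the security-relevant one for a log operator: a CT log only issues an SCT for a chain that verifies up to one of its accepted roots, and stock crypto/x509 refuses any certificate carrying a critical extension it does not understand, which is exactly what a precertificate's RFC 6962 poison extension is. The following is an added example, not TesseraCT's or lax509's own code, showing that check with plain crypto/x509 on a constructed throwaway hierarchy (one accepted root with an intermediate, one unaccepted root, and a poisoned precertificate). Treating the poison OID as handled is the one relaxation assumed here; the page does not list which CT-specific enhancements lax509 actually implements, so the function names, the demo PKI, and that relaxation are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ctPoisonOID is the RFC 6962 precertificate poison extension. It is always
// marked critical, so stock crypto/x509 verification rejects any leaf carrying it.
var ctPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

// verifySubmittedChain performs the check a CT log must do before issuing an SCT:
// the submitted leaf has to chain to one of the log's accepted roots. With
// allowPoison set, the poison extension on the leaf is treated as handled; this
// single relaxation is an assumption of this example, not a description of lax509.
func verifySubmittedChain(chain []*x509.Certificate, accepted *x509.CertPool, allowPoison bool) ([]*x509.Certificate, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	leafCopy := *chain[0] // work on a copy so the caller's certificate stays untouched
	leaf := &leafCopy
	if allowPoison {
		var rest []asn1.ObjectIdentifier
		for _, oid := range leaf.UnhandledCriticalExtensions {
			if !oid.Equal(ctPoisonOID) {
				rest = append(rest, oid)
			}
		}
		leaf.UnhandledCriticalExtensions = rest
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: accepted, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // leaf, intermediate(s), accepted root
}

// demoPKI is a constructed hierarchy for this example only.
type demoPKI struct {
	Accepted *x509.CertPool
	Chain    []*x509.Certificate // leaf, intermediate (under the accepted root)
	Precert  []*x509.Certificate // precert carrying the poison extension, intermediate
	Foreign  []*x509.Certificate // leaf issued under a root the log does not accept
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for pub, signed with signer's key; a nil parent self-signs.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildDemoPKI() *demoPKI {
	rootKey, interKey, leafKey, otherKey := newKey(), newKey(), newKey(), newKey()
	root := sign(template("Demo Root", 1, true), nil, &rootKey.PublicKey, rootKey)
	inter := sign(template("Demo Intermediate", 2, true), root, &interKey.PublicKey, rootKey)
	leaf := sign(template("example.test", 3, false), inter, &leafKey.PublicKey, interKey)
	pre := template("example.test", 4, false)
	// Critical poison extension with an ASN.1 NULL value, as RFC 6962 specifies.
	pre.ExtraExtensions = []pkix.Extension{{Id: ctPoisonOID, Critical: true, Value: []byte{0x05, 0x00}}}
	precert := sign(pre, inter, &leafKey.PublicKey, interKey)
	other := sign(template("Unaccepted Root", 5, true), nil, &otherKey.PublicKey, otherKey)
	foreign := sign(template("example.test", 6, false), other, &leafKey.PublicKey, otherKey)
	accepted := x509.NewCertPool()
	accepted.AddCert(root)
	return &demoPKI{Accepted: accepted,
		Chain: []*x509.Certificate{leaf, inter}, Precert: []*x509.Certificate{precert, inter},
		Foreign: []*x509.Certificate{foreign, other}}
}

func main() {
	p := buildDemoPKI()
	for _, tc := range []struct {
		name   string
		chain  []*x509.Certificate
		poison bool
	}{
		{"leaf under accepted root", p.Chain, false},
		{"leaf under unaccepted root", p.Foreign, false},
		{"precert, stock crypto/x509", p.Precert, false},
		{"precert, poison allowed", p.Precert, true},
	} {
		_, err := verifySubmittedChain(tc.chain, p.Accepted, tc.poison)
		fmt.Printf("%-28s -> err=%v\n", tc.name, err)
	}
}
```

Running it shows the two outcomes an operator cares about: a chain ending in a root outside the accepted set is refused regardless of how well-formed it is, and a precertificate is refused by unmodified crypto/x509 purely because of the critical poison extension, which is the kind of gap a CT-aware layer on top of the standard library has to close without reopening the rest of the verification logic.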

🔧 Contributing

See CONTRIBUTING.md for details.

📄 License

This repo is licensed under the Apache 2.0 license, see LICENSE for details.

👋 Contact

Are you interested in running a TesseraCT instance? Do you have a feature request? You can find us here:

About

An implementation of the Static CT API based on Tessera.
