You'll need to have a VM running in the same GCP project that you can SSH to, with Go and terragrunt installed, and your favourite terminal multiplexer.
This config uses the gcp/test module to define a test environment to run the SCTFE, backed by Trillian Tessera.
At a high level, this environment consists of:
- One Spanner instance with two databases:
- one for Tessera
- one for deduplication
- A GCS Bucket
- Secret Manager
First authenticate via gcloud
as a principle with sufficient ACLs for
the project:
gcloud auth application-default login
Set the required environment variables:
export GOOGLE_PROJECT={VALUE}
export GOOGLE_REGION={VALUE} # e.g: us-central1
export TESSERA_BASE_NAME={VALUE} # e.g: test-static-ct
Terraforming the project can be done by:
cd
to the relevant directory for the environment to deploy/change (e.g.ci
)- Run
terragrunt apply
Store the Secret Manager resource ID of signer key pair into the environment variables:
export SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID=$(terragrunt output -raw ecdsa_p256_public_key_id)
export SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID=$(terragrunt output -raw ecdsa_p256_private_key_id)
On the VM, run the following command to bring up the SCTFE:
go run ./cmd/gcp/ \
--project_id=${GOOGLE_PROJECT} \
--bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket \
--spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db \
--spanner_dedup_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db \
--roots_pem_file=./testdata/fake-ca.cert \
--origin=${TESSERA_BASE_NAME} \
--signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
--signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
In a different terminal you can either mint and submit certificates manually, or use the ct_hammer tool to do this.
Generate a chain manually. The password for the private key is gently
:
mkdir -p /tmp/httpschain
openssl genrsa -out /tmp/httpschain/cert.key 2048
openssl req -new -key /tmp/httpschain/cert.key -out /tmp/httpschain/cert.csr -config=testdata/fake-ca.cfg
openssl x509 -req -days 3650 -in /tmp/httpschain/cert.csr -CAkey testdata/fake-ca.privkey.pem -CA testdata/fake-ca.cert -outform pem -out /tmp/httpschain/chain.pem -provider legacy -provider default
cat testdata/fake-ca.cert >> /tmp/httpschain/chain.pem
Finally, submit the chain to the SCTFE:
go run github.com/google/certificate-transparency-go/client/ctclient@master upload --cert_chain=/tmp/httpschain/chain.pem --skip_https_verify --log_uri=http://localhost:6962/${TESSERA_BASE_NAME}
Save the SCTFE repo's path:
export SCTFE_REPO=$(pwd)
Clone the certificate-transparency-go repo, and from there run:
go run ./trillian/integration/ct_hammer/ \
--ct_http_servers=localhost:6962/${TESSERA_BASE_NAME} \
--max_retry=2m \
--invalid_chance=0 \
--get_sth=0 \
--get_sth_consistency=0 \
--get_proof_by_hash=0 \
--get_entries=0 \
--get_roots=0 \
--get_entry_and_proof=0 \
--max_parallel_chains=4 \
--skip_https_verify=true \
--operations=10000 \
--rate_limit=150 \
--log_config=${SCTFE_REPO}/testdata/hammer.cfg \
--testdata_dir=./trillian/testdata/
We'll run a SCTFE and copy certificates from an existing RFC6962 log to it. It uses the ct_hammer tool from certificate-transparency-go.
First, set a few environment variables:
export SCTFE_REPO=$(pwd)
export SRC_LOG_URI=https://ct.googleapis.com/logs/xenon2022
Then, get fetch the roots the source logs accepts, and edit configs accordingly. To do so, clone the certificate-transparency-go repo, and from there run:
export CTGO_REPO=$(pwd)
mkdir -p /tmp/hammercfg
cp ${SCTFE_REPO}/testdata/hammer.cfg /tmp/hammercfg
go run ./client/ctclient get-roots --log_uri=${SRC_LOG_URI} --text=false > /tmp/hammercfg/roots.pem
sed -i 's-""-"/tmp/hammercfg/roots.pem"-g' /tmp/hammercfg/hammer.cfg
Run the SCTFE with the same roots:
cd ${SCTFE_REPO}
go run ./cmd/gcp/ \
--project_id=${GOOGLE_PROJECT} \
--bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket \
--spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db \
--roots_pem_file=/tmp/hammercfg/roots.pem \
--origin=${TESSERA_BASE_NAME} \
--spanner_dedup_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db \
--signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
--signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID} \
-v=3
Run ct_hammer
in a different terminal:
cd ${CTGO_REPO}
go run ./trillian/integration/ct_hammer/ \
--ct_http_servers=localhost:6962/${TESSERA_BASE_NAME} \
--max_retry=2m \
--invalid_chance=0 \
--get_sth=0 \
--get_sth_consistency=0 \
--get_proof_by_hash=0 \
--get_entries=0 \
--get_roots=0 \
--get_entry_and_proof=0 \
--max_parallel_chains=4 \
--skip_https_verify=true \
--operations=10000 \
--rate_limit=150 \
--log_config=/tmp/hammercfg/hammer.cfg \
--src_log_uri=${SRC_LOG_URI}