sunlight: support fetching from local or archived logs

Author: FiloSottile

client.go

@@ -17,6 +17,7 @@ import (
 	"iter"
 	"log/slog"
 	"net/http"
+	"os"
 	"runtime/debug"
 	"strings"
 	"time"
@@ -41,12 +42,30 @@ type Client struct {
 // ClientConfig is the configuration for a [Client].
 type ClientConfig struct {
 	// MonitoringPrefix is the c2sp.org/static-ct-api monitoring prefix.
+	//
+	// If the MonitoringPrefix has schema "file://", Client will read tiles from
+	// the local filesystem, and most other settings will be ignored.
+	//
+	// If it has schema "gzip+file://", the data tiles are expected to be
+	// gzip-compressed.
+	//
+	// If it has schema "archive+file://", Client will read tiles from a set of
+	// [archival zip files] in the specified directory.
+	//
+	// [archival zip files]:
+	// https://github.com/geomys/ct-archive/blob/main/README.md#archival-format
 	MonitoringPrefix string
 
 	// PublicKey is the public key of the log, used to verify checkpoints in
 	// [Client.Checkpoint] and SCTs in [Client.CheckInclusion].
 	PublicKey crypto.PublicKey
 
+	// AllowRFC6962ArchivalLeafs indicates whether to accept leafs archived from
+	// RFC 6962 logs, which lack the LeafIndex extension.
+	//
+	// See [LogEntry.RFC6962ArchivalLeaf] for details.
+	AllowRFC6962ArchivalLeafs bool
+
 	// HTTPClient is the HTTP client used to fetch tiles. If nil, a client is
 	// created with default timeouts and settings.
 	//
@@ -84,7 +103,35 @@ type ClientConfig struct {
 
 // NewClient creates a new [Client].
 func NewClient(config *ClientConfig) (*Client, error) {
-	if config == nil || config.UserAgent == "" {
+	if schema, path, ok := strings.Cut(config.MonitoringPrefix, "://"); ok &&
+		(schema == "file" || schema == "archive+file" || schema == "gzip+file") {
+		if config.Cache != "" {
+			return nil, errors.New("sunlight: permanent cache cannot be used with file://")
+		}
+		root, err := os.OpenRoot(path)
+		if err != nil {
+			return nil, fmt.Errorf("sunlight: failed to open file:// monitoring prefix: %w", err)
+		}
+		tileFS := root.FS()
+		if schema == "archive+file" {
+			tileFS = torchwood.NewTileArchiveFS(root.FS())
+		}
+		options := []torchwood.TileFSOption{torchwood.WithTileFSTilePath(TilePath)}
+		if schema == "gzip+file" {
+			options = append(options, torchwood.WithGzipDataTiles())
+		}
+		tileReader, err := torchwood.NewTileFS(tileFS, options...)
+		if err != nil {
+			return nil, fmt.Errorf("sunlight: failed to create file:// tile reader: %w", err)
+		}
+		client, err := torchwood.NewClient(tileReader, torchwood.WithCutEntry(cutEntry))
+		if err != nil {
+			return nil, fmt.Errorf("sunlight: failed to create file:// client: %w", err)
+		}
+		return &Client{c: client, r: tileReader, cc: config}, nil
+	}
+
+	if config.UserAgent == "" {
 		return nil, errors.New("sunlight: missing UserAgent")
 	}
 	if !strings.Contains(config.UserAgent, "@") &&
@@ -142,7 +189,7 @@ func cutEntry(tile []byte) (entry []byte, rh tlog.Hash, rest []byte, err error)
 	// This implementation is terribly inefficient, parsing the whole entry just
 	// to re-serialize and throw it away. If this function shows up in profiles,
 	// let me know and I'll improve it.
-	e, rest, err := ReadTileLeaf(tile)
+	e, rest, err := ReadTileLeafMaybeArchival(tile)
 	if err != nil {
 		return nil, tlog.Hash{}, nil, err
 	}
@@ -179,7 +226,16 @@ func (c *Client) Entries(ctx context.Context, tree tlog.Tree, start int64) iter.
 	c.err = nil
 	return func(yield func(int64, *LogEntry) bool) {
 		for i, e := range c.c.Entries(ctx, tree, start) {
-			entry, rest, err := ReadTileLeaf(e)
+			var (
+				entry *LogEntry
+				rest  []byte
+				err   error
+			)
+			if c.cc.AllowRFC6962ArchivalLeafs {
+				entry, rest, err = ReadTileLeafMaybeArchival(e)
+			} else {
+				entry, rest, err = ReadTileLeaf(e)
+			}
 			if err != nil {
 				c.err = err
 				return
@@ -204,14 +260,22 @@ func (c *Client) Entry(ctx context.Context, tree tlog.Tree, index int64) (*LogEn
 	if err != nil {
 		return nil, nil, err
 	}
-	entry, rest, err := ReadTileLeaf(e)
+	var (
+		entry *LogEntry
+		rest  []byte
+	)
+	if c.cc.AllowRFC6962ArchivalLeafs {
+		entry, rest, err = ReadTileLeafMaybeArchival(e)
+	} else {
+		entry, rest, err = ReadTileLeaf(e)
+	}
 	if err != nil {
 		return nil, nil, fmt.Errorf("sunlight: failed to parse log entry %d: %w", index, err)
 	}
 	if len(rest) > 0 {
 		return nil, nil, fmt.Errorf("sunlight: unexpected trailing data in entry %d", index)
 	}
-	if entry.LeafIndex != index {
+	if !entry.RFC6962ArchivalLeaf && entry.LeafIndex != index {
 		return nil, nil, fmt.Errorf("sunlight: log entry index %d does not match requested index %d", entry.LeafIndex, index)
 	}
 	return entry, proof, nil

example_test.go

@@ -2,14 +2,15 @@ package sunlight_test
 
 import (
 	"context"
+	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 
 	"filippo.io/sunlight"
-	"github.com/google/certificate-transparency-go/x509"
+	x509ct "github.com/google/certificate-transparency-go/x509"
 	"golang.org/x/mod/sumdb/tlog"
 )
 
@@ -100,7 +101,7 @@ ybky1bC4rbimZJIjvhnqMcMkf/I=
 		panic(err)
 	}
 
-	cert, err := x509.ParseCertificate(certificate.Bytes)
+	cert, err := x509ct.ParseCertificate(certificate.Bytes)
 	if err != nil {
 		panic(err)
 	}
@@ -161,3 +162,32 @@ func ExampleClient_UnauthenticatedTrimmedEntries() {
 		}
 	}
 }
+
+func ExampleClient_localFilesystem() {
+	block, _ := pem.Decode([]byte(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4i7AmqGoGHsorn/eyclTMjrAnM0J
+UUbyGJUxXqq1AjQ4qBC77wXkWt7s/HA8An2vrEBKIGQzqTjV8QIHrmpd4w==
+-----END PUBLIC KEY-----`))
+	key, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		panic(err)
+	}
+
+	client, err := sunlight.NewClient(&sunlight.ClientConfig{
+		MonitoringPrefix: "gzip+file:///tank/logs/navigli2025h2/data/",
+		PublicKey:        key,
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	checkpoint, _, err := client.Checkpoint(context.TODO())
+	if err != nil {
+		panic(err)
+	}
+	entry, _, err := client.Entry(context.TODO(), checkpoint.Tree, 142424242)
+	if err != nil {
+		panic(err)
+	}
+	println(entry.Timestamp)
+}

go.mod

@@ -1,21 +1,21 @@
 module filippo.io/sunlight
 
-go 1.24.4
+go 1.24.0
 
 require (
 	crawshaw.io/sqlite v0.3.3-0.20220618202545-d1964889ea3c
-	filippo.io/torchwood v0.5.1-0.20251108121651-147243fa786b
+	filippo.io/torchwood v0.8.0
 	github.com/aws/aws-sdk-go-v2 v1.30.3
 	github.com/aws/aws-sdk-go-v2/config v1.27.27
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.4
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.3
 	github.com/aws/smithy-go v1.20.3
 	github.com/google/certificate-transparency-go v1.3.2
 	github.com/prometheus/client_golang v1.22.0
-	golang.org/x/crypto v0.39.0
-	golang.org/x/mod v0.25.0
-	golang.org/x/net v0.40.0
-	golang.org/x/sync v0.15.0
+	golang.org/x/crypto v0.44.0
+	golang.org/x/mod v0.29.0
+	golang.org/x/net v0.46.0
+	golang.org/x/sync v0.18.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -57,8 +57,8 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
 	google.golang.org/grpc v1.72.2 // indirect

go.sum

@@ -8,8 +8,8 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 filippo.io/keygen v0.0.0-20240718133620-7f162efbbd87 h1:HlcHAMbI9Xvw3aWnhPngghMl5AKE2GOvjmvSGOKzCcI=
 filippo.io/keygen v0.0.0-20240718133620-7f162efbbd87/go.mod h1:nAs0+DyACEQGudhkTwlPC9atyqDYC7ZotgZR7D8OwXM=
-filippo.io/torchwood v0.5.1-0.20251108121651-147243fa786b h1:jGqc2PtRwqj8vUstjGJeaMUTL91OKWbr01u+6p2ycgE=
-filippo.io/torchwood v0.5.1-0.20251108121651-147243fa786b/go.mod h1:B1iitdrTUBuGJIHrh4r0PsdKmI4XzlAsPDe/9B4iAnw=
+filippo.io/torchwood v0.8.0 h1:vZsUJRwcy/TE+qR6mBNzWOcQc2rYnP1rtLUzyzO8E/U=
+filippo.io/torchwood v0.8.0/go.mod h1:bV91zf15ZZ3E4h5nCSfAAiuDe/8aT54s/R5gXBLKhVk=
 github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
 github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
 github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY=
@@ -134,18 +134,18 @@ go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce
 go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
 go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
 go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=