Revert of Extract Certificate Transparency SCTs from stapled OCSP responses

third_party/tlslite/patches/status_request.patch

Index: third_party/tlslite/patches/status_request.patch
diff --git a/third_party/tlslite/patches/status_request.patch b/third_party/tlslite/patches/status_request.patch
deleted file mode 100644
index 15f01d42809edf3fea8347da8d1f225d08798077..0000000000000000000000000000000000000000
--- a/third_party/tlslite/patches/status_request.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
-index e6ce187..94ee5eb 100644
---- a/third_party/tlslite/tlslite/TLSConnection.py
-+++ b/third_party/tlslite/tlslite/TLSConnection.py
-@@ -937,8 +937,8 @@ class TLSConnection(TLSRecordLayer):
-                         certChain=None, privateKey=None, reqCert=False,
-                         sessionCache=None, settings=None, checker=None,
-                         reqCAs=None, tlsIntolerant=0,
--                        signedCertTimestamps=None,
--                        fallbackSCSV=False):
-+                        signedCertTimestamps=None, fallbackSCSV=False,
-+                        ocspResponse=None):
-         """Perform a handshake in the role of server.
- 
-         This function performs an SSL or TLS handshake.  Depending on
-@@ -1014,6 +1014,16 @@ class TLSConnection(TLSRecordLayer):
-         binary 8-bit string) that will be sent as a TLS extension whenever
-         the client announces support for the extension.
- 
-+        @type ocspResponse: str
-+        @param ocspResponse: An OCSP response (as a binary 8-bit string) that
-+        will be sent stapled in the handshake whenever the client announces
-+        support for the status_request extension.
-+        Note that the response is sent independent of the ClientHello
-+        status_request extension contents, and is thus only meant for testing
-+        environments. Real OCSP stapling is more complicated as it requires
-+        choosing a suitable response based on the ClientHello status_request
-+        extension contents.
-+
-         @raise socket.error: If a socket error occurs.
-         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-         without a preceding alert.
-@@ -1024,7 +1034,7 @@ class TLSConnection(TLSRecordLayer):
-         for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
-                 certChain, privateKey, reqCert, sessionCache, settings,
-                 checker, reqCAs, tlsIntolerant, signedCertTimestamps,
--                fallbackSCSV):
-+                fallbackSCSV, ocspResponse):
-             pass
- 
- 
-@@ -1033,7 +1043,7 @@ class TLSConnection(TLSRecordLayer):
-                              sessionCache=None, settings=None, checker=None,
-                              reqCAs=None, tlsIntolerant=0,
-                              signedCertTimestamps=None,
--                             fallbackSCSV=False):
-+                             fallbackSCSV=False, ocspResponse=None):
-         """Start a server handshake operation on the TLS connection.
- 
-         This function returns a generator which behaves similarly to
-@@ -1053,7 +1063,8 @@ class TLSConnection(TLSRecordLayer):
-             reqCAs=reqCAs,
-             tlsIntolerant=tlsIntolerant,
-             signedCertTimestamps=signedCertTimestamps,
--            fallbackSCSV=fallbackSCSV)
-+            fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse)
-+
-         for result in self._handshakeWrapperAsync(handshaker, checker):
-             yield result
- 
-@@ -1062,7 +1073,7 @@ class TLSConnection(TLSRecordLayer):
-                                     certChain, privateKey, reqCert,
-                                     sessionCache, settings, reqCAs,
-                                     tlsIntolerant, signedCertTimestamps,
--                                    fallbackSCSV):
-+                                    fallbackSCSV, ocspResponse):
- 
-         self._handshakeStart(client=False)
- 
-@@ -1439,10 +1450,14 @@ class TLSConnection(TLSRecordLayer):
-                     sessionID, cipherSuite, certificateType)
-             serverHello.channel_id = clientHello.channel_id
-             if clientHello.support_signed_cert_timestamps:
--                serverHello.signed_cert_timestamps = signedCertTimestamps
-+              serverHello.signed_cert_timestamps = signedCertTimestamps
-+            serverHello.status_request = (clientHello.status_request and
-+                                          ocspResponse)
-             doingChannelID = clientHello.channel_id
-             msgs.append(serverHello)
-             msgs.append(Certificate(certificateType).create(serverCertChain))
-+            if serverHello.status_request:
-+                msgs.append(CertificateStatus().create(ocspResponse))
-             if reqCert and reqCAs:
-                 msgs.append(CertificateRequest().create([], reqCAs))
-             elif reqCert:
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 23e3dcb..d027ef5 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -22,6 +22,7 @@ class HandshakeType:
-     certificate_verify = 15
-     client_key_exchange = 16
-     finished = 20
-+    certificate_status = 22
-     encrypted_extensions = 203
- 
- class ContentType:
-@@ -31,7 +32,11 @@ class ContentType:
-     application_data = 23
-     all = (20,21,22,23)
- 
-+class CertificateStatusType:
-+    ocsp = 1
-+
- class ExtensionType:
-+    status_request = 5  # OCSP stapling
-     signed_cert_timestamps = 18  # signed_certificate_timestamp in RFC 6962
-     channel_id = 30031
- 
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 296f422..497ef60 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -132,6 +132,7 @@ class ClientHello(HandshakeMsg):
-         self.srp_username = None        # a string
-         self.channel_id = False
-         self.support_signed_cert_timestamps = False
-+        self.status_request = False
- 
-     def create(self, version, random, session_id, cipher_suites,
-                certificate_types=None, srp_username=None):
-@@ -182,6 +183,19 @@ class ClientHello(HandshakeMsg):
-                         if extLength:
-                             raise SyntaxError()
-                         self.support_signed_cert_timestamps = True
-+                    elif extType == ExtensionType.status_request:
-+                        # Extension contents are currently ignored.
-+                        # According to RFC 6066, this is not strictly forbidden
-+                        # (although it is suboptimal):
-+                        # Servers that receive a client hello containing the
-+                        # "status_request" extension MAY return a suitable
-+                        # certificate status response to the client along with
-+                        # their certificate.  If OCSP is requested, they
-+                        # SHOULD use the information contained in the extension
-+                        # when selecting an OCSP responder and SHOULD include
-+                        # request_extensions in the OCSP request.
-+                        p.getFixBytes(extLength)
-+                        self.status_request = True
-                     else:
-                         p.getFixBytes(extLength)
-                     soFar += 4 + extLength
-@@ -230,6 +244,7 @@ class ServerHello(HandshakeMsg):
-         self.compression_method = 0
-         self.channel_id = False
-         self.signed_cert_timestamps = None
-+        self.status_request = False
- 
-     def create(self, version, random, session_id, cipher_suite,
-                certificate_type):
-@@ -282,6 +297,9 @@ class ServerHello(HandshakeMsg):
-         if self.signed_cert_timestamps:
-             extLength += 4 + len(self.signed_cert_timestamps)
- 
-+        if self.status_request:
-+            extLength += 4
-+
-         if extLength != 0:
-             w.add(extLength, 2)
- 
-@@ -299,6 +317,10 @@ class ServerHello(HandshakeMsg):
-             w.add(ExtensionType.signed_cert_timestamps, 2)
-             w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2)
- 
-+        if self.status_request:
-+            w.add(ExtensionType.status_request, 2)
-+            w.add(0, 2)
-+
-         return HandshakeMsg.postWrite(self, w, trial)
- 
- class Certificate(HandshakeMsg):
-@@ -367,6 +389,37 @@ class Certificate(HandshakeMsg):
-             raise AssertionError()
-         return HandshakeMsg.postWrite(self, w, trial)
- 
-+class CertificateStatus(HandshakeMsg):
-+    def __init__(self):
-+        self.contentType = ContentType.handshake
-+
-+    def create(self, ocsp_response):
-+        self.ocsp_response = ocsp_response
-+        return self
-+
-+    # Defined for the sake of completeness, even though we currently only
-+    # support sending the status message (server-side), not requesting
-+    # or receiving it (client-side).
-+    def parse(self, p):
-+        p.startLengthCheck(3)
-+        status_type = p.get(1)
-+        # Only one type is specified, so hardwire it.
-+        if status_type != CertificateStatusType.ocsp:
-+            raise SyntaxError()
-+        ocsp_response = p.getVarBytes(3)
-+        if not ocsp_response:
-+            # Can't be empty
-+            raise SyntaxError()
-+        self.ocsp_response = ocsp_response
-+        return self
-+
-+    def write(self, trial=False):
-+        w = HandshakeMsg.preWrite(self, HandshakeType.certificate_status,
-+                                  trial)
-+        w.add(CertificateStatusType.ocsp, 1)
-+        w.addVarSeq(stringToBytes(self.ocsp_response), 1, 3)
-+        return HandshakeMsg.postWrite(self, w, trial)
-+
- class CertificateRequest(HandshakeMsg):
-     def __init__(self):
-         self.contentType = ContentType.handshake