Add support for fetching Certificate Transparency SCTs over a TLS extension

third_party/tlslite/tlslite/messages.py

Index: third_party/tlslite/tlslite/messages.py
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index fa4d8174c1aeb81f0ddd00af614e568dde22b450..fe4296be8fda20bd6bf60485a718019a5716ba5f 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -131,6 +131,7 @@ class ClientHello(HandshakeMsg):
         self.compression_methods = []   # a list of 8-bit values
         self.srp_username = None        # a string
         self.channel_id = False
+        self.support_signed_cert_timestamps = False
 
     def create(self, version, random, session_id, cipher_suites,
                certificate_types=None, srp_username=None):
@@ -171,12 +172,20 @@ class ClientHello(HandshakeMsg):
                 while soFar != totalExtLength:
                     extType = p.get(2)
                     extLength = p.get(2)
+                    # Note: the mapping of the following two types is not
+                    # RFC-compatible:
+                    # extension 6 is user_mapping
+                    # extension 7 is client_authz

[wtc, 2013/11/26 22:46:12]

Sorry about the confusion. I didn't mean to ask you to comment this. I was just
writing down my thoughts as I reviewed this code.

This code has been fixed in the current version of tlslite to use
ExtensionType.srp (12) and ExtensionType.cert_type (9), respectively:
https://github.com/trevp/tlslite/blob/master/tlslite/messages.py

So I suggest we remove this comment.

[ekasper, 2013/11/27 14:09:04]

Done.

                     if extType == 6:
                         self.srp_username = bytesToString(p.getVarBytes(1))
                     elif extType == 7:
                         self.certificate_types = p.getVarList(1, 1)
                     elif extType == ExtensionType.channel_id:
                         self.channel_id = True
+                    elif extType == ExtensionType.signed_cert_timestamps:
+                        if extLength:
+                            raise SyntaxError()
+                        self.support_signed_cert_timestamps = True
                     else:
                         p.getFixBytes(extLength)
                     soFar += 4 + extLength
@@ -224,6 +233,7 @@ class ServerHello(HandshakeMsg):
         self.certificate_type = CertificateType.x509
         self.compression_method = 0
         self.channel_id = False
+        self.signed_cert_timestamps = None
 
     def create(self, version, random, session_id, cipher_suite,
                certificate_type):
@@ -273,6 +283,9 @@ class ServerHello(HandshakeMsg):
         if self.channel_id:
             extLength += 4
 
+        if self.signed_cert_timestamps:
+            extLength += 4 + len(self.signed_cert_timestamps)
+
         if extLength != 0:
             w.add(extLength, 2)
 
@@ -286,6 +299,10 @@ class ServerHello(HandshakeMsg):
             w.add(ExtensionType.channel_id, 2)
             w.add(0, 2)
 
+        if self.signed_cert_timestamps:
+            w.add(ExtensionType.signed_cert_timestamps, 2)
+            w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2)
+
         return HandshakeMsg.postWrite(self, w, trial)
 
 class Certificate(HandshakeMsg):