Extract Certificate Transparency SCTs from stapled OCSP responses

net/cert/ct_objects_extractor_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_objects_extractor.h"
 
 #include <cert.h>
+#include <certt.h>
 #include <secasn1.h>
+#include <secasn1t.h>
+#include <secdert.h>

[wtc, 2013/12/08 04:52:45]

The xxxt.h headers define types. The corresponding xxx.h headers
always include xxxt.h. So <certt.h> and <secasn1t.h> are not needed.

[ekasper, 2013/12/09 14:17:05]

Done. secdert.h is also no longer needed in the latest patch.

 #include <secitem.h>
 #include <secoid.h>
 
 #include "base/lazy_instance.h"
+#include "base/sha1.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/sha2.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/signed_certificate_timestamp.h"
 
 namespace net {
 
 namespace ct {
 
 namespace {
 
+// NSS black magic to get the address of externally defined template at runtime.
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate)
+SEC_ASN1_MKSUB(CERT_SequenceOfCertExtensionTemplate)
+
 // Wrapper class to convert a X509Certificate::OSCertHandle directly
 // into a CERTCertificate* usable with other NSS functions. This is used for
 // platforms where X509Certificate::OSCertHandle refers to a different type
 // than a CERTCertificate*.
 struct NSSCertWrapper {
   explicit NSSCertWrapper(X509Certificate::OSCertHandle cert_handle);
   ~NSSCertWrapper() {}
 
   ScopedCERTCertificate cert;
 };
@@ skipping 20 matching lines @@
 }
 
 // The wire form of the OID 1.3.6.1.4.1.11129.2.4.2. See Section 3.3 of
 // RFC6962.
 const unsigned char kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
                                          0xD6, 0x79, 0x02, 0x04, 0x02};
 const char kEmbeddedSCTDescription[] =
     "X.509v3 Certificate Transparency Embedded Signed Certificate Timestamp "
     "List";
 
+// The wire form of the OID 1.3.6.1.4.1.11129.2.4.2. See Section 3.3 of

[wtc, 2013/12/08 04:52:45]

Typo: the OCSP extension OID should be 1.3.6.1.4.1.11129.2.4.5 (ending in .5).

[ekasper, 2013/12/09 14:17:05]

Done.

+// RFC6962.
+const unsigned char kOCSPExtensionOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01, 0xD6,
+                                           0x79, 0x02, 0x04, 0x05};

[wtc, 2013/12/08 04:52:45]

Nit: it would be nice to fold the previous line before "0xD6," to match the
formatting of lines 69-70.

[ekasper, 2013/12/09 14:17:05]

Done.

+
+const char kOCSPExtensionDescription[] =
+    "OCSP SingleExtension for X.509v3 Certificate Transparency Signed "
+    "Certificate Timestamp List ";
+
 // Initializes the necessary NSS internals for use with Certificate
 // Transparency.
 class CTInitSingleton {
  public:
   SECOidTag embedded_oid() const { return embedded_oid_; }
+  SECOidTag ocsp_extension_oid() const { return ocsp_extension_oid_; }
 
  private:
   friend struct base::DefaultLazyInstanceTraits<CTInitSingleton>;
 
-  CTInitSingleton() : embedded_oid_(SEC_OID_UNKNOWN) {
+  CTInitSingleton() : embedded_oid_(SEC_OID_UNKNOWN),
+                      ocsp_extension_oid_(SEC_OID_UNKNOWN) {
     embedded_oid_ = RegisterOid(
         kEmbeddedSCTOid, sizeof(kEmbeddedSCTOid), kEmbeddedSCTDescription);
+    ocsp_extension_oid_ = RegisterOid(
+        kOCSPExtensionOid, sizeof(kOCSPExtensionOid),
+        kOCSPExtensionDescription);
   }
 
   ~CTInitSingleton() {}
 
   SECOidTag RegisterOid(const unsigned char* oid,
                         unsigned int oid_len,
                         const char* description) {
     SECOidData oid_data;
     oid_data.oid.len = oid_len;
     oid_data.oid.data = const_cast<unsigned char*>(oid);
     oid_data.offset = SEC_OID_UNKNOWN;
     oid_data.desc = description;
     oid_data.mechanism = CKM_INVALID_MECHANISM;
     // Setting this to SUPPORTED_CERT_EXTENSION ensures that if a certificate
     // contains this extension with the critical bit set, NSS will not reject
     // it. However, because verification of this extension happens after NSS,
     // it is currently left as INVALID_CERT_EXTENSION.

[wtc, 2013/12/08 04:52:45]

Nit: this comment doesn't really apply to the OCSP extension. It would be nice
to update it. The main point is that we don't need NSS to use it. We just need
NSS to be able to decode it.

     oid_data.supportedExtension = INVALID_CERT_EXTENSION;
 
     SECOidTag result = SECOID_AddEntry(&oid_data);
     CHECK_NE(SEC_OID_UNKNOWN, result);
 
     return result;
   }
 
   SECOidTag embedded_oid_;
+  SECOidTag ocsp_extension_oid_;
 
   DISALLOW_COPY_AND_ASSIGN(CTInitSingleton);
 };
 
 base::LazyInstance<CTInitSingleton>::Leaky g_ct_singleton =
     LAZY_INSTANCE_INITIALIZER;
 
 // Obtains the data for an X.509v3 certificate extension identified by |oid|
-// and encoded as an OCTET STRING. Returns true if the extension was found,
-// updating |ext_data| to be the extension data after removing the DER
-// encoding of OCTET STRING.
-bool GetOctetStringExtension(CERTCertificate* cert,
-                             SECOidTag oid,
-                             std::string* extension_data) {
+// and encoded as an OCTET STRING. Returns true if the extension was found in
+// the certificate, updating |ext_data| to be the extension data after removing
+// the DER encoding of OCTET STRING.
+bool GetCertOctetStringExtension(CERTCertificate* cert,
+                                 SECOidTag oid,
+                                 std::string* extension_data) {
   SECItem extension;
   SECStatus rv = CERT_FindCertExtension(cert, oid, &extension);
   if (rv != SECSuccess)
     return false;
 
   base::StringPiece raw_data(reinterpret_cast<char*>(extension.data),
                              extension.len);
   base::StringPiece parsed_data;
   if (!asn1::GetElement(&raw_data, asn1::kOCTETSTRING, &parsed_data) ||
       raw_data.size() > 0) { // Decoding failure or raw data left
     rv = SECFailure;
   } else {
     parsed_data.CopyToString(extension_data);
   }
 
   SECITEM_FreeItem(&extension, PR_FALSE);
   return rv == SECSuccess;
 }
 
+// NSS offers CERT_FindCertExtension for certificates, but we also need to
+// to extract extensions from OCSP responses, so we inspect the extensions
+// manually.
+//
+// Obtains the data for an X.509v3 certificate extension identified by |oid|

[wtc, 2013/12/08 04:52:45]

Typo: |oid| => |tag|

[ekasper, 2013/12/09 14:17:05]

This has gone away.

+// and encoded as an OCTET STRING. Returns true if the extension was found in
+// |extensions|, updating |ext_data| to be the extension data after removing

[wtc, 2013/12/08 04:52:45]

Typo: |ext_data| => |extension_data|

[ekasper, 2013/12/09 14:17:05]

Done. Sorry for all the typos!

+// the DER encoding of OCTET STRING.
+bool GetOctetStringExtension(PLArenaPool* arena,

[wtc, 2013/12/08 04:52:45]

OCTET STRING is trivial to decode. If this function uses
asn1::GetElement(asn1::kOCTETSTRING) to decode OCTET STRING, then this function
won't need the |arena| parameter, and we can remove the
GetCertOctetStringExtension function -- just call this function with
|cert->extensions| as the extensions argument.

[ekasper, 2013/12/09 14:17:05]

I am not supposed to use asn1_util for these inputs and I think it's best to be
consistent about this.

So I think it's better to keep two version of the GetOctet... around - one for
certificates that is going through the API, the ugly manual one for OCSP that is
hopefully temporary and can one day be swapped for an API version.

However, you make a very good point that the singleton is not needed anymore, so
I've removed it, and even removed the OID from the args. This method has only
one call site, and is factored out just for readability.

+                             CERTCertExtension** extensions,

[wtc, 2013/12/08 04:52:45]

Nit: this can be const:
  const CERTCertExtension** extensions,

[ekasper, 2013/12/09 14:17:05]

Hm, that's not allowed, but it can be a const CERTExtension* const* extensions.

+                             SECOidTag tag, std::string* extension_data) {
+  if (!extensions)
+    return false;
+
+  SECOidData* oid = SECOID_FindOIDByTag(tag);

[wtc, 2013/12/08 04:52:45]

If we directly pass the SECItem of oid bytes to this function (equivalent to
&oid->oid), then we don't need to register the OID with NSS, and we won't need
CTInitSingleton.

This will require updating Eran's code, so you don't need to make this change.

[ekasper, 2013/12/09 14:17:05]

I've done this for my case (see comment above).

+  if (!oid)
+    return false;
+
+  CERTCertExtension *match = NULL;

[wtc, 2013/12/08 04:52:45]

Nit: search for " *" in this file and move the '*' to be adjacent to the type.

[ekasper, 2013/12/09 14:17:05]

Done.

+
+  for (CERTCertExtension** exts = extensions; *exts; ++exts) {
+    CERTCertExtension* ext = *exts;
+    SECComparison result = SECITEM_CompareItem(&oid->oid, &ext->id);
+    if (result == SECEqual) {

[wtc, 2013/12/08 04:52:45]

You can say
    if (SECITEM_ItemsAreEqual(&oid->oid, &ext->id)) {

[ekasper, 2013/12/09 14:17:05]

Done.

+      match = ext;
+      break;
+    }
+  }
+
+  if (!match)
+    return false;
+
+  SECItem contents;
+  // QuickDER will point to |match|, so we don't have to free |contents|.
+  SECStatus rv = SEC_QuickDERDecodeItem(arena, &contents,
+                                        SEC_ASN1_GET(SEC_OctetStringTemplate),
+                                        &match->value);
+  if (rv != SECSuccess)
+    return false;
+
+  base::StringPiece parsed_data(reinterpret_cast<char*>(contents.data),
+                                contents.len);
+  parsed_data.CopyToString(extension_data);
+  return true;
+}
+
+

[wtc, 2013/12/08 04:52:45]

Nit: delete one blank line.

[ekasper, 2013/12/09 14:17:05]

Done.

 // Given a |cert|, extract the TBSCertificate from this certificate, also
 // removing the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (that is,
 // the embedded SCT)
 bool ExtractTBSCertWithoutSCTs(CERTCertificate* cert,
                                std::string* to_be_signed) {
   SECOidData* oid = SECOID_FindOIDByTag(g_ct_singleton.Get().embedded_oid());
   if (!oid)
     return false;
 
   // This is a giant hack, due to the fact that NSS does not expose a good API
@@ skipping 27 matching lines @@
                                     &tbs_data,
                                     &temp_cert,
                                     SEC_ASN1_GET(CERT_CertificateTemplate));
   if (!result)
     return false;
 
   to_be_signed->assign(reinterpret_cast<char*>(tbs_data.data), tbs_data.len);
   return true;
 }
 
+// The following code is adapted from the NSS OCSP module, in order to expose
+// the internal structure of an OCSP response.
+
+// ResponseBytes ::=       SEQUENCE {
+//     responseType   OBJECT IDENTIFIER,
+//     response       OCTET STRING }
+struct ResponseBytes {
+  SECItem response_type;
+  SECItem der_response;
+};
+
+const SEC_ASN1Template kResponseBytesTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ResponseBytes) },
+  { SEC_ASN1_OBJECT_ID, offsetof(ResponseBytes, response_type) },
+  { SEC_ASN1_OCTET_STRING, offsetof(ResponseBytes, der_response) },
+  { 0 }
+};
+
+// OCSPResponse ::=     SEQUENCE {
+//      responseStatus          OCSPResponseStatus,
+//      responseBytes           [0] EXPLICIT ResponseBytes OPTIONAL }
+struct OCSPResponse {
+  SECItem response_status;
+  // This indirection is needed because |response_bytes| is an optional
+  // component and we need a way to determine if it is missing.
+  ResponseBytes *response_bytes;
+};
+
+const SEC_ASN1Template kPointerToResponseBytesTemplate[] = {
+  { SEC_ASN1_POINTER, 0, kResponseBytesTemplate }
+};
+
+const SEC_ASN1Template kOCSPResponseTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OCSPResponse) },
+  { SEC_ASN1_ENUMERATED, offsetof(OCSPResponse, response_status) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+    SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(OCSPResponse, response_bytes),
+    kPointerToResponseBytesTemplate },
+  { 0 }
+};
+
+// CertID          ::=     SEQUENCE {
+//   hashAlgorithm       AlgorithmIdentifier,
+//   issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
+//   issuerKeyHash       OCTET STRING, -- Hash of Issuers public key
+//   serialNumber        CertificateSerialNumber }
+struct CertID {
+  SECAlgorithmID hash_algorithm;
+  SECItem issuer_name_hash;
+  SECItem issuer_key_hash;
+  SECItem serial_number;
+};
+
+const SEC_ASN1Template kCertIDTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CertID) },
+  { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(CertID, hash_algorithm),
+    SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+  { SEC_ASN1_OCTET_STRING, offsetof(CertID, issuer_name_hash) },
+  { SEC_ASN1_OCTET_STRING, offsetof(CertID, issuer_key_hash) },
+  { SEC_ASN1_INTEGER, offsetof(CertID, serial_number) },
+  { 0 }
+};
+
+// SingleResponse ::= SEQUENCE {
+//   certID                       CertID,
+//   certStatus                   CertStatus,
+//   thisUpdate                   GeneralizedTime,
+//   nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+//   singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+struct SingleResponse {
+  CertID cert_id;
+  SECItem der_cert_status;
+  SECItem this_update;
+  SECItem next_update;
+  CERTCertExtension **single_extensions;
+};
+
+const SEC_ASN1Template kSingleResponseTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SingleResponse) },
+  { SEC_ASN1_INLINE, offsetof(SingleResponse, cert_id), kCertIDTemplate },
+  // ANY because (a) NSS ASN.1 doesn't support automatic CHOICE and
+  // (b) we don't care about the contents of this field anyway.
+  { SEC_ASN1_ANY, offsetof(SingleResponse, der_cert_status) },
+  { SEC_ASN1_GENERALIZED_TIME, offsetof(SingleResponse, this_update) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+    SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+    offsetof(SingleResponse, next_update),
+    SEC_ASN1_SUB(SEC_GeneralizedTimeTemplate) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+    SEC_ASN1_CONTEXT_SPECIFIC | 1,
+    offsetof(SingleResponse, single_extensions),
+    SEC_ASN1_SUB(CERT_SequenceOfCertExtensionTemplate) },
+  { 0 }
+};
+
+// ResponseData ::= SEQUENCE {
+//   version              [0] EXPLICIT Version DEFAULT v1,
+//   responderID              ResponderID,
+//   producedAt               GeneralizedTime,
+//   responses                SEQUENCE OF SingleResponse,
+//   responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+struct ResponseData {
+  SECItem version;
+  SECItem der_responder_id;
+  SECItem produced_at;
+  SingleResponse **single_responses;
+  // Skip extensions.
+};
+
+const SEC_ASN1Template kResponseDataTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ResponseData) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+    SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+    offsetof(ResponseData, version), SEC_ASN1_SUB(SEC_IntegerTemplate) },
+  // ANY because (a) NSS ASN.1 doesn't support automatic CHOICE and
+  // (b) we don't care about the contents of this field anyway.
+  { SEC_ASN1_ANY, offsetof(ResponseData, der_responder_id) },
+  { SEC_ASN1_GENERALIZED_TIME, offsetof(ResponseData, produced_at) },
+  { SEC_ASN1_SEQUENCE_OF, offsetof(ResponseData, single_responses),
+    kSingleResponseTemplate },
+  { SEC_ASN1_SKIP_REST },
+  { 0 }
+};
+
+// BasicOCSPResponse       ::= SEQUENCE {
+//   tbsResponseData      ResponseData,
+//   signatureAlgorithm   AlgorithmIdentifier,
+//   signature            BIT STRING,
+//   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+struct BasicOCSPResponse {
+  ResponseData tbs_response_data;
+  // We do not care about the rest.
+};
+
+const SEC_ASN1Template kBasicOCSPResponseTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(BasicOCSPResponse) },
+  { SEC_ASN1_INLINE, offsetof(BasicOCSPResponse, tbs_response_data),
+    kResponseDataTemplate },
+  { SEC_ASN1_SKIP_REST },
+  { 0 }
+};
+
+bool StringEqualToSECItem(const std::string& value1, const SECItem& value2) {
+  if (value1.size() != value2.len)
+    return false;
+  return memcmp(value1.data(), value2.data, value2.len) == 0;
+}
+
+bool CertIDsMatch(const std::string& serial_number,
+                  const std::string& issuer_key_sha1_hash,
+                  const std::string& issuer_key_sha256_hash,
+                  const CertID& cert_id) {
+  if (!StringEqualToSECItem(serial_number, cert_id.serial_number))
+      return false;
+
+  SECOidTag hash_alg = SECOID_FindOIDTag(&cert_id.hash_algorithm.algorithm);
+  switch (hash_alg) {
+    case SEC_OID_SHA1:
+      return StringEqualToSECItem(issuer_key_sha1_hash,
+                                  cert_id.issuer_key_hash);
+    case SEC_OID_SHA256:
+      return StringEqualToSECItem(issuer_key_sha256_hash,
+                                  cert_id.issuer_key_hash);
+    default:
+      return false;
+  }
+}
+
 }  // namespace
 
 bool ExtractEmbeddedSCTList(X509Certificate::OSCertHandle cert,
                             std::string* sct_list) {
   DCHECK(cert);
 
   NSSCertWrapper leaf_cert(cert);
   if (!leaf_cert.cert)
     return false;
 
-  return GetOctetStringExtension(
-      leaf_cert.cert.get(), g_ct_singleton.Get().embedded_oid(), sct_list);
+  return GetCertOctetStringExtension(leaf_cert.cert.get(),
+                                     g_ct_singleton.Get().embedded_oid(),
+                                     sct_list);
 }
 
 bool GetPrecertLogEntry(X509Certificate::OSCertHandle leaf,
                         X509Certificate::OSCertHandle issuer,
                         LogEntry* result) {
   DCHECK(leaf);
   DCHECK(issuer);
 
   NSSCertWrapper leaf_cert(leaf);
   NSSCertWrapper issuer_cert(issuer);
@@ skipping 57 matching lines @@
   std::string encoded;
   if (!X509Certificate::GetDEREncoded(leaf, &encoded))
     return false;
 
   result->Reset();
   result->type = ct::LogEntry::LOG_ENTRY_TYPE_X509;
   result->leaf_certificate.swap(encoded);
   return true;
 }
 
+bool ExtractSCTListFromOCSPResponse(const std::string& cert_serial_number,
+                                    X509Certificate::OSCertHandle issuer,
+                                    const std::string& ocsp_response,
+                                    std::string* sct_list) {
+  DCHECK(issuer);
+  crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+
+  // QuickDERDecodeItem returns data that points into |src|. This is
+  // ok for us as the decoded items never leave the method scope.
+  SECItem src = { siBuffer,
+                  reinterpret_cast<unsigned char*>(const_cast<char*>(
+                      ocsp_response.data())), ocsp_response.size() };
+
+  OCSPResponse response;
+  memset(&response, 0, sizeof(response));
+
+  SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &response,
+                                        kOCSPResponseTemplate, &src);
+  if (rv != SECSuccess)
+    return false;
+
+  // id-ad-ocsp: 1.3.6.1.5.5.7.48.1.1
+  static const uint8 kBasicOCSPResponseOID[] = { 0x2b, 0x06, 0x01, 0x05, 0x05,
+                                                 0x07, 0x30, 0x01, 0x01 };
+
+  if (!response.response_bytes)
+    return false;
+
+  if (response.response_bytes->response_type.len !=
+      sizeof(kBasicOCSPResponseOID) ||
+      memcmp(response.response_bytes->response_type.data, kBasicOCSPResponseOID,
+             sizeof(kBasicOCSPResponseOID)) != 0) {
+    return false;
+  }
+
+  BasicOCSPResponse basic_response;
+  memset(&basic_response, 0, sizeof(basic_response));
+
+  rv = SEC_QuickDERDecodeItem(arena.get(), &basic_response,
+                              kBasicOCSPResponseTemplate,
+                              &response.response_bytes->der_response);
+  if (rv != SECSuccess)
+    return false;
+
+  SingleResponse** responses =
+      basic_response.tbs_response_data.single_responses;
+  if (!responses)
+    return false;
+
+  std::string issuer_der;
+  if (!X509Certificate::GetDEREncoded(issuer, &issuer_der))
+    return false;
+
+  base::StringPiece issuer_spki;
+  if (!asn1::ExtractSPKIFromDERCert(issuer_der, &issuer_spki))
+    return false;
+
+  // In OCSP, only the key itself is under hash.
+  base::StringPiece issuer_spk;
+  if (!asn1::ExtractSubjectPublicKeyFromSPKI(issuer_spki, &issuer_spk))
+    return false;
+
+  // ExtractSubjectPublicKey... does not remove the leading pad byte from the
+  // BitString so we do it here. For public keys, the pad byte is in practice
+  // always 0.
+  if (issuer_spk.empty() || issuer_spk[0] != 0)
+    return false;
+  issuer_spk.remove_prefix(1);
+
+  // NSS OCSP lib recognizes SHA1, MD5 and MD2; MD5 and MD2 are dead but
+  // https://bugzilla.mozilla.org/show_bug.cgi?id=663315 will add SHA-256
+  // and SHA-384.
+  // TODO(ekasper): add SHA-384 to crypto/sha2.h and here if it proves
+  // necessary.
+  std::string issuer_key_sha256_hash = crypto::SHA256HashString(issuer_spk);
+  std::string issuer_key_sha1_hash = base::SHA1HashString(
+      issuer_spk.as_string());
+
+  SingleResponse* match = NULL;
+  for (int i = 0; responses[i] != NULL; ++i) {
+    if (CertIDsMatch(cert_serial_number, issuer_key_sha1_hash,

[wtc, 2013/12/08 04:52:45]

With more work, we can compute the issuer key hash on demand and cache it. Right
now the SHA-256 hash is computed in vain.

You can just add a TODO comment.

[ekasper, 2013/12/09 14:17:05]

Added a TODO.

+                     issuer_key_sha256_hash, responses[i]->cert_id)) {
+      match = responses[i];
+      break;
+    }
+  }
+
+  if (!match)
+    return false;
+
+  return GetOctetStringExtension(arena.get(), match->single_extensions,
+                                 g_ct_singleton.Get().ocsp_extension_oid(),
+                                 sct_list);
+}
+
 }  // namespace ct
 
 }  // namespace net