Extract Certificate Transparency SCTs from stapled OCSP responses

net/cert/ct_objects_extractor_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_objects_extractor.h"
 
 #include <cert.h>
 #include <secasn1.h>
 #include <secitem.h>
 #include <secoid.h>
 
 #include "base/lazy_instance.h"
+#include "base/sha1.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/sha2.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/signed_certificate_timestamp.h"
 
 namespace net {
 
 namespace ct {
 
 namespace {
 
+// NSS black magic to get the address of externally defined template at runtime.
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate)
+SEC_ASN1_MKSUB(CERT_SequenceOfCertExtensionTemplate)
+
 // Wrapper class to convert a X509Certificate::OSCertHandle directly
 // into a CERTCertificate* usable with other NSS functions. This is used for
 // platforms where X509Certificate::OSCertHandle refers to a different type
 // than a CERTCertificate*.
 struct NSSCertWrapper {
   explicit NSSCertWrapper(X509Certificate::OSCertHandle cert_handle);
   ~NSSCertWrapper() {}
 
   ScopedCERTCertificate cert;
 };
@@ skipping 20 matching lines @@
 }
 
 // The wire form of the OID 1.3.6.1.4.1.11129.2.4.2. See Section 3.3 of
 // RFC6962.
 const unsigned char kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
                                          0xD6, 0x79, 0x02, 0x04, 0x02};
 const char kEmbeddedSCTDescription[] =
     "X.509v3 Certificate Transparency Embedded Signed Certificate Timestamp "
     "List";
 
+// The wire form of the OID 1.3.6.1.4.1.11129.2.4.5 - OCSP SingleExtension for
+// X.509v3 Certificate Transparency Signed Certificate Timestamp List, see
+// see Section 3.3 of RFC6962.

[wtc, 2013/12/10 04:23:17]

Nit: the "see" on this line is a duplicate and should be removed.

[ekasper, 2013/12/10 14:45:20]

Done.

+const unsigned char kOCSPExtensionOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
+                                           0xD6, 0x79, 0x02, 0x04, 0x05};
+
+const SECItem kOCSPExtensionItem = {

[wtc, 2013/12/10 04:23:17]

Nit: this variable name should also contain "Oid": kOCSPExtensionOidItem

[ekasper, 2013/12/10 14:45:20]

Done.

+  siBuffer, const_cast<unsigned char*>(kOCSPExtensionOid),
+  sizeof(kOCSPExtensionOid)
+};
+
 // Initializes the necessary NSS internals for use with Certificate
 // Transparency.
 class CTInitSingleton {
  public:
   SECOidTag embedded_oid() const { return embedded_oid_; }
 
  private:
   friend struct base::DefaultLazyInstanceTraits<CTInitSingleton>;
 
   CTInitSingleton() : embedded_oid_(SEC_OID_UNKNOWN) {
@@ skipping 26 matching lines @@
 
   SECOidTag embedded_oid_;
 
   DISALLOW_COPY_AND_ASSIGN(CTInitSingleton);
 };
 
 base::LazyInstance<CTInitSingleton>::Leaky g_ct_singleton =
     LAZY_INSTANCE_INITIALIZER;
 
 // Obtains the data for an X.509v3 certificate extension identified by |oid|
-// and encoded as an OCTET STRING. Returns true if the extension was found,
-// updating |ext_data| to be the extension data after removing the DER
-// encoding of OCTET STRING.
-bool GetOctetStringExtension(CERTCertificate* cert,
-                             SECOidTag oid,
-                             std::string* extension_data) {
+// and encoded as an OCTET STRING. Returns true if the extension was found in
+// the certificate, updating |ext_data| to be the extension data after removing
+// the DER encoding of OCTET STRING.
+bool GetCertOctetStringExtension(CERTCertificate* cert,
+                                 SECOidTag oid,
+                                 std::string* extension_data) {
   SECItem extension;
   SECStatus rv = CERT_FindCertExtension(cert, oid, &extension);
   if (rv != SECSuccess)
     return false;
 
   base::StringPiece raw_data(reinterpret_cast<char*>(extension.data),
                              extension.len);
   base::StringPiece parsed_data;
   if (!asn1::GetElement(&raw_data, asn1::kOCTETSTRING, &parsed_data) ||
       raw_data.size() > 0) { // Decoding failure or raw data left
     rv = SECFailure;
   } else {
     parsed_data.CopyToString(extension_data);
   }
 
   SECITEM_FreeItem(&extension, PR_FALSE);
   return rv == SECSuccess;
 }
 
+// NSS offers CERT_FindCertExtension for certificates, but we also need to
+// to extract extensions from OCSP responses, so we inspect the extensions
+// manually.
+//
+// Obtains the data for an X.509v3 certificate extension identified by

[wtc, 2013/12/10 04:23:17]

Nit: it seems wrong to call this "an X.509v3 certificate extension". Should we
say "an OCSP extension" instead?

[ekasper, 2013/12/10 14:45:20]

OCSP gets its extension definition from X509, which is why we can use
CERTCertExtension but, ok.

+// kOCSPExtensionItem and encoded as an OCTET STRING. Returns true if the
+// extension was found in |extensions|, updating |extension_data| to be the
+// extension data after removing the DER encoding of OCTET STRING.
+bool GetSCTListFromOCSPExtension(PLArenaPool* arena,
+                                 const CERTCertExtension* const* extensions,
+                                 std::string* extension_data) {
+  if (!extensions)
+    return false;
+
+  const CERTCertExtension* match = NULL;
+
+  for (const CERTCertExtension* const* exts = extensions; *exts; ++exts) {
+    const CERTCertExtension* ext = *exts;
+    if (SECITEM_ItemsAreEqual(&kOCSPExtensionItem, &ext->id)) {
+      match = ext;
+      break;
+    }
+  }
+
+  if (!match)
+    return false;
+
+  SECItem contents;
+  // QuickDER will point to |match|, so we don't have to free |contents|.
+  SECStatus rv = SEC_QuickDERDecodeItem(arena, &contents,
+                                        SEC_ASN1_GET(SEC_OctetStringTemplate),
+                                        &match->value);
+  if (rv != SECSuccess)
+    return false;
+
+  base::StringPiece parsed_data(reinterpret_cast<char*>(contents.data),
+                                contents.len);
+  parsed_data.CopyToString(extension_data);
+  return true;
+}
+
 // Given a |cert|, extract the TBSCertificate from this certificate, also
 // removing the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (that is,
 // the embedded SCT)
 bool ExtractTBSCertWithoutSCTs(CERTCertificate* cert,
                                std::string* to_be_signed) {
   SECOidData* oid = SECOID_FindOIDByTag(g_ct_singleton.Get().embedded_oid());
   if (!oid)
     return false;
 
   // This is a giant hack, due to the fact that NSS does not expose a good API
@@ skipping 27 matching lines @@
                                     &tbs_data,
                                     &temp_cert,
                                     SEC_ASN1_GET(CERT_CertificateTemplate));
   if (!result)
     return false;
 
   to_be_signed->assign(reinterpret_cast<char*>(tbs_data.data), tbs_data.len);
   return true;
 }
 
+// The following code is adapted from the NSS OCSP module, in order to expose
+// the internal structure of an OCSP response.
+
+// ResponseBytes ::=       SEQUENCE {
+//     responseType   OBJECT IDENTIFIER,
+//     response       OCTET STRING }
+struct ResponseBytes {
+  SECItem response_type;
+  SECItem der_response;
+};
+
+const SEC_ASN1Template kResponseBytesTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ResponseBytes) },
+  { SEC_ASN1_OBJECT_ID, offsetof(ResponseBytes, response_type) },
+  { SEC_ASN1_OCTET_STRING, offsetof(ResponseBytes, der_response) },
+  { 0 }
+};
+
+// OCSPResponse ::=     SEQUENCE {
+//      responseStatus          OCSPResponseStatus,
+//      responseBytes           [0] EXPLICIT ResponseBytes OPTIONAL }
+struct OCSPResponse {
+  SECItem response_status;
+  // This indirection is needed because |response_bytes| is an optional
+  // component and we need a way to determine if it is missing.
+  ResponseBytes* response_bytes;
+};
+
+const SEC_ASN1Template kPointerToResponseBytesTemplate[] = {
+  { SEC_ASN1_POINTER, 0, kResponseBytesTemplate }
+};
+
+const SEC_ASN1Template kOCSPResponseTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OCSPResponse) },
+  { SEC_ASN1_ENUMERATED, offsetof(OCSPResponse, response_status) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+    SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(OCSPResponse, response_bytes),
+    kPointerToResponseBytesTemplate },
+  { 0 }
+};
+
+// CertID          ::=     SEQUENCE {
+//   hashAlgorithm       AlgorithmIdentifier,
+//   issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
+//   issuerKeyHash       OCTET STRING, -- Hash of Issuers public key
+//   serialNumber        CertificateSerialNumber }
+struct CertID {
+  SECAlgorithmID hash_algorithm;
+  SECItem issuer_name_hash;
+  SECItem issuer_key_hash;
+  SECItem serial_number;
+};
+
+const SEC_ASN1Template kCertIDTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CertID) },
+  { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(CertID, hash_algorithm),
+    SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+  { SEC_ASN1_OCTET_STRING, offsetof(CertID, issuer_name_hash) },
+  { SEC_ASN1_OCTET_STRING, offsetof(CertID, issuer_key_hash) },
+  { SEC_ASN1_INTEGER, offsetof(CertID, serial_number) },
+  { 0 }
+};
+
+// SingleResponse ::= SEQUENCE {
+//   certID                       CertID,
+//   certStatus                   CertStatus,
+//   thisUpdate                   GeneralizedTime,
+//   nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+//   singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+struct SingleResponse {
+  CertID cert_id;
+  SECItem der_cert_status;
+  SECItem this_update;
+  SECItem next_update;

[wtc, 2013/12/10 04:23:17]

Should this member be a pointer because it is optional?

In the NSS CERTOCSPSingleResponseStr struct, nextUpdate is a pointer.

Update: I think not using a pointer is fine. I found an example of this in
CERTCrl:
http://mxr.mozilla.org/nss/ident?i=CERTCrlStr

NSS tests crl->nextUpdate.data && crl->nextUpdate.len to determine if
crl->nextUpdate is present.

I also found that NSS ASN.1 has a SEC_ASN1_SKIP flag to skip elements we are not
interested in:
http://mxr.mozilla.org/nss/ident?i=CERT_CrlTemplateEntriesOnly

Don't try to use SEC_ASN1_SKIP in this CL. This can be a TODO if you think it's
worth doing.

[ekasper, 2013/12/10 14:45:20]

It should be a pointer if we used this field, but we don't. Checking for .data
and .len works too except you can't distinguish between an empty item, and a
missing one.

I've used SEC_ASN1_SKIP_REST for skipping an unused complex structure. I didn't
think skipping simple fields was important - premature optimization and all that
- but I've added a TODO.

[wtc, 2013/12/12 02:31:45]

Yes, I remember this now. I am impressed by how much you figured out about NSS
ASN.1 templates on your own.
 
I didn't realize you chose not to skip simple fields. You
can remove the TODO comment.

[ekasper, 2013/12/13 13:09:51]

Done.

+  CERTCertExtension** single_extensions;
+};
+
+const SEC_ASN1Template kSingleResponseTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SingleResponse) },
+  { SEC_ASN1_INLINE, offsetof(SingleResponse, cert_id), kCertIDTemplate },
+  // ANY because (a) NSS ASN.1 doesn't support automatic CHOICE and

[wtc, 2013/12/10 04:23:17]

Not sure what you meant by "automatic CHOICE". NSS ASN.1 has SEC_ASN1_CHOICE:
http://mxr.mozilla.org/nss/ident?i=SEC_ASN1_CHOICE

[ekasper, 2013/12/10 14:45:20]

I assumed the comment in ocsp.c was accurate:
 * XXX Because the ASN.1 encoder and decoder currently do not provide
 * a way to automatically handle a CHOICE, we need to do it in two
 * steps, looking at the type tag and feeding the exact choice back
 * to the ASN.1 code. 

Since SEC_ASN1_CHOICE does exist, it would be prudent to validate the CHOICE
tags but I'll leave this for a follow-up.

[wtc, 2013/12/12 02:31:45]

I see. I found that this comment and the other XXX comments asserting the lack
of CHOICE support all came from the initial open-source revision of NSS. So it's
possible that this code was written before NSS could decode CHOICE, or simply
that the author of this code didn't know CHOICE was supported.

+  // (b) we don't care about the contents of this field anyway.
+  { SEC_ASN1_ANY, offsetof(SingleResponse, der_cert_status) },
+  { SEC_ASN1_GENERALIZED_TIME, offsetof(SingleResponse, this_update) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+    SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+    offsetof(SingleResponse, next_update),
+    SEC_ASN1_SUB(SEC_GeneralizedTimeTemplate) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+    SEC_ASN1_CONTEXT_SPECIFIC | 1,
+    offsetof(SingleResponse, single_extensions),
+    SEC_ASN1_SUB(CERT_SequenceOfCertExtensionTemplate) },
+  { 0 }
+};
+
+// ResponseData ::= SEQUENCE {
+//   version              [0] EXPLICIT Version DEFAULT v1,
+//   responderID              ResponderID,
+//   producedAt               GeneralizedTime,
+//   responses                SEQUENCE OF SingleResponse,
+//   responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+struct ResponseData {
+  SECItem version;
+  SECItem der_responder_id;
+  SECItem produced_at;
+  SingleResponse** single_responses;
+  // Skip extensions.
+};
+
+const SEC_ASN1Template kResponseDataTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ResponseData) },
+  { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+    SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+    offsetof(ResponseData, version), SEC_ASN1_SUB(SEC_IntegerTemplate) },
+  // ANY because (a) NSS ASN.1 doesn't support automatic CHOICE and
+  // (b) we don't care about the contents of this field anyway.
+  { SEC_ASN1_ANY, offsetof(ResponseData, der_responder_id) },
+  { SEC_ASN1_GENERALIZED_TIME, offsetof(ResponseData, produced_at) },
+  { SEC_ASN1_SEQUENCE_OF, offsetof(ResponseData, single_responses),
+    kSingleResponseTemplate },
+  { SEC_ASN1_SKIP_REST },
+  { 0 }
+};
+
+// BasicOCSPResponse       ::= SEQUENCE {
+//   tbsResponseData      ResponseData,
+//   signatureAlgorithm   AlgorithmIdentifier,
+//   signature            BIT STRING,
+//   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+struct BasicOCSPResponse {
+  ResponseData tbs_response_data;
+  // We do not care about the rest.
+};
+
+const SEC_ASN1Template kBasicOCSPResponseTemplate[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(BasicOCSPResponse) },
+  { SEC_ASN1_INLINE, offsetof(BasicOCSPResponse, tbs_response_data),
+    kResponseDataTemplate },
+  { SEC_ASN1_SKIP_REST },
+  { 0 }
+};
+
+bool StringEqualToSECItem(const std::string& value1, const SECItem& value2) {
+  if (value1.size() != value2.len)
+    return false;
+  return memcmp(value1.data(), value2.data, value2.len) == 0;
+}
+
+bool CertIDsMatch(const std::string& serial_number,
+                  const std::string& issuer_key_sha1_hash,
+                  const std::string& issuer_key_sha256_hash,
+                  const CertID& cert_id) {

[wtc, 2013/12/10 04:23:17]

1. The NSS version of this function (ocsp_CertIDsMatch)  matches both the
issuer_name_hash and issuer_key_hash. We should at least add a (TODO?) comment
to point that we are not matching issuer_name_hash.

2. Nit: I suggest making |cert_id| the first argument, and renaming this
function "CertIDMatches", or even making this function a method of the CertID
class.

[ekasper, 2013/12/10 14:45:20]

1. Added a TODO

2. Not sure why this preference, but went with it anyway and swapped arguments.
I prefer not to mix the structs effectively borrowed from NSS, and our methods,
though.

[wtc, 2013/12/12 02:31:45]

When I first read the CertIDsMatch, I was confused why it's named "CertIDs
(plural) match" even though there was only one CertID argument. That's why I
thought the CertID argument should be listed more prominently because the
function name said "CertIDs".

Later I checked the NSS ocsp.c code and found this function was inspired by the
NSS ocsp_CertIDsMatch function. Then it all became clear to me. But for the
benefit of future maintainers don't know the history of this code, it's better
for this function to have a name that matches its current form.

[ekasper, 2013/12/13 13:09:51]

Renamed to CertIDMatches.

+  if (!StringEqualToSECItem(serial_number, cert_id.serial_number))
+      return false;
+
+  SECOidTag hash_alg = SECOID_FindOIDTag(&cert_id.hash_algorithm.algorithm);
+  switch (hash_alg) {
+    case SEC_OID_SHA1:
+      return StringEqualToSECItem(issuer_key_sha1_hash,
+                                  cert_id.issuer_key_hash);
+    case SEC_OID_SHA256:
+      return StringEqualToSECItem(issuer_key_sha256_hash,
+                                  cert_id.issuer_key_hash);
+    default:
+      return false;
+  }
+}
+
 }  // namespace
 
 bool ExtractEmbeddedSCTList(X509Certificate::OSCertHandle cert,
                             std::string* sct_list) {
   DCHECK(cert);
 
   NSSCertWrapper leaf_cert(cert);
   if (!leaf_cert.cert)
     return false;
 
-  return GetOctetStringExtension(
-      leaf_cert.cert.get(), g_ct_singleton.Get().embedded_oid(), sct_list);
+  return GetCertOctetStringExtension(leaf_cert.cert.get(),
+                                     g_ct_singleton.Get().embedded_oid(),
+                                     sct_list);
 }
 
 bool GetPrecertLogEntry(X509Certificate::OSCertHandle leaf,
                         X509Certificate::OSCertHandle issuer,
                         LogEntry* result) {
   DCHECK(leaf);
   DCHECK(issuer);
 
   NSSCertWrapper leaf_cert(leaf);
   NSSCertWrapper issuer_cert(issuer);
@@ skipping 57 matching lines @@
   std::string encoded;
   if (!X509Certificate::GetDEREncoded(leaf, &encoded))
     return false;
 
   result->Reset();
   result->type = ct::LogEntry::LOG_ENTRY_TYPE_X509;
   result->leaf_certificate.swap(encoded);
   return true;
 }
 
+bool ExtractSCTListFromOCSPResponse(X509Certificate::OSCertHandle issuer,
+                                    const std::string& cert_serial_number,
+                                    const std::string& ocsp_response,
+                                    std::string* sct_list) {
+  DCHECK(issuer);
+  crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+
+  // QuickDERDecodeItem returns data that points into |src|. This is
+  // ok for us as the decoded items never leave the method scope.
+  SECItem src = { siBuffer,
+                  reinterpret_cast<unsigned char*>(const_cast<char*>(
+                      ocsp_response.data())), ocsp_response.size() };
+
+  OCSPResponse response;
+  memset(&response, 0, sizeof(response));
+
+  SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &response,
+                                        kOCSPResponseTemplate, &src);
+  if (rv != SECSuccess)
+    return false;
+
+  // id-ad-ocsp: 1.3.6.1.5.5.7.48.1.1
+  static const uint8 kBasicOCSPResponseOID[] = { 0x2b, 0x06, 0x01, 0x05, 0x05,
+                                                 0x07, 0x30, 0x01, 0x01 };
+
+  if (!response.response_bytes)
+    return false;
+
+  if (response.response_bytes->response_type.len !=
+      sizeof(kBasicOCSPResponseOID) ||
+      memcmp(response.response_bytes->response_type.data, kBasicOCSPResponseOID,
+             sizeof(kBasicOCSPResponseOID)) != 0) {
+    return false;
+  }
+
+  BasicOCSPResponse basic_response;
+  memset(&basic_response, 0, sizeof(basic_response));
+
+  rv = SEC_QuickDERDecodeItem(arena.get(), &basic_response,
+                              kBasicOCSPResponseTemplate,
+                              &response.response_bytes->der_response);
+  if (rv != SECSuccess)
+    return false;
+
+  SingleResponse** responses =
+      basic_response.tbs_response_data.single_responses;
+  if (!responses)
+    return false;
+
+  std::string issuer_der;
+  if (!X509Certificate::GetDEREncoded(issuer, &issuer_der))
+    return false;
+
+  base::StringPiece issuer_spki;
+  if (!asn1::ExtractSPKIFromDERCert(issuer_der, &issuer_spki))
+    return false;
+
+  // In OCSP, only the key itself is under hash.
+  base::StringPiece issuer_spk;
+  if (!asn1::ExtractSubjectPublicKeyFromSPKI(issuer_spki, &issuer_spk))
+    return false;
+
+  // ExtractSubjectPublicKey... does not remove the leading pad byte from the
+  // BitString so we do it here. For public keys, the pad byte is in practice
+  // always 0.

[wtc, 2013/12/10 04:23:17]

Do you think this is a bug in asn1::ExtractSubjectPublicKeyFromSPKI? But we
can't change it without updating the existing callers.

We should mention that the leading byte is the number of unused bits in the last
byte of the bit string.

Nit: it's a little misleading to call it a pad byte.

[ekasper, 2013/12/10 14:45:20]

Clarified the meaning of the leading byte.

I think the bug is in the RFC that defines the public key as BIT STRING :) It's
hard to handle this elegantly though I suppose, given that we know that we're
dealing with byte-aligned public keys, stripping this byte should happen in
asn1_util.

[wtc, 2013/12/12 02:31:45]

I have to admit that when I checked the OCSP RFC 6960, I could not understand
exactly what should be hashed:

   o  issuerKeyHash is the hash of the issuer's public key.  The hash
      shall be calculated over the value (excluding tag and length) of
      the subject public key field in the issuer's certificate.

I later found a more accurate description of a similar hash in RFC 5280:

      (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
           value of the BIT STRING subjectPublicKey (excluding the tag,
           length, and number of unused bits).

It turns out the OCSP RFC also has something similar:

KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
                         -- (i.e., the SHA-1 hash of the value of the
                         -- BIT STRING subjectPublicKey [excluding
                         -- the tag, length, and number of unused
                         -- bits] in the responder's certificate)

[ekasper, 2013/12/13 13:09:51]

Yep, the RFC is ambiguous there.

+  if (issuer_spk.empty() || issuer_spk[0] != 0)
+    return false;
+  issuer_spk.remove_prefix(1);
+
+  // NSS OCSP lib recognizes SHA1, MD5 and MD2; MD5 and MD2 are dead but
+  // https://bugzilla.mozilla.org/show_bug.cgi?id=663315 will add SHA-256
+  // and SHA-384.
+  // TODO(ekasper): add SHA-384 to crypto/sha2.h and here if it proves
+  // necessary.
+  // TODO(ekasper): only compute the hashes on demand.
+  std::string issuer_key_sha256_hash = crypto::SHA256HashString(issuer_spk);
+  std::string issuer_key_sha1_hash = base::SHA1HashString(
+      issuer_spk.as_string());
+
+  SingleResponse* match = NULL;
+  for (int i = 0; responses[i] != NULL; ++i) {
+    if (CertIDsMatch(cert_serial_number, issuer_key_sha1_hash,
+                     issuer_key_sha256_hash, responses[i]->cert_id)) {
+      match = responses[i];
+      break;
+    }
+  }
+
+  if (!match)
+    return false;
+
+  return GetSCTListFromOCSPExtension(arena.get(), match->single_extensions,
+                                     sct_list);
+}
+
 }  // namespace ct
 
 }  // namespace net