Extract Certificate Transparency SCTs from stapled OCSP responses

net/cert/asn1_util.h

Index: net/cert/asn1_util.h
diff --git a/net/cert/asn1_util.h b/net/cert/asn1_util.h
index ed379b3f1223cf9f2cf2aa92fd71082f22c80edc..d32ff5f21daf00ae0177b410ae0b1b892ba093fb 100644
--- a/net/cert/asn1_util.h
+++ b/net/cert/asn1_util.h
@@ -20,6 +20,8 @@ static const unsigned kINTEGER = 0x02;
 static const unsigned kBITSTRING = 0x03;
 static const unsigned kOCTETSTRING = 0x04;
 static const unsigned kOID = 0x06;
+static const unsigned kENUMERATED = 0x0a;
+static const unsigned kGENERALIZEDTIME = 0x18;
 static const unsigned kSEQUENCE = 0x30;
 
 // These are flags that can be ORed with the above tag numbers.
@@ -86,6 +88,15 @@ NET_EXPORT_PRIVATE bool ExtractCRLURLsFromDERCert(
     base::StringPiece cert,
     std::vector<base::StringPiece>* urls_out);
 
+// ExtractSCTExtensionFromOCSPResponse parses the DER encoded OCSP response in
+// |ocsp_response| and extracts the SignedCertificateTimestampList matching the
+// serial number given in |cert_serial_number|. On successful return, the
+// |sct_list_out| is either empty (no response found), or points into |cert|.

[wtc, 2013/12/03 01:18:06]

Typo: |cert| => |ocsp_response|

[ekasper, 2013/12/03 13:50:51]

Done.

+NET_EXPORT_PRIVATE bool ExtractSCTExtensionFromOCSPResponse(
+    base::StringPiece ocsp_response,
+    const base::StringPiece& cert_serial_number,

[wtc, 2013/12/03 01:18:06]

Nit: this should be base::StringPiece, without the const ref. (We are not very
consistent about this, but we should be consistent within a function.)

[ekasper, 2013/12/03 13:50:51]

The other one can't be const because it's modified; |cert_serial_number| is
const. But, done.

+    base::StringPiece* sct_list_out);
+
 } // namespace asn1
 
 } // namespace net