Index: net/cert/ct_objects_extractor.h |
diff --git a/net/cert/ct_objects_extractor.h b/net/cert/ct_objects_extractor.h |
index de47c8521770f048cd3a9a70450749175947ec19..314f800efb51f929471a1b4f4ef37e0b741e8698 100644 |
--- a/net/cert/ct_objects_extractor.h |
+++ b/net/cert/ct_objects_extractor.h |
@@ -45,6 +45,24 @@ NET_EXPORT_PRIVATE bool GetPrecertLogEntry(X509Certificate::OSCertHandle leaf, |
NET_EXPORT_PRIVATE bool GetX509LogEntry(X509Certificate::OSCertHandle leaf, |
LogEntry* result); |
+// Extracts a SignedCertificateTimestampList that has been embedded within |
+// an OCSP response as an extension with the OID 1.3.6.1.4.1.11129.2.4.5. |
+// If the extension is present, and matches the serial number of the leaf |
+// certificate, returns true, updating |*sct_list| to contain |
+// the encoded list, minus the DER encoding necessary for the extension. |
+// |*sct_list| can then be further decoded with ct::DecodeSCTList. |
+// |
+// Note that we do response matching by serial number only so if the response |
wtc
2013/12/03 01:18:06
Nit: add a comma (,) after "by serial number only"
ekasper
2013/12/03 13:50:51
Done.
|
+// contains statuses for different certificates with the same serial number, |
+// this method does not work. However, repeating serial numbers within the same |
wtc
2013/12/03 01:18:06
I don't think we need to worry about this, because
ekasper
2013/12/03 13:50:51
In theory we should. In practice a collision here
|
+// OCSP response are unlikely to begin with, and since CT further only |
+// uses stapled OCSP responses which are known to pertain to the server (leaf) |
+// certificate, this is a non-concern for us. |
+NET_EXPORT_PRIVATE bool ExtractSCTListFromOCSPResponse( |
+ X509Certificate::OSCertHandle leaf, |
+ const std::string& ocsp_response, |
+ std::string* sct_list); |
+ |
} // namespace ct |
} // namespace net |