Extract Certificate Transparency SCTs from stapled OCSP responses

net/cert/ct_verifier.h

Index: net/cert/ct_verifier.h
diff --git a/net/cert/ct_verifier.h b/net/cert/ct_verifier.h
index 5a6868680c01b09dcab19fe368cb882f27f449a4..054dce6191aa2399be8f64d3c0f5185341c74de0 100644
--- a/net/cert/ct_verifier.h
+++ b/net/cert/ct_verifier.h
@@ -21,12 +21,15 @@ class NET_EXPORT CTVerifier {
  public:
   virtual ~CTVerifier() {}
 
-  // Verifies either embedded SCTs or SCTs obtained via the
-  // signed_certificate_timestamp TLS extension or OCSP on  the given |cert|
-  // |result| will be filled with these SCTs, divided into categories based on
-  // the verification result.
+  // Verifies SCTs embedded in the certificate itself, SCTs embedded in a
+  // stapled OCSP response, and SCTs obtained via the
+  // signed_certificate_timestamp TLS extension on the given |cert|.
+  // Only some SCT methods may be used for the given |cert|; unused
+  // |stapled_ocsp_response| and |sct_list_from_tls_extension| should be left

[Ryan Sleevi, 2013/12/11 07:33:05]

I don't understand the "unused" comment here, or the sentence preceding.

// A given |cert| may have restrictions on which SCT methods it can be used with

or is it

// If no stapled OCSP response was available, |stapled_ocsp_response| should be
an empty string.
// If no SCT list extension was negotiated, |sct_list_from_tls_extension| should
be an empty string.

[ekasper, 2013/12/11 15:40:51]

Clarified.

+  // empty. |result| will be filled with these SCTs, divided into categories
+  // based on the verification result.
   virtual int Verify(X509Certificate* cert,
-                     const std::string& sct_list_from_ocsp,
+                     const std::string& stapled_ocsp_response,
                      const std::string& sct_list_from_tls_extension,
                      ct::CTVerifyResult* result,
                      const BoundNetLog& net_log) = 0;