Extract Certificate Transparency SCTs from stapled OCSP responses

net/cert/asn1_util.h

Index: net/cert/asn1_util.h
diff --git a/net/cert/asn1_util.h b/net/cert/asn1_util.h
index ed379b3f1223cf9f2cf2aa92fd71082f22c80edc..339b2945c6fe06a803b6ed774ec6187afb154efc 100644
--- a/net/cert/asn1_util.h
+++ b/net/cert/asn1_util.h
@@ -20,6 +20,8 @@ static const unsigned kINTEGER = 0x02;
 static const unsigned kBITSTRING = 0x03;
 static const unsigned kOCTETSTRING = 0x04;
 static const unsigned kOID = 0x06;
+static const unsigned kENUMERATED = 0x0a;
+static const unsigned kGENERALIZEDTIME = 0x18;
 static const unsigned kSEQUENCE = 0x30;
 
 // These are flags that can be ORed with the above tag numbers.
@@ -86,6 +88,16 @@ NET_EXPORT_PRIVATE bool ExtractCRLURLsFromDERCert(
     base::StringPiece cert,
     std::vector<base::StringPiece>* urls_out);
 
+// ExtractSCTExtensionFromOCSPResponse parses the DER encoded OCSP response in
+// |ocsp_response| and extracts the SignedCertificateTimestampList matching the
+// serial number given in |cert_serial_number|. On successful return, the
+// |sct_list_out| is either empty (no response found), or points into
+// |ocsp_response|.
+NET_EXPORT_PRIVATE bool ExtractSCTExtensionFromOCSPResponse(

[Ryan Sleevi, 2013/12/03 21:03:18]

Not LGTM here. We should not be doing this using asn1_util.

asn1_util is only meant to be used over trusted data (eg: validated to some root
of trust). The SCT extraction, by definition, happens before the OCSP validity
checks.

+    base::StringPiece ocsp_response,
+    base::StringPiece cert_serial_number,
+    base::StringPiece* sct_list_out);
+
 } // namespace asn1
 
 } // namespace net