Index: net/cert/ct_objects_extractor.h |
diff --git a/net/cert/ct_objects_extractor.h b/net/cert/ct_objects_extractor.h |
index de47c8521770f048cd3a9a70450749175947ec19..6a9cc11db5f4f0886c1f5238d9f6072a2a47285b 100644 |
--- a/net/cert/ct_objects_extractor.h |
+++ b/net/cert/ct_objects_extractor.h |
@@ -45,6 +45,26 @@ NET_EXPORT_PRIVATE bool GetPrecertLogEntry(X509Certificate::OSCertHandle leaf, |
NET_EXPORT_PRIVATE bool GetX509LogEntry(X509Certificate::OSCertHandle leaf, |
LogEntry* result); |
+// Extracts a SignedCertificateTimestampList that has been embedded within |
+// an OCSP response as an extension with the OID 1.3.6.1.4.1.11129.2.4.5. |
+// If the extension is present, and matches the serial number of the leaf |
+// certificate, returns true, updating |*sct_list| to contain |
+// the encoded list, minus the DER encoding necessary for the extension. |
+// |*sct_list| can then be further decoded with ct::DecodeSCTList. |
+// |
+// TODO(ekasper): change this to match by the entire CertID in an OCSP response. |
+// We currently do response matching by serial number only, so if the response |
+// contains statuses for different certificates with the same serial number, |
+// this method does not work. However, repeating serial numbers within the same |
+// OCSP response are unlikely to begin with (different CAs would have to be |
+// using the same serial number AND delegating to the same OCSP responder), |
+// and since CT further only uses stapled OCSP responses which are known to |
+// pertain to the server (leaf) certificate, this is a very low concern for us. |
+NET_EXPORT_PRIVATE bool ExtractSCTListFromOCSPResponse( |
+ X509Certificate::OSCertHandle leaf, |
wtc
2013/12/03 21:04:25
Nit: If CT can also be used for CA certificates, I
ekasper
2013/12/04 19:25:15
I've changed it to take a serial number directly.
|
+ const std::string& ocsp_response, |
+ std::string* sct_list); |
+ |
} // namespace ct |
} // namespace net |