Extract Certificate Transparency SCTs from stapled OCSP responses

third_party/tlslite/tlslite/TLSConnection.py

Index: third_party/tlslite/tlslite/TLSConnection.py
diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
index e6ce1870de4781f627dc761c517f735f2ff5da99..94ee5eb7bf3e3b8a1ff5118dcf18e449c39f08fc 100644
--- a/third_party/tlslite/tlslite/TLSConnection.py
+++ b/third_party/tlslite/tlslite/TLSConnection.py
@@ -937,8 +937,8 @@ class TLSConnection(TLSRecordLayer):
                         certChain=None, privateKey=None, reqCert=False,
                         sessionCache=None, settings=None, checker=None,
                         reqCAs=None, tlsIntolerant=0,
-                        signedCertTimestamps=None,
-                        fallbackSCSV=False):
+                        signedCertTimestamps=None, fallbackSCSV=False,
+                        ocspResponse=None):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
@@ -1014,6 +1014,16 @@ class TLSConnection(TLSRecordLayer):
         binary 8-bit string) that will be sent as a TLS extension whenever
         the client announces support for the extension.
 
+        @type ocspResponse: str
+        @param ocspResponse: An OCSP response (as a binary 8-bit string) that
+        will be sent stapled in the handshake whenever the client announces
+        support for the status_request extension.
+        Note that the response is sent independent of the ClientHello
+        status_request extension contents, and is thus only meant for testing
+        environments. Real OCSP stapling is more complicated as it requires
+        choosing a suitable response based on the ClientHello status_request
+        extension contents.
+
         @raise socket.error: If a socket error occurs.
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
@@ -1024,7 +1034,7 @@ class TLSConnection(TLSRecordLayer):
         for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
                 certChain, privateKey, reqCert, sessionCache, settings,
                 checker, reqCAs, tlsIntolerant, signedCertTimestamps,
-                fallbackSCSV):
+                fallbackSCSV, ocspResponse):
             pass
 
 
@@ -1033,7 +1043,7 @@ class TLSConnection(TLSRecordLayer):
                              sessionCache=None, settings=None, checker=None,
                              reqCAs=None, tlsIntolerant=0,
                              signedCertTimestamps=None,
-                             fallbackSCSV=False):
+                             fallbackSCSV=False, ocspResponse=None):
         """Start a server handshake operation on the TLS connection.
 
         This function returns a generator which behaves similarly to
@@ -1053,7 +1063,8 @@ class TLSConnection(TLSRecordLayer):
             reqCAs=reqCAs,
             tlsIntolerant=tlsIntolerant,
             signedCertTimestamps=signedCertTimestamps,
-            fallbackSCSV=fallbackSCSV)
+            fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse)
+
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
 
@@ -1062,7 +1073,7 @@ class TLSConnection(TLSRecordLayer):
                                     certChain, privateKey, reqCert,
                                     sessionCache, settings, reqCAs,
                                     tlsIntolerant, signedCertTimestamps,
-                                    fallbackSCSV):
+                                    fallbackSCSV, ocspResponse):
 
         self._handshakeStart(client=False)
 
@@ -1439,10 +1450,14 @@ class TLSConnection(TLSRecordLayer):
                     sessionID, cipherSuite, certificateType)
             serverHello.channel_id = clientHello.channel_id
             if clientHello.support_signed_cert_timestamps:
-                serverHello.signed_cert_timestamps = signedCertTimestamps
+              serverHello.signed_cert_timestamps = signedCertTimestamps
+            serverHello.status_request = (clientHello.status_request and
+                                          ocspResponse)
             doingChannelID = clientHello.channel_id
             msgs.append(serverHello)
             msgs.append(Certificate(certificateType).create(serverCertChain))
+            if serverHello.status_request:
+                msgs.append(CertificateStatus().create(ocspResponse))
             if reqCert and reqCAs:
                 msgs.append(CertificateRequest().create([], reqCAs))
             elif reqCert: