[RFC 6962] s2n Client can Validate Signed Certificate Timestamp TLS Extension

[alexw91]

RFC: https://tools.ietf.org/html/rfc6962

Right now the s2n Client can request and accept SCT TLS Extensions, but does not validate the extension.

Function s2n_recv_server_sct_list() in s2n_server_extensions.c conn->ct_response is never validated before being copied to the connection struct.

[baldwinmatt]

i'm working on a PR which will add an extension callback which can be invoked for a specific extension, and it will pass in the data from the peer. this can be used to validate OCSP, SCT and potentially other data.

[xonatius]

I think most certificates today have SCT embedded into X509, so would be nice to validate those too. Not sure if this should be part of this story or a separate one.