This repository has been archived by the owner on Aug 2, 2023. It is now read-only.
Support for resubmitted certificates and SCTs from a special purpose authority. #1431
The current implementation of X509ChainToEntry does not support certificates with embedded SCTs that were submitted to a certificate log again in order to get SCTs that can additionally be used in TLS handshake extensions or in stapled OCSP responses.
The same implementation also supports only embedded SCTs whose precertificates were issued directly by the issuer of the certificate. However, according to RFC 6962, section 3.1, those precertificates can also be issued by a special-purpose certification authority.
This change addresses both these issues.