Closed asteinha closed 6 years ago
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
:memo: Please visit https://cla.developers.google.com/ to sign.
Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for the commit author(s). If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again. If the bot doesn't comment, it means it doesn't think anything has changed.
The current implementation of X509ChainToEntry does not support certificates with embedded SCTs that were submitted to a certificate log again in order to get SCTs that can additionally be used in TLS handshake extensions or in stapled OCSP responses.
The same implementation also supports only embedded SCTs whose precertificates were issued directly by the issuer of the certificate. However, according to RFC 6962, section 3.1, those precertificates can also be issued by a special-purpose certification authority.
This change addresses both these issues.