From bc36175a53855d941ce0a6c57747aaca6d6db267 Mon Sep 17 00:00:00 2001
From: Andrew Ayer
Date: Sun, 5 Feb 2023 08:18:28 -0500
Subject: [PATCH] Ensure that precertificates match the Merkle leaf input

---
 monitor/process.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/monitor/process.go b/monitor/process.go
index 2b72c16..eb4b7b2 100644
--- a/monitor/process.go
+++ b/monitor/process.go
@@ -74,6 +74,10 @@ func processPrecertLogEntry(ctx context.Context, config *Config, entry *logEntry
 return processMalformedLogEntry(ctx, config, entry, fmt.Errorf("error parsing extra_data for precert entry: %w", err))
 }
 
+ if _, err := certspotter.ValidatePrecert(chain[0], precert.TBSCertificate); err != nil {
+ return processMalformedLogEntry(ctx, config, entry, fmt.Errorf("precertificate in extra_data does not match TBSCertificate in leaf_input: %w", err))
+ }
+
 return processCertificate(ctx, config, entry, certInfo, chain)
 }
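Review bot: `chain[0]` on the added `ValidatePrecert` line is indexed without a length check, so unless the extra_data parser just above is guaranteed to return at least one certificate, an empty chain would panic the monitor on a malformed entry instead of routing it through `processMalformedLogEntry` like the surrounding failure cases do. If the parser does guarantee a non-empty chain, a one-line comment would make that invariant visible at the index site, e.g. `// chain[0] is the precertificate from extra_data; the parser above rejects empty chains`. The new check also deserves a why-comment, since its purpose (inferred from the subject line, confirm) is that only the TBSCertificate in leaf_input is what the log signed and hashed into the tree, so an extra_data precertificate that does not match it must not be trusted: `// Only leaf_input is covered by the SCT/Merkle tree; reject extra_data that does not match it.`. The first return value of `ValidatePrecert` is discarded with `_`; if it carries information worth surfacing to the malformed-entry handler, consider passing it along. processPrecertLogEntry begins above the hunk.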