Add nil check to isPrecertificate (#187)

Author: roger2hk

internal/scti/chain_validation.go

@@ -124,6 +124,10 @@ func NewChainValidationOpts(trustedRoots *x509util.PEMCertPool, rejectExpired, r
 // An error is returned if the CT extension is present but is not ASN.1 NULL as defined
 // by the spec.
 func isPrecertificate(cert *x509.Certificate) (bool, error) {
+	if cert == nil {
+		return false, errors.New("nil certificate")
+	}
+
 	for _, ext := range cert.Extensions {
 		if x509.OIDExtensionCTPoison.Equal(ext.Id) {
 			if !ext.Critical || !bytes.Equal(asn1.NullBytes, ext.Value) {

internal/scti/chain_validation_test.go

@@ -212,6 +212,12 @@ func TestIsPrecertificate(t *testing.T) {
 			wantPrecert: false,
 			wantErr:     true,
 		},
+		{
+			desc:        "nil-cert",
+			cert:        nil,
+			wantPrecert: false,
+			wantErr:     true,
+		},
 	}
 
 	for _, test := range tests {