type CertBlacklistEntry struct {
	IssuerCN  string
	serialNum *big.Int
}

var CertBlacklist []CertBlacklistEntry

// RejectBlacklistedCerts returns an error if the remote server of conn has
// presented a certificate present in the blacklist.
func RejectBlacklistedCerts(conn *tls.Conn, cfg *tls.Config) error {
	cs := conn.ConnectionState()
	if cs.VerifiedChains == nil {
		return errors.New("http: TLS verification completed but no verified chains")
	}
	for _, chain := range cs.VerifiedChains {
		serverCert := chain[0]
		for j := range CertBlacklist {
			if serverCert.Issuer.CommonName != CertBlacklist[j].IssuerCN {
				continue
			}
			if serverCert.SerialNumber.Cmp(CertBlacklist[j].serialNum) != 0 {
				continue
			}
			return fmt.Errorf("server presented a blacklisted cert: %q (serial %s) issued by %q",
				serverCert.Subject.CommonName, serverCert.SerialNumber, serverCert.Issuer.CommonName,
			)
		}
	}
	return nil
}