Extract PreCert from final certificate
RFC 6962, §3.2:
Note that it is also possible to reconstruct this TBSCertificate from the final certificate by extracting the TBSCertificate from it and deleting the SCT extension. Also note that since the TBSCertificate contains an AlgorithmIdentifier that must match both the Precertificate signature algorithm and final certificate signature algorithm, they must be signed with the same algorithm and parameters. If the Precertificate is issued using a Precertificate Signing Certificate and an Authority Key Identifier extension is present in the TBSCertificate, the corresponding extension must also be present in the Precertificate Signing Certificate -- in this case, the TBSCertificate also has its Authority Key Identifier changed to match the final issuer.
So what we need is something like
    func PrecertificateTBS(crt *x509.Certificate, issuerHash [32]byte) ([]byte, error) {
        return nil, fmt.Errorf("TODO")
    }
to verify embedded SCT signatures.