Implement Expect-Staple

net/cert/expect_staple_report_unittest.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/expect_staple_report.h"
+
+#include "base/macros.h"
+#include "net/base/host_port_pair.h"
+#include "net/cert/internal/test_helpers.h"
+
+namespace net {
+
+namespace {
+
+const char kOCSPPathPrefix[] = "net/data/parse_ocsp_unittest/";
+
+const base::TimeDelta kOCSPResponseMaxAge = base::TimeDelta::FromDays(3650);
+
+struct OCSPTest {
+  std::string response;
+  scoped_refptr<X509Certificate> certificate;
+};
+
+bool LoadOCSPFromFile(std::string file_name, OCSPTest* ocsp) {
+  std::string ca_data;
+  std::string cert_data;
+  const PemBlockMapping mappings[] = {
+      {"OCSP RESPONSE", &ocsp->response},
+      {"CA CERTIFICATE", &ca_data},
+      {"CERTIFICATE", &cert_data},
+  };
+  std::string full_path = std::string(kOCSPPathPrefix) + file_name;
+  if (!ReadTestDataFromPemFile(full_path, mappings))
+    return false;
+
+  // Parse the server certificate
+  CertificateList server_cert_list =
+      X509Certificate::CreateCertificateListFromBytes(
+          cert_data.data(), cert_data.size(),
+          X509Certificate::FORMAT_SINGLE_CERTIFICATE);
+  ocsp->certificate = server_cert_list[0];
+  return true;
+}
+
+}  // namespace
+
+class ExpectStapleReportTest : public testing::Test {
+ public:
+  ExpectStapleReportTest() {}
+
+ protected:
+  void SetUp() override { verify_time_ = base::Time::Now(); }

[svaldez, 2016/06/16 11:14:38]

Maybe hardcode this so that the tests don't break?

[dadrian, 2016/06/16 19:20:18]

Done.

+
+  std::unique_ptr<ExpectStapleReport> MakeReport(const OCSPTest& ocsp) {
+    std::unique_ptr<ExpectStapleReport> report =
+        ExpectStapleReport::FromRawOCSPResponse(ocsp.response, verify_time_,
+                                                kOCSPResponseMaxAge,
+                                                *ocsp.certificate);
+    return report;
+  }
+
+  base::Time verify_time_;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(ExpectStapleReportTest);
+};
+
+TEST_F(ExpectStapleReportTest, Valid) {
+  OCSPTest ocsp;
+  ASSERT_TRUE(LoadOCSPFromFile("good_response.pem", &ocsp));
+  auto report = MakeReport(ocsp);
+  ASSERT_TRUE(report);
+  EXPECT_EQ(ExpectStapleReport::StapleError::OK, report->staple_error());
+  EXPECT_EQ(verify_time_, report->verify_time());
+  const auto& stapled_responses = report->stapled_responses();
+  ASSERT_EQ(1u, stapled_responses.size());
+  EXPECT_TRUE(stapled_responses[0].is_date_valid);
+  EXPECT_TRUE(stapled_responses[0].is_correct_certificate);
+  EXPECT_EQ(OCSPCertStatus::Status::GOOD, stapled_responses[0].status);
+};
+
+TEST_F(ExpectStapleReportTest, ValidWithExtension) {
+  OCSPTest ocsp;
+  ASSERT_TRUE(LoadOCSPFromFile("has_extension.pem", &ocsp));
+  auto report = MakeReport(ocsp);
+  ASSERT_TRUE(report);
+  EXPECT_EQ(ExpectStapleReport::StapleError::OK, report->staple_error());
+  EXPECT_EQ(verify_time_, report->verify_time());
+};
+
+TEST_F(ExpectStapleReportTest, MissingSingleResponse) {
+  OCSPTest ocsp;
+  ASSERT_TRUE(LoadOCSPFromFile("missing_response.pem", &ocsp));
+  auto report = MakeReport(ocsp);
+  ASSERT_TRUE(report);
+  EXPECT_EQ(ExpectStapleReport::StapleError::NO_MATCHING_RESPONSE,
+            report->staple_error());
+  EXPECT_EQ(verify_time_, report->verify_time());
+  const auto& stapled_responses = report->stapled_responses();
+  EXPECT_EQ(0u, stapled_responses.size());
+};
+
+TEST_F(ExpectStapleReportTest, MultipleResponse) {
+  OCSPTest ocsp;
+  ASSERT_TRUE(LoadOCSPFromFile("multiple_response.pem", &ocsp));
+  auto report = MakeReport(ocsp);
+  ASSERT_TRUE(report);
+  EXPECT_EQ(ExpectStapleReport::StapleError::OK, report->staple_error());
+  EXPECT_EQ(verify_time_, report->verify_time());
+  const auto& stapled_responses = report->stapled_responses();
+  ASSERT_EQ(2u, stapled_responses.size());
+  for (const auto& staple : stapled_responses) {
+    EXPECT_TRUE(staple.is_date_valid);
+    EXPECT_TRUE(staple.is_correct_certificate);
+  }
+  EXPECT_EQ(OCSPCertStatus::Status::GOOD, stapled_responses[0].status);
+  EXPECT_EQ(OCSPCertStatus::Status::UNKNOWN, stapled_responses[1].status);
+};
+
+TEST_F(ExpectStapleReportTest, RevokeResponse) {
+  OCSPTest ocsp;
+  ASSERT_TRUE(LoadOCSPFromFile("revoke_response.pem", &ocsp));
+  auto report = MakeReport(ocsp);
+  ASSERT_TRUE(report);
+  EXPECT_EQ(ExpectStapleReport::StapleError::NO_MATCHING_RESPONSE,
+            report->staple_error());
+  EXPECT_EQ(verify_time_, report->verify_time());
+  const auto& stapled_responses = report->stapled_responses();
+  ASSERT_EQ(1u, stapled_responses.size());
+  EXPECT_TRUE(stapled_responses[0].is_date_valid);
+  EXPECT_TRUE(stapled_responses[0].is_correct_certificate);
+  EXPECT_EQ(OCSPCertStatus::Status::REVOKED, stapled_responses[0].status);
+};
+
+}  // namespace