
Unified Diff: net/http/transport_security_state_unittest.cc

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Start writing tests Created 4 years, 6 months ago
Index: net/http/transport_security_state_unittest.cc
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
index 9f092d84a8462f27928f5630af1fd225c51681d9..c1f36e142e0a73107b3c15e8dbe045031f921c23 100644
--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -26,6 +26,7 @@
#include "net/cert/cert_verifier.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/ct_policy_status.h"
+#include "net/cert/internal/test_helpers.h"
#include "net/cert/test_root_certs.h"
#include "net/cert/x509_cert_types.h"
#include "net/cert/x509_certificate.h"
@@ -1851,4 +1852,88 @@ TEST_F(TransportSecurityStateTest, ExpectCTReporter) {
EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri());
}
+static const char kOCSPPathPrefix[] = "net/data/parse_ocsp_unittest/";
svaldez 2016/06/13 14:03:04 Doesn't need to be static?
dadrian 2016/06/13 23:03:32 Done.
+
+class MockExpectStapleReportSender : public MockCertificateReportSender {
+ public:
+ bool ReportSent() { return latest_report() != ""; }
+};
+
+class ExpectStapleTest : public TransportSecurityStateTest {
+ public:
+ void SetUp() override {
+ TransportSecurityStateTest::SetUp();
+ security_state_.SetReportSender(&report_sender_);
+ EnableStaticExpectStaple(&security_state_);
+ }
+
+ struct OCSPTest {
+ std::string ocsp_response;
+ scoped_refptr<X509Certificate> certificate;
+ };
+
+ static bool LoadOCSPFromFile(std::string file_name, OCSPTest* ocsp) {
+ std::string ca_data;
+ std::string cert_data;
+ const PemBlockMapping mappings[] = {
+ {"OCSP RESPONSE", &ocsp->ocsp_response},
+ {"CA CERTIFICATE", &ca_data},
+ {"CERTIFICATE", &cert_data},
+ };
+ std::string full_path = std::string(kOCSPPathPrefix) + file_name;
+ if (!ReadTestDataFromPemFile(full_path, mappings))
+ return false;
+
+ // Parse the server certificate
+ CertificateList server_cert_list =
+ X509Certificate::CreateCertificateListFromBytes(
+ cert_data.data(), cert_data.size(),
+ X509Certificate::FORMAT_SINGLE_CERTIFICATE);
+ ocsp->certificate = server_cert_list[0];
+ return true;
+ }
+
+ static TransportSecurityState::ExpectStapleState
+ GetDefaultExpectStapleState() {
+ TransportSecurityState::ExpectStapleState state;
+ state.domain = "example.com"; // Doesn't matter
svaldez 2016/06/13 14:03:04 Can you use kHost?
dadrian 2016/06/13 23:03:32 Done.
+ state.report_uri = GURL("reports.example.com/expect-staple");
svaldez 2016/06/13 14:03:04 Use constant.
dadrian 2016/06/13 23:03:32 Done.
+ state.include_subdomains = false;
+ return state;
+ }
+
+ protected:
+ void CheckExpectStaple(const OCSPTest& ocsp) {
+ TransportSecurityState::ExpectStapleState expect_staple_state =
+ GetDefaultExpectStapleState();
+ HostPortPair host_port(kExpectCTStaticHostname, 443);
+ security_state_.CheckExpectStaple(host_port, expect_staple_state,
+ *ocsp.certificate, ocsp.ocsp_response);
+ }
+
+ TransportSecurityState security_state_;
+ MockExpectStapleReportSender report_sender_;
+};
+
+TEST_F(ExpectStapleTest, Valid) {
+ OCSPTest ocsp;
+ ASSERT_TRUE(LoadOCSPFromFile("good_response.pem", &ocsp));
+ CheckExpectStaple(ocsp);
+ EXPECT_FALSE(report_sender_.ReportSent());
+};
+
+TEST_F(ExpectStapleTest, ValidWithExtension) {
+ OCSPTest ocsp;
+ ASSERT_TRUE(LoadOCSPFromFile("has_extension.pem", &ocsp));
+ CheckExpectStaple(ocsp);
+ EXPECT_FALSE(report_sender_.ReportSent());
+};
+
+TEST_F(ExpectStapleTest, MissingSingleResponse) {
+ OCSPTest ocsp;
+ ASSERT_TRUE(LoadOCSPFromFile("missing_response.pem", &ocsp));
+ CheckExpectStaple(ocsp);
+ EXPECT_TRUE(report_sender_.ReportSent());
+};
+
} // namespace net
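Review bot: `LoadOCSPFromFile` indexes `server_cert_list[0]` without checking that `CreateCertificateListFromBytes` returned at least one certificate, so a test data file whose CERTIFICATE block fails to parse would read past an empty vector instead of failing the `ASSERT_TRUE` at the call site. Adding `if (server_cert_list.empty()) return false;` before the assignment keeps that failure inside the helper's bool contract. Separately, `ca_data` is filled from the "CA CERTIFICATE" block but is not used anywhere in the visible lines. If the issuer is not needed for these checks, a short comment such as `// Mapped only so the PEM reader accepts the file; the issuer is not used here.` would make that intent explicit, assuming that is indeed why it is mapped.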
