Enable Certificate Transparency in the OpenSSL port.

net/socket/ssl_client_socket_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include "base/callback_helpers.h"
 #include "base/memory/ref_counted.h"
 #include "base/run_loop.h"
 #include "base/time/time.h"
 #include "net/base/address_list.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/net_log_unittest.h"
 #include "net/base/test_completion_callback.h"
 #include "net/base/test_data_directory.h"
+#include "net/cert/asn1_util.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/test_root_certs.h"
 #include "net/dns/host_resolver.h"
 #include "net/http/transport_security_state.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/socket_test_util.h"
 #include "net/socket/tcp_client_socket.h"
 #include "net/ssl/channel_id_service.h"
 #include "net/ssl/default_channel_id_store.h"
@@ skipping 621 matching lines @@
                                        base::Time delete_end,
                                        const base::Closure& completion_callback)
       OVERRIDE {}
   virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {}
   virtual void GetAllChannelIDs(const GetChannelIDListCallback& callback)
       OVERRIDE {}
   virtual int GetChannelIDCount() OVERRIDE { return 0; }
   virtual void SetForceKeepSessionState() OVERRIDE {}
 };
 
+// A mock CTVerifier that records every call to Verify but doesn't verify
+// anything.
+class MockCTVerifier : public CTVerifier {
+ public:
+  // A single call to Verify.
+  struct Call {
+    scoped_refptr<X509Certificate> cert;
+    std::string stapled_ocsp_response;
+    std::string sct_list_from_tls_extension;
+  };
+
+  MockCTVerifier() {}
+  const std::vector<Call>& calls() const { return calls_; }
+
+  virtual int Verify(X509Certificate* cert,
+                     const std::string& stapled_ocsp_response,
+                     const std::string& sct_list_from_tls_extension,
+                     ct::CTVerifyResult* result,
+                     const BoundNetLog& net_log) OVERRIDE {
+    // Save the call and otherwise do nothing.
+    Call call;
+    call.cert = cert;
+    call.stapled_ocsp_response = stapled_ocsp_response;
+    call.sct_list_from_tls_extension = sct_list_from_tls_extension;
+    calls_.push_back(call);
+    return ERR_CT_NO_SCTS_VERIFIED_OK;
+  }
+
+
+ private:
+  std::vector<Call> calls_;
+
+  DISALLOW_COPY_AND_ASSIGN(MockCTVerifier);
+};
+
 class SSLClientSocketTest : public PlatformTest {
  public:
   SSLClientSocketTest()
       : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
         cert_verifier_(new MockCertVerifier),
+        ct_verifier_(new MockCTVerifier),
         transport_security_state_(new TransportSecurityState),
         ran_handshake_completion_callback_(false) {
     cert_verifier_->set_default_result(OK);
     context_.cert_verifier = cert_verifier_.get();
+    context_.cert_transparency_verifier = ct_verifier_.get();
     context_.transport_security_state = transport_security_state_.get();
   }
 
   void RecordCompletedHandshake() { ran_handshake_completion_callback_ = true; }
 
  protected:
   // The address of the spawned test server, after calling StartTestServer().
   const AddressList& addr() const { return addr_; }
 
   // The SpawnedTestServer object, after calling StartTestServer().
@@ skipping 57 matching lines @@
       LOG(ERROR) << "SSL Socket prematurely connected";
       return false;
     }
 
     *result = callback_.GetResult(sock_->Connect(callback_.callback()));
     return true;
   }
 
   ClientSocketFactory* socket_factory_;
   scoped_ptr<MockCertVerifier> cert_verifier_;
+  scoped_ptr<MockCTVerifier> ct_verifier_;
   scoped_ptr<TransportSecurityState> transport_security_state_;
   SSLClientSocketContext context_;
   scoped_ptr<SSLClientSocket> sock_;
   CapturingNetLog log_;
   bool ran_handshake_completion_callback_;
 
  private:
   scoped_ptr<StreamSocket> transport_;
   scoped_ptr<SpawnedTestServer> test_server_;
   TestCompletionCallback callback_;
@@ skipping 1749 matching lines @@
   CapturingNetLog::CapturedEntryList entries;
   log.GetEntries(&entries);
   EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
   if (rv == ERR_IO_PENDING)
     rv = callback.WaitForResult();
   EXPECT_EQ(OK, rv);
   EXPECT_TRUE(sock->IsConnected());
   log.GetEntries(&entries);
   EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
 
-#if !defined(USE_OPENSSL)
+  // Check that the SCT extension was extracted in the expected format.
   EXPECT_TRUE(sock->signed_cert_timestamps_received_);
-#else
-  // Enabling CT for OpenSSL is currently a noop.
-  EXPECT_FALSE(sock->signed_cert_timestamps_received_);
-#endif
+  ASSERT_EQ(1u, ct_verifier_->calls().size());
+  MockCTVerifier::Call call = ct_verifier_->calls()[0];
+  EXPECT_EQ("", call.stapled_ocsp_response);

[Ryan Sleevi, 2014/08/28 21:01:02]

EXPECT_TRUE(.empty())

[davidben, 2014/08/28 21:23:25]

Done.

+  EXPECT_EQ("test", call.sct_list_from_tls_extension);
 
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
 }
 
 // Test that enabling Signed Certificate Timestamps enables OCSP stapling.
 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) {
   SpawnedTestServer::SSLOptions ssl_options;
   ssl_options.staple_ocsp_response = true;
   // The test server currently only knows how to generate OCSP responses
@@ skipping 33 matching lines @@
   CapturingNetLog::CapturedEntryList entries;
   log.GetEntries(&entries);
   EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
   if (rv == ERR_IO_PENDING)
     rv = callback.WaitForResult();
   EXPECT_EQ(OK, rv);
   EXPECT_TRUE(sock->IsConnected());
   log.GetEntries(&entries);
   EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
 
-#if !defined(USE_OPENSSL)
+  // Check that the OCSP response was extracted in the expected format.
   EXPECT_TRUE(sock->stapled_ocsp_response_received_);
-#else
-  // OCSP stapling isn't currently supported in the OpenSSL socket.
-  EXPECT_FALSE(sock->stapled_ocsp_response_received_);
-#endif
+  EXPECT_EQ(1u, ct_verifier_->calls().size());
+  MockCTVerifier::Call call = ct_verifier_->calls()[0];
+  EXPECT_EQ("", call.sct_list_from_tls_extension);

[Ryan Sleevi, 2014/08/28 21:01:02]

EXPECT_TRUE(.empty())

[davidben, 2014/08/28 21:23:25]

Done.

+
+  // The stapled OCSPResponse is generated each time. It should be the DER
+  // encoding of an OCSPResponse (RFC 2560), so check that it consists of a
+  // SEQUENCE of an ENUMERATED type and an element tagged with [0] EXPLICIT.
+  base::StringPiece ocsp_response(call.stapled_ocsp_response);
+  base::StringPiece sequence, response_status, response_bytes;
+  EXPECT_TRUE(asn1::GetElement(&ocsp_response, asn1::kSEQUENCE, &sequence));
+  EXPECT_TRUE(ocsp_response.empty());
+  EXPECT_TRUE(asn1::GetElement(&sequence, asn1::kENUMERATED, &response_status));
+  EXPECT_TRUE(asn1::GetElement(&sequence,
+                               asn1::kContextSpecific | asn1::kConstructed | 0,
+                               &response_status));
+  EXPECT_TRUE(sequence.empty());
 
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
 }
 
 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) {
   SpawnedTestServer::SSLOptions ssl_options;
   ssl_options.signed_cert_timestamps_tls_ext = "test";
 
   SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
@@ skipping 401 matching lines @@
   ssl_config.channel_id_enabled = true;
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
 
   EXPECT_EQ(ERR_UNEXPECTED, rv);
   EXPECT_FALSE(sock_->IsConnected());
 }
 
 }  // namespace net