Enable Certificate Transparency in the OpenSSL port.

net/socket/ssl_client_socket_unittest.cc

Index: net/socket/ssl_client_socket_unittest.cc
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index f695e27c240f9edff7d8f4397f9f32f854190f2d..2a54431324b8a042e32086e09359ca1e2f973667 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -15,6 +15,8 @@
 #include "net/base/net_log_unittest.h"
 #include "net/base/test_completion_callback.h"
 #include "net/base/test_data_directory.h"
+#include "net/cert/asn1_util.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/test_root_certs.h"
 #include "net/dns/host_resolver.h"
@@ -656,15 +658,52 @@ class AsyncFailingChannelIDStore : public ChannelIDStore {
   virtual void SetForceKeepSessionState() OVERRIDE {}
 };
 
+// A mock CTVerifier that records every call to Verify but doesn't verify
+// anything.
+class MockCTVerifier : public CTVerifier {
+ public:
+  // A single call to Verify.
+  struct Call {
+    scoped_refptr<X509Certificate> cert;
+    std::string stapled_ocsp_response;
+    std::string sct_list_from_tls_extension;
+  };
+
+  MockCTVerifier() {}
+  const std::vector<Call>& calls() const { return calls_; }
+
+  virtual int Verify(X509Certificate* cert,
+                     const std::string& stapled_ocsp_response,
+                     const std::string& sct_list_from_tls_extension,
+                     ct::CTVerifyResult* result,
+                     const BoundNetLog& net_log) OVERRIDE {
+    // Save the call and otherwise do nothing.
+    Call call;
+    call.cert = cert;
+    call.stapled_ocsp_response = stapled_ocsp_response;
+    call.sct_list_from_tls_extension = sct_list_from_tls_extension;
+    calls_.push_back(call);
+    return ERR_CT_NO_SCTS_VERIFIED_OK;
+  }
+
+
+ private:
+  std::vector<Call> calls_;
+
+  DISALLOW_COPY_AND_ASSIGN(MockCTVerifier);
+};
+
 class SSLClientSocketTest : public PlatformTest {
  public:
   SSLClientSocketTest()
       : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
         cert_verifier_(new MockCertVerifier),
+        ct_verifier_(new MockCTVerifier),
         transport_security_state_(new TransportSecurityState),
         ran_handshake_completion_callback_(false) {
     cert_verifier_->set_default_result(OK);
     context_.cert_verifier = cert_verifier_.get();
+    context_.cert_transparency_verifier = ct_verifier_.get();
     context_.transport_security_state = transport_security_state_.get();
   }
 
@@ -742,6 +781,7 @@ class SSLClientSocketTest : public PlatformTest {
 
   ClientSocketFactory* socket_factory_;
   scoped_ptr<MockCertVerifier> cert_verifier_;
+  scoped_ptr<MockCTVerifier> ct_verifier_;
   scoped_ptr<TransportSecurityState> transport_security_state_;
   SSLClientSocketContext context_;
   scoped_ptr<SSLClientSocket> sock_;
@@ -2511,12 +2551,12 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) {
   log.GetEntries(&entries);
   EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
 
-#if !defined(USE_OPENSSL)
+  // Check that the SCT extension was extracted in the expected format.
   EXPECT_TRUE(sock->signed_cert_timestamps_received_);
-#else
-  // Enabling CT for OpenSSL is currently a noop.
-  EXPECT_FALSE(sock->signed_cert_timestamps_received_);
-#endif
+  ASSERT_EQ(1u, ct_verifier_->calls().size());
+  MockCTVerifier::Call call = ct_verifier_->calls()[0];
+  EXPECT_EQ("", call.stapled_ocsp_response);

[Ryan Sleevi, 2014/08/28 21:01:02]

EXPECT_TRUE(.empty())

[davidben, 2014/08/28 21:23:25]

Done.

+  EXPECT_EQ("test", call.sct_list_from_tls_extension);
 
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
@@ -2570,12 +2610,24 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) {
   log.GetEntries(&entries);
   EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
 
-#if !defined(USE_OPENSSL)
+  // Check that the OCSP response was extracted in the expected format.
   EXPECT_TRUE(sock->stapled_ocsp_response_received_);
-#else
-  // OCSP stapling isn't currently supported in the OpenSSL socket.
-  EXPECT_FALSE(sock->stapled_ocsp_response_received_);
-#endif
+  EXPECT_EQ(1u, ct_verifier_->calls().size());
+  MockCTVerifier::Call call = ct_verifier_->calls()[0];
+  EXPECT_EQ("", call.sct_list_from_tls_extension);

[Ryan Sleevi, 2014/08/28 21:01:02]

EXPECT_TRUE(.empty())

[davidben, 2014/08/28 21:23:25]

Done.

+
+  // The stapled OCSPResponse is generated each time. It should be the DER
+  // encoding of an OCSPResponse (RFC 2560), so check that it consists of a
+  // SEQUENCE of an ENUMERATED type and an element tagged with [0] EXPLICIT.
+  base::StringPiece ocsp_response(call.stapled_ocsp_response);
+  base::StringPiece sequence, response_status, response_bytes;
+  EXPECT_TRUE(asn1::GetElement(&ocsp_response, asn1::kSEQUENCE, &sequence));
+  EXPECT_TRUE(ocsp_response.empty());
+  EXPECT_TRUE(asn1::GetElement(&sequence, asn1::kENUMERATED, &response_status));
+  EXPECT_TRUE(asn1::GetElement(&sequence,
+                               asn1::kContextSpecific | asn1::kConstructed | 0,
+                               &response_status));
+  EXPECT_TRUE(sequence.empty());
 
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());