Add support for fetching Certificate Transparency SCTs over a TLS extension

net/tools/testserver/testserver.py

Index: net/tools/testserver/testserver.py
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index e0317e8868524bece9b141f20b74a02c3faae673..af57a113ed3950fee18392a6991f5cc8a91d3f0a 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -128,7 +128,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
 
   def __init__(self, server_address, request_hander_class, pem_cert_and_key,
                ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers,
-               record_resume_info, tls_intolerant):
+               record_resume_info, tls_intolerant, signed_cert_timestamps):
     self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key)
     # Force using only python implementation - otherwise behavior is different
     # depending on whether m2crypto Python module is present (error is thrown
@@ -140,6 +140,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
     self.ssl_client_auth = ssl_client_auth
     self.ssl_client_cas = []
     self.tls_intolerant = tls_intolerant
+    self.signed_cert_timestamps = signed_cert_timestamps
 
     for ca_file in ssl_client_cas:
       s = open(ca_file).read()
@@ -171,7 +172,9 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
                                     reqCert=self.ssl_client_auth,
                                     settings=self.ssl_handshake_settings,
                                     reqCAs=self.ssl_client_cas,
-                                    tlsIntolerant=self.tls_intolerant)
+                                    tlsIntolerant=self.tls_intolerant,
+                                    signedCertTimestamps=
+                                    self.signed_cert_timestamps)
       tlsConnection.ignoreAbruptClose = True
       return True
     except tlslite.api.TLSAbruptCloseError:
@@ -1933,7 +1936,8 @@ class ServerRunner(testserver_base.TestServerRunner):
                              self.options.ssl_client_ca,
                              self.options.ssl_bulk_cipher,
                              self.options.record_resume,
-                             self.options.tls_intolerant)
+                             self.options.tls_intolerant,
+                             self.options.signed_cert_timestamps)
         print 'HTTPS server started on %s:%d...' % (host, server.server_port)
       else:
         server = HTTPServer((host, port), TestPageHandler)
@@ -2071,6 +2075,12 @@ class ServerRunner(testserver_base.TestServerRunner):
                                   'aborted. 2 means TLS 1.1 or higher will be '
                                   'aborted. 3 means TLS 1.2 or higher will be '
                                   'aborted.')
+    self.option_parser.add_option('--signed-cert-timestamps',
+                                  dest='signed_cert_timestamps',
+                                  default='',

[wtc, 2013/11/26 17:32:55]

I assume the option's value is a string. What is the format? Base64-encoded, or
a hex string such as "1A35FD08..."?

[ekasper, 2013/11/26 19:33:54]

I've made them base64-encoded.

+                                  help='If set, server will respond with a '
+                                  'signed_certificate_timestamp TLS extension '
+                                  'whenever the client supports it.')
     self.option_parser.add_option('--https-record-resume',
                                   dest='record_resume', const=True,
                                   default=False, action='store_const',