Extract Certificate Transparency SCTs from stapled OCSP responses

net/socket/ssl_client_socket_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include "base/callback_helpers.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/address_list.h"
 #include "net/base/io_buffer.h"
@@ skipping 1775 matching lines @@
   scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
   ASSERT_TRUE(request_info.get());
   ASSERT_EQ(2u, request_info->cert_authorities.size());
   EXPECT_EQ(std::string(reinterpret_cast<const char*>(kThawteDN), kThawteLen),
             request_info->cert_authorities[0]);
   EXPECT_EQ(
       std::string(reinterpret_cast<const char*>(kDiginotarDN), kDiginotarLen),
       request_info->cert_authorities[1]);
 }
 
-TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabled) {
+TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) {
   SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.signed_cert_timestamps = "test";
+  ssl_options.signed_cert_timestamps_tls_ext = "test";
 
   SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
                                 ssl_options,
                                 base::FilePath());
   ASSERT_TRUE(test_server.Start());
 
   AddressList addr;
   ASSERT_TRUE(test_server.GetAddressList(&addr));
 
   TestCompletionCallback callback;
@@ skipping 29 matching lines @@
   EXPECT_TRUE(sock->WereSignedCertTimestampsReceived());
 #else
   // Enabling CT for OpenSSL is currently a noop.
   EXPECT_FALSE(sock->WereSignedCertTimestampsReceived());
 #endif
 
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
 }
 
+// Test that enabling Signed Certificate Timestamps enables OCSP stapling.
+TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) {
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.staple_ocsp_response = true;
+  // The test server currently only knows how to generate OCSP responses
+  // for a freshly minted certificate.
+  ssl_options.server_certificate = SpawnedTestServer::SSLOptions::CERT_AUTO;
+
+  SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
+                                ssl_options,
+                                base::FilePath());
+  ASSERT_TRUE(test_server.Start());
+
+  AddressList addr;
+  ASSERT_TRUE(test_server.GetAddressList(&addr));
+
+  TestCompletionCallback callback;
+  CapturingNetLog log;
+  scoped_ptr<StreamSocket> transport(
+      new TCPClientSocket(addr, &log, NetLog::Source()));
+  int rv = transport->Connect(callback.callback());
+  if (rv == ERR_IO_PENDING)
+    rv = callback.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  SSLConfig ssl_config;
+  // Enabling Signed Cert Timestamps ensures we request stapled OCSP for

[wtc, 2013/12/10 04:23:17]

Nit: stapled OCSP => OCSP stapling

[ekasper, 2013/12/10 14:45:20]

Done.

+  // Certificate Transparency verification regardless of whether the platform
+  // is able to process the OCSP status itself.

[wtc, 2013/12/10 04:23:17]

Nit: OCSP status => OCSP response.

[ekasper, 2013/12/10 14:45:20]

Hm, no, I meant "OCSP status" as in revocation status.

[wtc, 2013/12/12 02:31:45]

I see. I found "OCSP status" a little ambiguous because it could mean
OCSPResponseStatus (successful, malformedRequest, etc.) or CertStatus (good,
revoked, unknown). In any case, this is not a problem.

+  ssl_config.signed_cert_timestamps_enabled = true;
+
+  scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      transport.Pass(), test_server.host_port_pair(), ssl_config));
+
+  EXPECT_FALSE(sock->IsConnected());
+
+  rv = sock->Connect(callback.callback());
+
+  CapturingNetLog::CapturedEntryList entries;
+  log.GetEntries(&entries);
+  EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
+  if (rv == ERR_IO_PENDING)
+    rv = callback.WaitForResult();
+  EXPECT_EQ(OK, rv);
+  EXPECT_TRUE(sock->IsConnected());
+  log.GetEntries(&entries);
+  EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
+
+#if !defined(USE_OPENSSL)
+  EXPECT_TRUE(sock->WasStapledOCSPResponseReceived());
+#else
+  // OCSP stapling isn't currently supported in the OpenSSL socket.
+  EXPECT_FALSE(sock->WasStapledOCSPResponseReceived());
+#endif
+
+  sock->Disconnect();
+  EXPECT_FALSE(sock->IsConnected());
+}
+
 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) {
   SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.signed_cert_timestamps = "test";
+  ssl_options.signed_cert_timestamps_tls_ext = "test";
 
   SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
                                 ssl_options,
                                 base::FilePath());
   ASSERT_TRUE(test_server.Start());
 
   AddressList addr;
   ASSERT_TRUE(test_server.GetAddressList(&addr));
 
   TestCompletionCallback callback;
@@ skipping 27 matching lines @@
 
   EXPECT_FALSE(sock->WereSignedCertTimestampsReceived());
 
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
 }
 
 }  // namespace
 
 }  // namespace net