Extract Certificate Transparency SCTs from stapled OCSP responses

net/cert/ct_objects_extractor_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_objects_extractor.h"
 
 #include "base/files/file_path.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_serialization.h"
@@ skipping 105 matching lines @@
   scoped_refptr<ct::SignedCertificateTimestamp> sct(
       new ct::SignedCertificateTimestamp());
   GetX509CertSCT(&sct);
 
   LogEntry entry;
   ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry));
 
   EXPECT_TRUE(log_->Verify(entry, *sct));
 }
 
+// Test that the extractor can parse OCSP responses.
+TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponse) {

[wtc, 2013/12/03 01:18:06]

Do we need to put this unit test inside #if !defined(USE_OPENSSL) ?

[ekasper, 2013/12/03 13:50:51]

I think not - none of the objects extraction is implemented for OpenSSL so the
whole test suite is excluded in net.gyp (line 2095).

+  std::string der_test_cert(ct::GetDerEncodedFakeOCSPResponseCert());
+  scoped_refptr<X509Certificate> test_cert =
+      X509Certificate::CreateFromBytes(der_test_cert.data(),
+                                       der_test_cert.length());
+
+  std::string fake_sct_list = ct::GetFakeOCSPExtensionValue();
+  ASSERT_FALSE(fake_sct_list.empty());
+  std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
+
+  std::string extracted_sct_list;
+  EXPECT_TRUE(ct::ExtractSCTListFromOCSPResponse(
+      test_cert->os_cert_handle(), ocsp_response, &extracted_sct_list));
+  EXPECT_EQ(extracted_sct_list, fake_sct_list);
+}
+
 }  // namespace ct
 
 }  // namespace net