Extract Certificate Transparency SCTs from stapled OCSP responses

net/cert/ct_objects_extractor_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_objects_extractor.h"
 
 #include "base/files/file_path.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_serialization.h"
@@ skipping 105 matching lines @@
   scoped_refptr<ct::SignedCertificateTimestamp> sct(
       new ct::SignedCertificateTimestamp());
   GetX509CertSCT(&sct);
 
   LogEntry entry;
   ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry));
 
   EXPECT_TRUE(log_->Verify(entry, *sct));
 }
 
+// Test that the extractor can parse OCSP responses.
+TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponse) {
+  std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
+  scoped_refptr<X509Certificate> subject_cert =
+      X509Certificate::CreateFromBytes(der_subject_cert.data(),
+                                       der_subject_cert.length());
+  std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
+  scoped_refptr<X509Certificate> issuer_cert =
+      X509Certificate::CreateFromBytes(der_issuer_cert.data(),
+                                       der_issuer_cert.length());
+
+  std::string fake_sct_list = ct::GetFakeOCSPExtensionValue();
+  ASSERT_FALSE(fake_sct_list.empty());
+  std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
+
+  std::string extracted_sct_list;
+  EXPECT_TRUE(ct::ExtractSCTListFromOCSPResponse(
+      issuer_cert->os_cert_handle(), subject_cert->serial_number(),
+      ocsp_response, &extracted_sct_list));
+  EXPECT_EQ(extracted_sct_list, fake_sct_list);
+}
+
+// Test that the extractor honours serial number.
+TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesSerial) {
+  std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
+  scoped_refptr<X509Certificate> issuer_cert =
+      X509Certificate::CreateFromBytes(der_issuer_cert.data(),
+                                       der_issuer_cert.length());
+
+  std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
+
+  std::string extracted_sct_list;
+  EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
+      issuer_cert->os_cert_handle(), test_cert_->serial_number(),
+      ocsp_response, &extracted_sct_list));
+}
+
+// Test that the extractor honours issuer ID.
+TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesIssuer) {
+  std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
+  scoped_refptr<X509Certificate> subject_cert =
+      X509Certificate::CreateFromBytes(der_subject_cert.data(),
+                                       der_subject_cert.length());
+
+  std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
+
+  std::string extracted_sct_list;
+  // Use test_cert_ for issuer - it is not the correct issuer of |subject_cert|.
+  EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
+      test_cert_->os_cert_handle(), subject_cert->serial_number(),
+      ocsp_response, &extracted_sct_list));
+}
+
 }  // namespace ct
 
 }  // namespace net