Extract Certificate Transparency SCTs from stapled OCSP responses

net/socket/ssl_client_socket_unittest.cc

Index: net/socket/ssl_client_socket_unittest.cc
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 0e667c689410adbf84cbb0c4ad13edb62ed4e1d4..c919c4a84b663e0d81a00444ae09800459769e00 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -1793,9 +1793,9 @@ TEST_F(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
       request_info->cert_authorities[1]);
 }
 
-TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabled) {
+TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) {
   SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.signed_cert_timestamps = "test";
+  ssl_options.signed_cert_timestamps_tls_ext = "test";
 
   SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
                                 ssl_options,
@@ -1845,9 +1845,68 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabled) {
   EXPECT_FALSE(sock->IsConnected());
 }
 
+// Test that enabling Signed Certificate Timestamps enables OCSP stapling.
+TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) {
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.staple_ocsp_response = true;
+  // The test server currently only knows how to generate OCSP responses
+  // for a freshly minted certificate.
+  ssl_options.server_certificate = SpawnedTestServer::SSLOptions::CERT_AUTO;
+
+  SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
+                                ssl_options,
+                                base::FilePath());
+  ASSERT_TRUE(test_server.Start());
+
+  AddressList addr;
+  ASSERT_TRUE(test_server.GetAddressList(&addr));
+
+  TestCompletionCallback callback;
+  CapturingNetLog log;
+  scoped_ptr<StreamSocket> transport(
+      new TCPClientSocket(addr, &log, NetLog::Source()));
+  int rv = transport->Connect(callback.callback());
+  if (rv == ERR_IO_PENDING)
+    rv = callback.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  SSLConfig ssl_config;
+  // Enabling Signed Cert Timestamps ensures we request stapled OCSP for

[wtc, 2013/12/10 04:23:17]

Nit: stapled OCSP => OCSP stapling

[ekasper, 2013/12/10 14:45:20]

Done.

+  // Certificate Transparency verification regardless of whether the platform
+  // is able to process the OCSP status itself.

[wtc, 2013/12/10 04:23:17]

Nit: OCSP status => OCSP response.

[ekasper, 2013/12/10 14:45:20]

Hm, no, I meant "OCSP status" as in revocation status.

[wtc, 2013/12/12 02:31:45]

I see. I found "OCSP status" a little ambiguous because it could mean
OCSPResponseStatus (successful, malformedRequest, etc.) or CertStatus (good,
revoked, unknown). In any case, this is not a problem.

+  ssl_config.signed_cert_timestamps_enabled = true;
+
+  scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      transport.Pass(), test_server.host_port_pair(), ssl_config));
+
+  EXPECT_FALSE(sock->IsConnected());
+
+  rv = sock->Connect(callback.callback());
+
+  CapturingNetLog::CapturedEntryList entries;
+  log.GetEntries(&entries);
+  EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
+  if (rv == ERR_IO_PENDING)
+    rv = callback.WaitForResult();
+  EXPECT_EQ(OK, rv);
+  EXPECT_TRUE(sock->IsConnected());
+  log.GetEntries(&entries);
+  EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
+
+#if !defined(USE_OPENSSL)
+  EXPECT_TRUE(sock->WasStapledOCSPResponseReceived());
+#else
+  // OCSP stapling isn't currently supported in the OpenSSL socket.
+  EXPECT_FALSE(sock->WasStapledOCSPResponseReceived());
+#endif
+
+  sock->Disconnect();
+  EXPECT_FALSE(sock->IsConnected());
+}
+
 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) {
   SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.signed_cert_timestamps = "test";
+  ssl_options.signed_cert_timestamps_tls_ext = "test";
 
   SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
                                 ssl_options,