Extract Certificate Transparency SCTs from stapled OCSP responses

net/tools/testserver/testserver.py

Index: net/tools/testserver/testserver.py
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 83c14d638d33219009b0c7baa176107e80e44131..675f271cf5334a2f428d0c03179e214489d69c66 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -128,7 +128,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
 
   def __init__(self, server_address, request_hander_class, pem_cert_and_key,
                ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers,
-               record_resume_info, tls_intolerant, signed_cert_timestamps):
+               record_resume_info, tls_intolerant,
+               signed_cert_timestamps, ocsp_response):
     self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key)
     # Force using only python implementation - otherwise behavior is different
     # depending on whether m2crypto Python module is present (error is thrown
@@ -141,6 +142,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
     self.ssl_client_cas = []
     self.tls_intolerant = tls_intolerant
     self.signed_cert_timestamps = signed_cert_timestamps
+    self.ocsp_response = ocsp_response
 
     for ca_file in ssl_client_cas:
       s = open(ca_file).read()
@@ -174,7 +176,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
                                     reqCAs=self.ssl_client_cas,
                                     tlsIntolerant=self.tls_intolerant,
                                     signedCertTimestamps=
-                                    self.signed_cert_timestamps)
+                                    self.signed_cert_timestamps,
+                                    OCSPResponse = self.ocsp_response)
       tlsConnection.ignoreAbruptClose = True
       return True
     except tlslite.api.TLSAbruptCloseError:
@@ -1886,6 +1889,7 @@ class ServerRunner(testserver_base.TestServerRunner):
   def create_server(self, server_data):
     port = self.options.port
     host = self.options.host
+    ocsp_der = None
 
     if self.options.server_type == SERVER_HTTP:
       if self.options.https:
@@ -1902,7 +1906,6 @@ class ServerRunner(testserver_base.TestServerRunner):
           print ('OCSP server started on %s:%d...' %
               (host, self.__ocsp_server.server_port))
 
-          ocsp_der = None
           ocsp_state = None
 
           if self.options.ocsp == 'ok':
@@ -1924,7 +1927,12 @@ class ServerRunner(testserver_base.TestServerRunner):
               ocsp_url = ("http://%s:%d/ocsp" %
                   (host, self.__ocsp_server.server_port)),
               ocsp_state = ocsp_state,
-              serial = self.options.cert_serial)
+              serial = self.options.cert_serial,
+              # Signed Certificate Timestamps are only accepted in a stapled
+              # response: when included in a non-stapled response, the client
+              # will simply ignore the extension.
+              sct_extension = (
+                  self.options.signed_cert_timestamps_ocsp.decode("base64")))
 
           self.__ocsp_server.ocsp_response = ocsp_der
 
@@ -1933,14 +1941,16 @@ class ServerRunner(testserver_base.TestServerRunner):
             raise testserver_base.OptionError(
                 'specified trusted client CA file not found: ' + ca_cert +
                 ' exiting...')
+
         server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key,
                              self.options.ssl_client_auth,
                              self.options.ssl_client_ca,
                              self.options.ssl_bulk_cipher,
                              self.options.record_resume,
                              self.options.tls_intolerant,
-                             self.options.signed_cert_timestamps.decode(
-                                 "base64"))
+                             self.options.signed_cert_timestamps_tls_ext.decode(
+                                 "base64"),
+                             ocsp_der)
         print 'HTTPS server started on %s:%d...' % (host, server.server_port)
       else:
         server = HTTPServer((host, port), TestPageHandler)
@@ -2078,13 +2088,20 @@ class ServerRunner(testserver_base.TestServerRunner):
                                   'aborted. 2 means TLS 1.1 or higher will be '
                                   'aborted. 3 means TLS 1.2 or higher will be '
                                   'aborted.')
-    self.option_parser.add_option('--signed-cert-timestamps',
-                                  dest='signed_cert_timestamps',
+    self.option_parser.add_option('--signed-cert-timestamps-tls-ext',
+                                  dest='signed_cert_timestamps_tls_ext',
                                   default='',
                                   help='Base64 encoded SCT list. If set, '
                                   'server will respond with a '
                                   'signed_certificate_timestamp TLS extension '
                                   'whenever the client supports it.')
+    self.option_parser.add_option('--signed-cert-timestamps-ocsp',
+                                  dest='signed_cert_timestamps_ocsp',
+                                  default='',
+                                  help='Base64 encoded SCT list. If set, '
+                                  'server will include the list in a stapled '
+                                  'OCSP response whenever the client supports '
+                                  'OCSP stapling.')
     self.option_parser.add_option('--https-record-resume',
                                   dest='record_resume', const=True,
                                   default=False, action='store_const',