Unified Diff: net/tools/testserver/testserver.py

Issue 92443002: Extract Certificate Transparency SCTs from stapled OCSP responses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extract_scts
Patch Set: review comments Created 7 years ago
Index: net/tools/testserver/testserver.py
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 83c14d638d33219009b0c7baa176107e80e44131..675f271cf5334a2f428d0c03179e214489d69c66 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -128,7 +128,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
def __init__(self, server_address, request_hander_class, pem_cert_and_key,
ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers,
- record_resume_info, tls_intolerant, signed_cert_timestamps):
+ record_resume_info, tls_intolerant,
+ signed_cert_timestamps, ocsp_response):
self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key)
# Force using only python implementation - otherwise behavior is different
# depending on whether m2crypto Python module is present (error is thrown
@@ -141,6 +142,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
self.ssl_client_cas = []
self.tls_intolerant = tls_intolerant
self.signed_cert_timestamps = signed_cert_timestamps
+ self.ocsp_response = ocsp_response
for ca_file in ssl_client_cas:
s = open(ca_file).read()
@@ -174,7 +176,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
reqCAs=self.ssl_client_cas,
tlsIntolerant=self.tls_intolerant,
signedCertTimestamps=
- self.signed_cert_timestamps)
+ self.signed_cert_timestamps,
+ OCSPResponse = self.ocsp_response)
wtc 2013/12/03 21:04:25 Nit: should "OCSPResponse" start in lowercase "ocs
ekasper 2013/12/04 19:25:15 Done.
tlsConnection.ignoreAbruptClose = True
return True
except tlslite.api.TLSAbruptCloseError:
@@ -1886,6 +1889,7 @@ class ServerRunner(testserver_base.TestServerRunner):
def create_server(self, server_data):
port = self.options.port
host = self.options.host
+ ocsp_der = None
if self.options.server_type == SERVER_HTTP:
if self.options.https:
@@ -1902,7 +1906,6 @@ class ServerRunner(testserver_base.TestServerRunner):
print ('OCSP server started on %s:%d...' %
(host, self.__ocsp_server.server_port))
- ocsp_der = None
ocsp_state = None
if self.options.ocsp == 'ok':
@@ -1924,7 +1927,12 @@ class ServerRunner(testserver_base.TestServerRunner):
ocsp_url = ("http://%s:%d/ocsp" %
(host, self.__ocsp_server.server_port)),
ocsp_state = ocsp_state,
- serial = self.options.cert_serial)
+ serial = self.options.cert_serial,
+ # Signed Certificate Timestamps are only accepted in a stapled
+ # response: when included in a non-stapled response, the client
+ # will simply ignore the extension.
wtc 2013/12/03 21:04:25 Is this comment true? If I get an OCSP response fr
ekasper 2013/12/04 19:25:15 I've reverted the extension code here as the testi
+ sct_extension = (
+ self.options.signed_cert_timestamps_ocsp.decode("base64")))
self.__ocsp_server.ocsp_response = ocsp_der
@@ -1933,14 +1941,16 @@ class ServerRunner(testserver_base.TestServerRunner):
raise testserver_base.OptionError(
'specified trusted client CA file not found: ' + ca_cert +
' exiting...')
+
server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key,
self.options.ssl_client_auth,
self.options.ssl_client_ca,
self.options.ssl_bulk_cipher,
self.options.record_resume,
self.options.tls_intolerant,
- self.options.signed_cert_timestamps.decode(
- "base64"))
+ self.options.signed_cert_timestamps_tls_ext.decode(
+ "base64"),
+ ocsp_der)
wtc 2013/12/03 21:04:25 Should we use self.__ocsp_server.ocsp_response her
ekasper 2013/12/04 19:25:15 Changed.
print 'HTTPS server started on %s:%d...' % (host, server.server_port)
else:
server = HTTPServer((host, port), TestPageHandler)
@@ -2078,13 +2088,20 @@ class ServerRunner(testserver_base.TestServerRunner):
'aborted. 2 means TLS 1.1 or higher will be '
'aborted. 3 means TLS 1.2 or higher will be '
'aborted.')
- self.option_parser.add_option('--signed-cert-timestamps',
- dest='signed_cert_timestamps',
+ self.option_parser.add_option('--signed-cert-timestamps-tls-ext',
+ dest='signed_cert_timestamps_tls_ext',
default='',
help='Base64 encoded SCT list. If set, '
'server will respond with a '
'signed_certificate_timestamp TLS extension '
'whenever the client supports it.')
+ self.option_parser.add_option('--signed-cert-timestamps-ocsp',
+ dest='signed_cert_timestamps_ocsp',
+ default='',
+ help='Base64 encoded SCT list. If set, '
+ 'server will include the list in a stapled '
+ 'OCSP response whenever the client supports '
+ 'OCSP stapling.')
self.option_parser.add_option('--https-record-resume',
dest='record_resume', const=True,
default=False, action='store_const',
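Review bot: The new `ocsp_response` parameter added to `HTTPSServer.__init__` in the first hunk is undocumented, and the only hint at its contract is the `ocsp_der = None` initialisation in `create_server`; a comment next to `self.ocsp_response = ocsp_response` such as `# ocsp_response: OCSP response to staple (presumably DER, built in ServerRunner.create_server), or None when no OCSP server is configured` would tell a reader what the attribute is allowed to hold. In the `create_server` hunk, both `self.options.signed_cert_timestamps_tls_ext.decode("base64")` and `self.options.signed_cert_timestamps_ocsp.decode("base64")` decode command-line input inline, so a malformed value surfaces as a decode traceback during server construction rather than as the `testserver_base.OptionError` the surrounding code raises for a missing CA file; decoding once up front and wrapping the failure in the same `OptionError` would keep the error handling consistent. The bodies of `__init__` and `create_server` both start and end outside the visible hunks.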
