authorekasper@google.com <ekasper@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2013-12-13 19:57:48 +0000
committerekasper@google.com <ekasper@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2013-12-13 19:57:48 +0000
commit9a72d237330d80648f93b2e466d5027b9ce8bb2a (patch)
tree10c449fbd40cba62d54916af30c81b106536b46a /net/test
parentb4c4dc526a5163fafc4430ee190a4ee075efc543 (diff)
Extract Certificate Transparency SCTs from stapled OCSP responses
BUG=309578 Review URL: https://codereview.chromium.org/92443002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@240721 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/test')
-rw-r--r--net/test/ct_test_util.cc69
-rw-r--r--net/test/ct_test_util.h12
-rw-r--r--net/test/spawned_test_server/base_test_server.cc17
-rw-r--r--net/test/spawned_test_server/base_test_server.h9
4 files changed, 98 insertions, 9 deletions
diff --git a/net/test/ct_test_util.cc b/net/test/ct_test_util.cc
index 924366e..4e95e19 100644
--- a/net/test/ct_test_util.cc
+++ b/net/test/ct_test_util.cc
@@ -101,6 +101,59 @@ const char kTestSCTPrecertSignatureData[] =
"30450220482f6751af35dba65436be1fd6640f3dbf9a41429495924530288fa3e5e23e0602"
"2100e4edc0db3ac572b1e2f5e8ab6a680653987dcf41027dfeffa105519d89edbf08";
+// A well-formed OCSP response with fake SCT contents. Does not come from
+// http://code.google.com/p/certificate-transparency, does not pertain to any
+// of the test certs here, and is only used to test extracting the extension
+// contents from the response.
+const char kFakeOCSPResponse[] =
+ "3082016e0a0100a08201673082016306092b060105050730010104820154308201503081ba"
+ "a21604144edfdf5ff9c90ffacfca66e7fbc436bc39ee3fc7180f3230313030313031303630"
+ "3030305a30818e30818b3049300906052b0e03021a050004141833a1e6a4f09577cca0e64c"
+ "e7d145ca4b93700904144edfdf5ff9c90ffacfca66e7fbc436bc39ee3fc7021001aef99bde"
+ "e0bb58c6f2b816bc3ae02f8000180f32303130303130313036303030305aa011180f323033"
+ "30303130313036303030305aa11830163014060a2b06010401d67902040504060404746573"
+ "74300d06092a864886f70d0101050500038181003586ffcf0794e64eb643d52a3d570a1c93"
+ "836395986a2f792dd4e9c70b05161186c55c1658e0607dc9ec0d0924ac37fb99506c870579"
+ "634be1de62ba2fced5f61f3b428f959fcee9bddf6f268c8e14c14fdf3b447786e638a5c8cc"
+ "b610893df17a60e4cff30f4780aeffe0086ef19910f0d9cd7414bc93d1945686f88ad0a3c3"
+ ;
+
+const char kFakeOCSPResponseCert[] =
+ "3082022930820192a003020102021001aef99bdee0bb58c6f2b816bc3ae02f300d06092a86"
+ "4886f70d01010505003015311330110603550403130a54657374696e67204341301e170d31"
+ "30303130313036303030305a170d3332313230313036303030305a30373112301006035504"
+ "0313093132372e302e302e31310b300906035504061302585831143012060355040a130b54"
+ "657374696e67204f726730819d300d06092a864886f70d010101050003818b003081870281"
+ "8100a71998f2930bfe73d031a87f133d2f378eeeeed52a77e44d0fc9ff6f07ff32cbf3da99"
+ "9de4ed65832afcb0807f98787506539d258a0ce3c2c77967653099a9034a9b115a876c39a8"
+ "c4e4ed4acd0c64095946fb39eeeb47a0704dbb018acf48c3a1c4b895fc409fb4a340a986b1"
+ "afc45519ab9eca47c30185c771c64aa5ecf07d020103a35a3058303a06082b060105050701"
+ "01010100042b3029302706082b06010505073001861b687474703a2f2f3132372e302e302e"
+ "313a35353038312f6f637370301a0603551d200101000410300e300c060a2b06010401d679"
+ "020401300d06092a864886f70d01010505000381810065e04fadd3484197f3412479d917e1"
+ "9d8f7db57b526f2d0e4c046f86cebe643bf568ea0cd6570b228842aa057c6a7c79f209dfcd"
+ "3419a4d93b1ecfb1c0224f33083c7d4da023499fbd00d81d6711ad58ffcf65f1545247fe9d"
+ "83203425fd706b4fc5e797002af3d88151be5901eef56ec30aacdfc404be1bd35865ff1943"
+ "2516";
+
+const char kFakeOCSPResponseIssuerCert[] =
+ "308201d13082013aa003020102020101300d06092a864886f70d0101050500301531133011"
+ "0603550403130a54657374696e67204341301e170d3130303130313036303030305a170d33"
+ "32313230313036303030305a3015311330110603550403130a54657374696e672043413081"
+ "9d300d06092a864886f70d010101050003818b0030818702818100a71998f2930bfe73d031"
+ "a87f133d2f378eeeeed52a77e44d0fc9ff6f07ff32cbf3da999de4ed65832afcb0807f9878"
+ "7506539d258a0ce3c2c77967653099a9034a9b115a876c39a8c4e4ed4acd0c64095946fb39"
+ "eeeb47a0704dbb018acf48c3a1c4b895fc409fb4a340a986b1afc45519ab9eca47c30185c7"
+ "71c64aa5ecf07d020103a333303130120603551d130101ff040830060101ff020100301b06"
+ "03551d200101000411300f300d060b2b06010401d6790201ce0f300d06092a864886f70d01"
+ "01050500038181003f4936f8d00e83fbdde331f2c64335dcf7dec8b1a2597683edeed61af0"
+ "fa862412fad848938fe7ab77f1f9a43671ff6fdb729386e26f49e7aca0c0ea216e5970d933"
+ "3ea1e11df2ccb357a5fed5220f9c6239e8946b9b7517707631d51ab996833d58a022cff5a6"
+ "2169ac9258ec110efee78da9ab4a641e3b3c9ee5e8bd291460";
+
+
+const char kFakeOCSPExtensionValue[] = "74657374"; // "test"
+
} // namespace
void GetX509CertLogEntry(LogEntry* entry) {
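Review bot: The terminating `;` of `kFakeOCSPResponse` sits on a line of its own after the last hex literal, while `kFakeOCSPResponseCert` and `kFakeOCSPResponseIssuerCert` end with `"...";` on the final literal line; the three constants would read more consistently if the first one ended the same way. There is also a double blank line before `kFakeOCSPExtensionValue`, where one blank line separates the other constants. Since the extension value is the literal bytes "test" rather than an SCT list, the header comment on `kFakeOCSPResponse` could say so explicitly, e.g. `// ... the SCT-list extension carries the placeholder bytes "test", not a parseable SCT list.`, so readers do not expect the response to decode into real SCTs.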
@@ -171,6 +224,22 @@ std::string GetDefaultIssuerKeyHash() {
return HexToBytes(kDefaultIssuerKeyHash);
}
+std::string GetDerEncodedFakeOCSPResponse() {
+return HexToBytes(kFakeOCSPResponse);
+}
+
+std::string GetFakeOCSPExtensionValue() {
+ return HexToBytes(kFakeOCSPExtensionValue);
+}
+
+std::string GetDerEncodedFakeOCSPResponseCert() {
+ return HexToBytes(kFakeOCSPResponseCert);
+}
+
+std::string GetDerEncodedFakeOCSPResponseIssuerCert() {
+ return HexToBytes(kFakeOCSPResponseIssuerCert);
+}
+
} // namespace ct
} // namespace net
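Review bot: The body of `GetDerEncodedFakeOCSPResponse` appears to lack the two-space indent that the three sibling accessors below it use (`return HexToBytes(...)` is flush with the `+` column here, whereas the others show a leading space); if that is not an artefact of the rendered page, `  return HexToBytes(kFakeOCSPResponse);` would match the file's style. The four new accessors otherwise mirror `GetDefaultIssuerKeyHash` above, which is the right pattern.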
diff --git a/net/test/ct_test_util.h b/net/test/ct_test_util.h
index 6a07f32..87afc10 100644
--- a/net/test/ct_test_util.h
+++ b/net/test/ct_test_util.h
@@ -50,6 +50,18 @@ void GetPrecertSCT(scoped_refptr<SignedCertificateTimestamp>* sct);
// Issuer key hash
std::string GetDefaultIssuerKeyHash();
+// Fake OCSP response with an embedded SCT list.
+std::string GetDerEncodedFakeOCSPResponse();
+
+// The SCT list embedded in the response above.
+std::string GetFakeOCSPExtensionValue();
+
+// The cert the OCSP response is for.
+std::string GetDerEncodedFakeOCSPResponseCert();
+
+// The issuer of the previous cert.
+std::string GetDerEncodedFakeOCSPResponseIssuerCert();
+
} // namespace ct
} // namespace net
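Review bot: The comment on `GetFakeOCSPExtensionValue` says "The SCT list embedded in the response above", but the value defined in ct_test_util.cc (`kFakeOCSPExtensionValue`, hex `74657374`) is the four bytes "test", not a SignedCertificateTimestampList; a test author reading only the header could reasonably try to parse it. Suggest `// The raw value of the SCT-list extension embedded in the response above. It is placeholder bytes ("test"), not a parseable SCT list.` Likewise, "Fake OCSP response with an embedded SCT list" on `GetDerEncodedFakeOCSPResponse` could note that the response is DER-encoded and unrelated to the other test certificates in this file, as the .cc comment already states.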
diff --git a/net/test/spawned_test_server/base_test_server.cc b/net/test/spawned_test_server/base_test_server.cc
index 3b06a0a..ac37c70 100644
--- a/net/test/spawned_test_server/base_test_server.cc
+++ b/net/test/spawned_test_server/base_test_server.cc
@@ -61,7 +61,8 @@ BaseTestServer::SSLOptions::SSLOptions()
bulk_ciphers(SSLOptions::BULK_CIPHER_ANY),
record_resume(false),
tls_intolerant(TLS_INTOLERANT_NONE),
- fallback_scsv_enabled(false) {}
+ fallback_scsv_enabled(false),
+ staple_ocsp_response(false) {}
BaseTestServer::SSLOptions::SSLOptions(
BaseTestServer::SSLOptions::ServerCertificate cert)
@@ -72,7 +73,8 @@ BaseTestServer::SSLOptions::SSLOptions(
bulk_ciphers(SSLOptions::BULK_CIPHER_ANY),
record_resume(false),
tls_intolerant(TLS_INTOLERANT_NONE),
- fallback_scsv_enabled(false) {}
+ fallback_scsv_enabled(false),
+ staple_ocsp_response(false) {}
BaseTestServer::SSLOptions::~SSLOptions() {}
@@ -400,11 +402,14 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const {
}
if (ssl_options_.fallback_scsv_enabled)
arguments->Set("fallback-scsv", base::Value::CreateNullValue());
- if (!ssl_options_.signed_cert_timestamps.empty()) {
- std::string b64_scts;
- base::Base64Encode(ssl_options_.signed_cert_timestamps, &b64_scts);
- arguments->SetString("signed-cert-timestamps", b64_scts);
+ if (!ssl_options_.signed_cert_timestamps_tls_ext.empty()) {
+ std::string b64_scts_tls_ext;
+ base::Base64Encode(ssl_options_.signed_cert_timestamps_tls_ext,
+ &b64_scts_tls_ext);
+ arguments->SetString("signed-cert-timestamps-tls-ext", b64_scts_tls_ext);
}
+ if (ssl_options_.staple_ocsp_response)
+ arguments->Set("staple-ocsp-response", base::Value::CreateNullValue());
}
return GenerateAdditionalArguments(arguments);
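Review bot: The argument key is renamed from "signed-cert-timestamps" to "signed-cert-timestamps-tls-ext" and a new "staple-ocsp-response" flag is emitted, but the diffstat shown is limited to net/test, so the spawned test server's handling of the renamed key and the new flag is not visible here; if the Python side still reads the old key, SCTs would silently stop being sent in the TLS extension. Worth confirming that both sides changed together in the same CL. `GenerateArguments` begins outside this hunk.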
diff --git a/net/test/spawned_test_server/base_test_server.h b/net/test/spawned_test_server/base_test_server.h
index bb82ed0..fb8d6ed 100644
--- a/net/test/spawned_test_server/base_test_server.h
+++ b/net/test/spawned_test_server/base_test_server.h
@@ -155,13 +155,16 @@ class BaseTestServer {
// connections.
bool fallback_scsv_enabled;
- // (Fake) SignedCertificateTimestampList (as a raw binary string) to send in
- // a TLS extension.
// Temporary glue for testing: validation of SCTs is application-controlled
// and can be appropriately mocked out, so sending fake data here does not
// affect handshaking behaviour.
// TODO(ekasper): replace with valid SCT files for test certs.
- std::string signed_cert_timestamps;
+ // (Fake) SignedCertificateTimestampList (as a raw binary string) to send in
+ // a TLS extension.
+ std::string signed_cert_timestamps_tls_ext;
+
+ // Whether to staple the OCSP response.
+ bool staple_ocsp_response;
};
// Pass as the 'host' parameter during construction to server on 127.0.0.1
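Review bot: After the reordering, the "Temporary glue for testing ... TODO(ekasper)" paragraph now sits between `fallback_scsv_enabled` and the description of `signed_cert_timestamps_tls_ext`, so it is no longer clear whether it applies only to that field or also to the new `staple_ocsp_response`; if both carry fake SCT data for testing, say so in the comment. The comment on `staple_ocsp_response`, "Whether to staple the OCSP response.", does not say which response is stapled; something like `// Whether the server should staple an OCSP response for its certificate in the TLS handshake (status_request extension).` would help, hedged as appropriate if the response origin is decided on the server side. `class BaseTestServer` opens outside this hunk; `struct SSLOptions` closes within it.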