Port SCT test to EmbeddedTestServer

Bug: 492672, 1250903
Change-Id: Icac6ca051805f98c51fcacef079b105bc97cc181
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3170212
Auto-Submit: David Benjamin <[email protected]>
Reviewed-by: Ryan Sleevi <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
Cr-Commit-Position: refs/heads/main@{#923009}

net/socket/ssl_client_socket.h

@@ -66,7 +66,7 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
  private:
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
   // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
-  FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
+  FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest,
                            ConnectSignedCertTimestampsTLSExtension);
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest,
                            ConnectSignedCertTimestampsEnablesOCSP);

net/socket/ssl_client_socket_unittest.cc

@@ -2877,13 +2877,15 @@ TEST_P(SSLClientSocketCertRequestInfoTest, CertKeyTypes) {
 
 // Tests that the Certificate Transparency (RFC 6962) TLS extension is
 // supported.
-TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsTLSExtension) {
+TEST_P(SSLClientSocketVersionTest, ConnectSignedCertTimestampsTLSExtension) {
   // Encoding of SCT List containing 'test'.
   base::StringPiece sct_ext("\x00\x06\x00\x04test", 8);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.signed_cert_timestamps_tls_ext = std::string(sct_ext);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  SSLServerConfig server_config = GetServerConfig();
+  server_config.signed_cert_timestamp_list =
+      std::vector<uint8_t>(sct_ext.begin(), sct_ext.end());
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   auto ct_verifier = std::make_unique<MockCTVerifier>();
 

net/socket/ssl_server_socket_impl.cc

@@ -1056,6 +1056,12 @@ void SSLServerContextImpl::Init() {
                               ssl_server_config_.ocsp_response.size());
   }
 
+  if (!ssl_server_config_.signed_cert_timestamp_list.empty()) {
+    SSL_CTX_set_signed_cert_timestamp_list(
+        ssl_ctx_.get(), ssl_server_config_.signed_cert_timestamp_list.data(),
+        ssl_server_config_.signed_cert_timestamp_list.size());
+  }
+
   if (ssl_server_config_.ech_keys) {
     CHECK(SSL_CTX_set1_ech_keys(ssl_ctx_.get(),
                                 ssl_server_config_.ech_keys.get()));

net/ssl/ssl_server_config.h

@@ -114,6 +114,10 @@ struct NET_EXPORT SSLServerConfig {
   // If non-empty, the DER-encoded OCSP response to staple.
   std::vector<uint8_t> ocsp_response;
 
+  // If non-empty, the serialized SignedCertificateTimestampList to send in the
+  // handshake.
+  std::vector<uint8_t> signed_cert_timestamp_list;
+
   // This is a workaround for BoringSSL's scopers not being copyable. See
   // https://crbug.com/boringssl/431.
   class NET_EXPORT ECHKeysContainer {

net/test/spawned_test_server/base_test_server.cc

@@ -474,13 +474,6 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const {
     if (ssl_options_.tls_max_version != SSLOptions::TLS_MAX_VERSION_DEFAULT) {
       arguments->SetIntKey("tls-max-version", ssl_options_.tls_max_version);
     }
-    if (!ssl_options_.signed_cert_timestamps_tls_ext.empty()) {
-      std::string b64_scts_tls_ext;
-      base::Base64Encode(ssl_options_.signed_cert_timestamps_tls_ext,
-                         &b64_scts_tls_ext);
-      arguments->SetStringKey("signed-cert-timestamps-tls-ext",
-                              b64_scts_tls_ext);
-    }
     if (ssl_options_.alert_after_handshake)
       arguments->SetKey("alert-after-handshake", base::Value());
 

net/test/spawned_test_server/base_test_server.h

@@ -147,14 +147,6 @@ class BaseTestServer {
     // The maximum TLS version to support.
     TLSMaxVersion tls_max_version = TLS_MAX_VERSION_DEFAULT;
 
-    // Temporary glue for testing: validation of SCTs is application-controlled
-    // and can be appropriately mocked out, so sending fake data here does not
-    // affect handshaking behaviour.
-    // TODO(ekasper): replace with valid SCT files for test certs.
-    // (Fake) SignedCertificateTimestampList (as a raw binary string) to send in
-    // a TLS extension.
-    std::string signed_cert_timestamps_tls_ext;
-
     // Whether to send a fatal alert immediately after completing the handshake.
     bool alert_after_handshake = false;
 

net/tools/testserver/testserver.py

@@ -102,9 +102,9 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
 
   def __init__(self, server_address, request_hander_class, pem_cert_and_key,
                ssl_client_auth, ssl_client_cas, ssl_client_cert_types,
-               tls_intolerant, tls_intolerance_type, signed_cert_timestamps,
-               alert_after_handshake, simulate_tls13_downgrade,
-               simulate_tls12_downgrade, tls_max_version):
+               tls_intolerant, tls_intolerance_type, alert_after_handshake,
+               simulate_tls13_downgrade, simulate_tls12_downgrade,
+               tls_max_version):
     self.cert_chain = tlslite.api.X509CertChain()
     self.cert_chain.parsePemList(pem_cert_and_key)
     # Force using only python implementation - otherwise behavior is different
@@ -117,7 +117,6 @@ def __init__(self, server_address, request_hander_class, pem_cert_and_key,
     self.ssl_client_auth = ssl_client_auth
     self.ssl_client_cas = []
     self.ssl_client_cert_types = []
-    self.signed_cert_timestamps = signed_cert_timestamps
 
     if ssl_client_auth:
       for ca_file in ssl_client_cas:
@@ -157,15 +156,13 @@ def handshake(self, tlsConnection):
 
     try:
       self.tlsConnection = tlsConnection
-      tlsConnection.handshakeServer(
-          certChain=self.cert_chain,
-          privateKey=self.private_key,
-          sessionCache=self.session_cache,
-          reqCert=self.ssl_client_auth,
-          settings=self.ssl_handshake_settings,
-          reqCAs=self.ssl_client_cas,
-          reqCertTypes=self.ssl_client_cert_types,
-          signedCertTimestamps=self.signed_cert_timestamps)
+      tlsConnection.handshakeServer(certChain=self.cert_chain,
+                                    privateKey=self.private_key,
+                                    sessionCache=self.session_cache,
+                                    reqCert=self.ssl_client_auth,
+                                    settings=self.ssl_handshake_settings,
+                                    reqCAs=self.ssl_client_cas,
+                                    reqCertTypes=self.ssl_client_cert_types)
       tlsConnection.ignoreAbruptClose = True
       return True
     except tlslite.api.TLSAbruptCloseError:
@@ -417,7 +414,6 @@ def create_server(self, server_data):
             self.options.ssl_client_auth, self.options.ssl_client_ca,
             self.options.ssl_client_cert_type, self.options.tls_intolerant,
             self.options.tls_intolerance_type,
-            base64.b64decode(self.options.signed_cert_timestamps_tls_ext),
             self.options.alert_after_handshake,
             self.options.simulate_tls13_downgrade,
             self.options.simulate_tls12_downgrade, self.options.tls_max_version)
@@ -522,13 +518,6 @@ def add_options(self):
                                   help='Controls how the server reacts to a '
                                   'TLS version it is intolerant to. Valid '
                                   'values are "alert", "close", and "reset".')
-    self.option_parser.add_option('--signed-cert-timestamps-tls-ext',
-                                  dest='signed_cert_timestamps_tls_ext',
-                                  default='',
-                                  help='Base64 encoded SCT list. If set, '
-                                  'server will respond with a '
-                                  'signed_certificate_timestamp TLS extension '
-                                  'whenever the client supports it.')
     self.option_parser.add_option('--ssl-client-auth', action='store_true',
                                   help='Require SSL client auth on every '
                                   'connection.')