summaryrefslogtreecommitdiffstats
path: root/tests/ocsp-tests
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--tests/ocsp-tests/certs/ca.key144
-rw-r--r--tests/ocsp-tests/certs/ca.pem18
-rw-r--r--tests/ocsp-tests/certs/chain-akamai.com.pem54
-rw-r--r--tests/ocsp-tests/certs/chain-amazon.com-unsorted.pem90
-rw-r--r--tests/ocsp-tests/certs/chain-amazon.com.pem68
-rw-r--r--tests/ocsp-tests/certs/ocsp-akamai.com.derbin0 -> 1033 bytes
-rw-r--r--tests/ocsp-tests/certs/ocsp-amazon.com.derbin0 -> 1608 bytes
-rw-r--r--tests/ocsp-tests/certs/ocsp-server.key144
-rw-r--r--tests/ocsp-tests/certs/ocsp-server.pem20
-rw-r--r--tests/ocsp-tests/certs/ocsp-staple-unrelated.derbin0 -> 1609 bytes
-rw-r--r--tests/ocsp-tests/certs/ocsp_index.txt2
-rw-r--r--tests/ocsp-tests/certs/ocsp_index.txt.attr1
-rw-r--r--tests/ocsp-tests/certs/server_bad.key39
-rw-r--r--tests/ocsp-tests/certs/server_bad.template9
-rw-r--r--tests/ocsp-tests/certs/server_good.key39
-rw-r--r--tests/ocsp-tests/certs/server_good.template9
-rwxr-xr-xtests/ocsp-tests/ocsp-load-chain.sh67
-rwxr-xr-xtests/ocsp-tests/ocsp-must-staple-connection.sh515
-rwxr-xr-xtests/ocsp-tests/ocsp-signer-verify.sh61
-rwxr-xr-xtests/ocsp-tests/ocsp-test.sh72
-rwxr-xr-xtests/ocsp-tests/ocsp-tls-connection.sh231
-rwxr-xr-xtests/ocsp-tests/ocsptool.sh89
-rw-r--r--tests/ocsp-tests/response1.derbin0 -> 1220 bytes
-rw-r--r--tests/ocsp-tests/response1.pem45
-rw-r--r--tests/ocsp-tests/response2.derbin0 -> 1318 bytes
-rw-r--r--tests/ocsp-tests/response2.pem47
-rw-r--r--tests/ocsp-tests/response3.der2
-rw-r--r--tests/ocsp-tests/signer-verify/response-ca.derbin0 -> 1704 bytes
-rw-r--r--tests/ocsp-tests/signer-verify/response-delegated.derbin0 -> 1707 bytes
-rw-r--r--tests/ocsp-tests/signer-verify/response-non-delegated.derbin0 -> 1789 bytes
-rw-r--r--tests/ocsp-tests/signer-verify/trust.pem50
-rw-r--r--tests/ocsp-tests/suppressions.valgrind8
32 files changed, 1824 insertions, 0 deletions
diff --git a/tests/ocsp-tests/certs/ca.key b/tests/ocsp-tests/certs/ca.key
new file mode 100644
index 0000000..3e6f5d8
--- /dev/null
+++ b/tests/ocsp-tests/certs/ca.key
@@ -0,0 +1,144 @@
+Public Key Info:
+ Public Key Algorithm: RSA
+ Key Security Level: Medium (2048 bits)
+
+modulus:
+ 00:a0:55:e9:3e:44:31:28:a3:31:fc:7f:7b:d3:24:
+ 6a:c1:f1:2e:2e:55:0e:fe:20:61:be:58:fe:7b:b1:
+ 8a:54:75:0a:90:91:83:a4:f0:9e:aa:6e:fe:d9:a4:
+ 8f:d5:d4:db:77:b0:66:e2:31:8d:bf:9e:3d:d3:87:
+ ec:09:a2:15:92:98:c5:9a:68:eb:ec:75:87:a1:82:
+ 06:a0:69:8e:78:96:37:5c:a0:b7:f9:8b:b3:a8:c0:
+ a4:90:25:18:e7:e0:ae:38:05:5b:38:3c:87:0b:20:
+ 9c:de:93:e6:09:f7:9c:54:bb:08:b8:45:90:94:5a:
+ bf:a0:ef:80:67:1f:46:74:86:42:ff:4e:fd:e1:99:
+ 0d:40:08:50:63:e8:bb:49:51:a6:23:8d:ef:b5:33:
+ 0d:19:af:10:d9:1e:eb:ee:b4:2c:1c:a0:25:90:f8:
+ ef:46:22:40:76:d4:e9:66:44:45:01:c4:ab:52:42:
+ 6e:1d:e2:5c:1d:52:b8:24:6a:7b:74:74:ef:92:3f:
+ bb:ff:b3:3a:40:f2:80:39:95:08:f4:18:aa:81:c9:
+ fb:70:27:7d:7a:63:b2:74:d3:8e:83:2e:a9:85:de:
+ d1:05:72:0a:0c:c0:78:58:1a:b7:25:d4:bb:14:af:
+ 3e:af:2b:55:35:58:bd:be:be:00:e5:c1:55:30:e2:
+ 76:9d:
+
+public exponent:
+ 01:00:01:
+
+private exponent:
+ 45:69:6b:f4:7c:e9:1b:42:ab:5d:38:83:8e:c0:f1:
+ 46:cc:f6:c5:30:25:b1:76:ab:5a:10:84:fb:5f:bd:
+ 17:1b:24:5b:b9:e3:58:00:a3:6f:fd:65:6f:2b:82:
+ e9:7b:a1:17:8b:d2:be:91:dd:5f:db:4d:c0:c9:d3:
+ 31:c8:6d:b6:6d:54:fe:a7:f5:9b:04:b6:97:01:07:
+ 85:62:ad:3f:1f:29:10:7c:b3:a8:e1:06:02:44:83:
+ f9:b3:55:b8:ec:d7:ff:80:b2:21:02:73:24:2a:16:
+ 3f:75:9f:dd:28:c9:11:15:77:8c:ee:f0:cc:89:0c:
+ f4:cb:3a:b7:6a:1e:c2:4a:be:38:97:c4:8a:e9:c6:
+ 63:12:6f:49:ab:6a:63:15:c2:3e:7a:d1:d9:55:cf:
+ 76:24:e7:f1:2b:f1:42:9c:bd:bd:c1:a4:bd:70:31:
+ 8e:7e:be:7d:2b:83:e7:ee:2e:50:36:3c:2a:db:d8:
+ df:4b:52:ce:d9:8e:ab:03:98:0f:8a:12:f2:01:2f:
+ bb:da:23:23:e4:fd:87:6e:ea:84:70:68:e1:55:8f:
+ 0c:14:99:ee:98:ff:09:9c:d4:11:b7:a1:fe:47:a2:
+ 5f:e7:d6:6f:06:25:cc:c0:b9:bf:01:08:1f:cb:36:
+ d5:fc:fb:be:e0:7f:54:9e:60:4c:f7:41:66:a1:12:
+ 31:
+
+prime1:
+ 00:cf:14:c8:cc:6d:58:82:10:47:f7:d2:4f:4f:d5:
+ db:ad:ef:17:97:94:b1:5d:4e:34:ee:97:9c:46:08:
+ 48:4c:d1:e6:e9:6f:7c:56:b2:2d:63:ba:c5:d1:29:
+ b5:61:c9:fe:96:6a:72:a7:ce:1a:45:90:96:28:0d:
+ 7e:02:7a:74:af:a8:50:d6:8e:d9:86:d1:a0:8d:d9:
+ 6e:7c:05:0b:cd:b4:84:84:78:3f:f2:e5:91:45:cb:
+ a8:04:3c:86:0a:d8:8f:49:31:74:fd:2b:3a:b8:ee:
+ da:e8:01:a7:e7:89:fa:b2:60:1b:de:a3:37:4d:98:
+ e8:a8:5f:0a:68:05:c4:5c:db:
+
+prime2:
+ 00:c6:36:30:e5:d1:3d:76:d2:b2:ef:40:67:77:ce:
+ d8:20:a9:6d:35:c4:1d:45:93:a3:ba:9e:03:d5:ce:
+ 9e:65:d1:ed:f1:52:0e:d9:7b:a9:f6:6e:cd:dd:ea:
+ c1:49:a9:47:24:98:7b:3f:f2:fc:cc:a6:65:06:b7:
+ f2:0a:00:71:31:e8:d0:2a:95:65:06:5b:12:44:8d:
+ 96:17:d2:42:31:c8:57:41:2d:37:24:57:14:0f:97:
+ a1:6f:f1:28:db:67:06:67:06:51:16:58:e8:c6:c8:
+ a7:4c:58:bc:68:69:de:1a:2c:e2:0b:3c:15:d5:28:
+ b4:90:e8:62:20:0a:81:17:e7:
+
+coefficient:
+ 4d:92:c6:fe:bb:a3:0d:d1:33:46:87:75:cb:33:6b:
+ 68:07:d9:3a:d0:48:9c:75:ee:ba:2c:73:c4:96:96:
+ 39:d9:b5:65:d2:20:8d:b9:6a:7f:39:a7:dd:44:ea:
+ 65:8b:fd:2b:dd:0d:08:13:92:c1:98:74:be:5e:cb:
+ e9:14:a4:d9:02:0b:ee:04:ed:de:34:eb:40:51:d6:
+ a4:7e:bf:ba:0f:ee:e6:2c:e8:0b:5b:e7:28:bd:2d:
+ a2:7a:8c:66:83:f6:d6:4c:9f:5d:9c:66:c5:26:1a:
+ 16:44:43:a9:2c:64:fd:3f:54:a2:14:22:81:e0:80:
+ 7f:46:5e:a4:8e:cd:8d:50:
+
+exp1:
+ 2e:1b:72:9a:11:be:a3:36:fc:cf:31:04:77:c2:26:
+ 27:94:14:ac:ab:6e:d2:57:97:71:88:50:43:47:94:
+ d1:85:ea:e4:0e:ee:a0:5f:0b:bc:28:d9:e2:b8:66:
+ aa:5f:4f:50:2e:63:58:f9:8a:df:f2:51:7c:99:84:
+ 75:08:ce:f2:4d:87:b2:3e:1c:30:e8:7b:d7:19:92:
+ 80:0a:9f:96:2d:9b:53:e3:72:59:a2:c3:b5:c6:a2:
+ a2:4e:d7:89:92:ae:54:9d:ae:6e:b0:31:62:fb:cb:
+ c1:dc:9c:85:f1:32:e0:84:85:b0:0c:a7:43:9f:c8:
+ 2d:b4:fb:9c:2d:ac:8b:
+
+exp2:
+ 4e:79:88:14:85:2a:1b:90:41:ed:bd:86:f9:85:38:
+ 46:7e:2d:d1:da:aa:68:30:92:e3:40:ca:6d:ed:17:
+ 03:63:01:1c:c9:0b:3e:09:da:f9:c9:56:d2:64:ae:
+ 50:16:a8:27:12:03:c2:06:d7:15:c3:4f:3e:40:b7:
+ a0:44:1a:8c:d3:0b:0f:c1:04:35:66:fb:2d:8f:0c:
+ fc:b3:6f:27:bc:94:e7:26:1a:ad:d5:98:08:b0:54:
+ e7:38:08:a0:0d:03:18:e9:04:53:9f:b1:d1:7a:01:
+ da:95:4b:4a:df:97:62:af:a0:73:28:3f:d0:9c:04:
+ 19:57:17:fa:6d:8e:3c:c3:
+
+
+Public Key ID: 2D:D8:14:9A:16:D5:6D:FE:FB:B0:E0:DE:F1:F5:C5:23:0B:D3:62:BE
+Public key's random art:
++--[ RSA 2048]----+
+| ..o. . |
+| + .. o |
+| + . o |
+| . + . . |
+| . S . . |
+| . . .. |
+| =.ooo+|
+| o.+o+==|
+| E+.o.+|
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIEoAIBAAKCAQEAoFXpPkQxKKMx/H970yRqwfEuLlUO/iBhvlj+e7GKVHUKkJGD
+pPCeqm7+2aSP1dTbd7Bm4jGNv54904fsCaIVkpjFmmjr7HWHoYIGoGmOeJY3XKC3
++YuzqMCkkCUY5+CuOAVbODyHCyCc3pPmCfecVLsIuEWQlFq/oO+AZx9GdIZC/079
+4ZkNQAhQY+i7SVGmI43vtTMNGa8Q2R7r7rQsHKAlkPjvRiJAdtTpZkRFAcSrUkJu
+HeJcHVK4JGp7dHTvkj+7/7M6QPKAOZUI9Biqgcn7cCd9emOydNOOgy6phd7RBXIK
+DMB4WBq3JdS7FK8+rytVNVi9vr4A5cFVMOJ2nQIDAQABAoIBAEVpa/R86RtCq104
+g47A8UbM9sUwJbF2q1oQhPtfvRcbJFu541gAo2/9ZW8rgul7oReL0r6R3V/bTcDJ
+0zHIbbZtVP6n9ZsEtpcBB4VirT8fKRB8s6jhBgJEg/mzVbjs1/+AsiECcyQqFj91
+n90oyREVd4zu8MyJDPTLOrdqHsJKvjiXxIrpxmMSb0mramMVwj560dlVz3Yk5/Er
+8UKcvb3BpL1wMY5+vn0rg+fuLlA2PCrb2N9LUs7ZjqsDmA+KEvIBL7vaIyPk/Ydu
+6oRwaOFVjwwUme6Y/wmc1BG3of5Hol/n1m8GJczAub8BCB/LNtX8+77gf1SeYEz3
+QWahEjECgYEAzxTIzG1YghBH99JPT9Xbre8Xl5SxXU407pecRghITNHm6W98VrIt
+Y7rF0Sm1Ycn+lmpyp84aRZCWKA1+Anp0r6hQ1o7ZhtGgjdlufAULzbSEhHg/8uWR
+RcuoBDyGCtiPSTF0/Ss6uO7a6AGn54n6smAb3qM3TZjoqF8KaAXEXNsCgYEAxjYw
+5dE9dtKy70Bnd87YIKltNcQdRZOjup4D1c6eZdHt8VIO2Xup9m7N3erBSalHJJh7
+P/L8zKZlBrfyCgBxMejQKpVlBlsSRI2WF9JCMchXQS03JFcUD5ehb/Eo22cGZwZR
+FljoxsinTFi8aGneGiziCzwV1Si0kOhiIAqBF+cCfy4bcpoRvqM2/M8xBHfCJieU
+FKyrbtJXl3GIUENHlNGF6uQO7qBfC7wo2eK4ZqpfT1AuY1j5it/yUXyZhHUIzvJN
+h7I+HDDoe9cZkoAKn5Ytm1Pjclmiw7XGoqJO14mSrlSdrm6wMWL7y8HcnIXxMuCE
+hbAMp0OfyC20+5wtrIsCgYBOeYgUhSobkEHtvYb5hThGfi3R2qpoMJLjQMpt7RcD
+YwEcyQs+Cdr5yVbSZK5QFqgnEgPCBtcVw08+QLegRBqM0wsPwQQ1Zvstjwz8s28n
+vJTnJhqt1ZgIsFTnOAigDQMY6QRTn7HRegHalUtK35dir6BzKD/QnAQZVxf6bY48
+wwKBgE2Sxv67ow3RM0aHdcsza2gH2TrQSJx17rosc8SWljnZtWXSII25an85p91E
+6mWL/SvdDQgTksGYdL5ey+kUpNkCC+4E7d4060BR1qR+v7oP7uYs6Atb5yi9LaJ6
+jGaD9tZMn12cZsUmGhZEQ6ksZP0/VKIUIoHggH9GXqSOzY1Q
+-----END RSA PRIVATE KEY-----
diff --git a/tests/ocsp-tests/certs/ca.pem b/tests/ocsp-tests/certs/ca.pem
new file mode 100644
index 0000000..2a5b006
--- /dev/null
+++ b/tests/ocsp-tests/certs/ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8DCCAdigAwIBAgIIVvMK4C5SmsswDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
+AxMRVGVzdGluZyBBdXRob3JpdHkwIhgPMjAxNjAzMjMyMTMwMTVaGA85OTk5MTIz
+MTIzNTk1OVowHDEaMBgGA1UEAxMRVGVzdGluZyBBdXRob3JpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgVek+RDEoozH8f3vTJGrB8S4uVQ7+IGG+
+WP57sYpUdQqQkYOk8J6qbv7ZpI/V1Nt3sGbiMY2/nj3Th+wJohWSmMWaaOvsdYeh
+ggagaY54ljdcoLf5i7OowKSQJRjn4K44BVs4PIcLIJzek+YJ95xUuwi4RZCUWr+g
+74BnH0Z0hkL/Tv3hmQ1ACFBj6LtJUaYjje+1Mw0ZrxDZHuvutCwcoCWQ+O9GIkB2
+1OlmREUBxKtSQm4d4lwdUrgkant0dO+SP7v/szpA8oA5lQj0GKqByftwJ316Y7J0
+046DLqmF3tEFcgoMwHhYGrcl1LsUrz6vK1U1WL2+vgDlwVUw4nadAgMBAAGjMjAw
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFC3YFJoW1W3++7Dg3vH1xSML02K+
+MA0GCSqGSIb3DQEBCwUAA4IBAQBhhfGrP9BMNaa60Cjikm1Qd56yCxew/XzsSiBF
+BDqa7WBoI7735Khu8Q0ET0ryIlct19MGUKc8rQoL5I13kPELCCDJ62KY8uokQkZA
+5bYt4lKses6Owe4mGhCHSisurgp+c/0T7YuViSHqr4N1qkzXjl41iCt2nOnETqlH
+FJS8ctQLpDUWLr6VbM0LvRQ7PXnHQOWjrwb29FpVY2xFN+xFbqL3msgaYD9HNiO8
+btswJKGzXZ+yWDThiceMffFjJXAj9GVOztMMJPcv1PxcQEanxSMwwtiWp04ti8ch
+3UMPIlgL2gZLG+7y3TJ59vaa17XyoXAly1RAsUibiNbMBxEw
+-----END CERTIFICATE-----
diff --git a/tests/ocsp-tests/certs/chain-akamai.com.pem b/tests/ocsp-tests/certs/chain-akamai.com.pem
new file mode 100644
index 0000000..bcb506e
--- /dev/null
+++ b/tests/ocsp-tests/certs/chain-akamai.com.pem
@@ -0,0 +1,54 @@
+-----BEGIN CERTIFICATE-----
+MIIEujCCBGCgAwIBAgIQY7nsfv+YgzXxE9Z9L4ZNNTAKBggqhkjOPQQDAjCBgDEL
+MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
+VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQDEyhTeW1hbnRlYyBD
+bGFzcyAzIEVDQyAyNTYgYml0IFNTTCBDQSAtIEcyMB4XDTE2MDcyODAwMDAwMFoX
+DTE3MDcyODIzNTk1OVoweTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1
+c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEiMCAGA1UECgwZQWthbWFpIFRlY2hu
+b2xvZ2llcywgSW5jLjEaMBgGA1UEAwwRYTI0OC5lLmFrYW1haS5uZXQwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAAQCpvwTzWb1uqosqE52ItPukH6zYbx1GjvTx4Bg
+HGulRdgt9psnHybLLv404jXSmt1KkitP6xmokBA4qb1HZnQro4ICwDCCArwwbgYD
+VR0RBGcwZYIOKi5ha2FtYWloZC5uZXSCFiouYWthbWFpaGQtc3RhZ2luZy5uZXSC
+FyouYWthbWFpemVkLXN0YWdpbmcubmV0gg8qLmFrYW1haXplZC5uZXSCEWEyNDgu
+ZS5ha2FtYWkubmV0MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMGEGA1UdIARa
+MFgwVgYGZ4EMAQICMEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20v
+Y3BzMCUGCCsGAQUFBwICMBkMF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMCsGA1Ud
+HwQkMCIwIKAeoByGGmh0dHA6Ly9yYy5zeW1jYi5jb20vcmMuY3JsMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQl8IrhS3rZAZUK7cZT
+8Yx4H9nz+DBXBggrBgEFBQcBAQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9yYy5z
+eW1jZC5jb20wJgYIKwYBBQUHMAKGGmh0dHA6Ly9yYy5zeW1jYi5jb20vcmMuY3J0
+MIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYA3esdK3oNT6Ygi4GtgWhwfi6OnQHV
+XIiNPRHEzbbsvswAAAFWMxw8DAAABAMARzBFAiEA0jnhAc04ytMqwcpzdhepDolx
+k4/Ly01z7TbzhrdEm68CIDBoqkfHeUf/Egy4Dc6WtF7d4Yaz6VQwtPZtE62nYobW
+AHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFWMxw8aQAABAMA
+RzBFAiEAtmv/WDAEkIzPoAmNg8rDB3hxjrqDE28O9ypcHfLfDKQCIAkexztlslo9
+vvg88draHLAFn6LehOKa+CDmG+7iBshSMAoGCCqGSM49BAMCA0gAMEUCIQCaLLx7
+OCmOUhNgoZX/s6pyGzE4p5dFiLJJm3u6dDw/jQIgS8vB1RZeveychMbXDPrx5y/W
+HvfPyxlCkvHQR9TX15o=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEajCCA1KgAwIBAgIQP5KHvp0dpKN6nfYoLndaxDANBgkqhkiG9w0BAQsFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMTUwNTEyMDAwMDAwWhcNMjUwNTExMjM1OTU5WjCBgDEL
+MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
+VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQDEyhTeW1hbnRlYyBD
+bGFzcyAzIEVDQyAyNTYgYml0IFNTTCBDQSAtIEcyMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEDxukkdfnrOfRTk63ZFvhj39uBNOrONtEt0Bcbb2WljffeYmGZ/ex
+Hwie/WM7RoyfvVPoFdyXPiuBRq2Gfw4BOaOCAV0wggFZMC4GCCsGAQUFBwEBBCIw
+IDAeBggrBgEFBQcwAYYSaHR0cDovL3Muc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwZQYDVR0gBF4wXDBaBgpghkgBhvhFAQc2MEwwIwYIKwYBBQUHAgEWF2h0
+dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkaF2h0dHBzOi8vZC5z
+eW1jYi5jb20vcnBhMC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9zLnN5bWNiLmNv
+bS9wY2EzLWc1LmNybDAOBgNVHQ8BAf8EBAMCAQYwKwYDVR0RBCQwIqQgMB4xHDAa
+BgNVBAMTE1NZTUMtRUNDLUNBLXAyNTYtMjIwHQYDVR0OBBYEFCXwiuFLetkBlQrt
+xlPxjHgf2fP4MB8GA1UdIwQYMBaAFH/TZafC3ey78DAJ80M5+gKvMzEzMA0GCSqG
+SIb3DQEBCwUAA4IBAQAMMGUXBaWTdaLxsTGtcB/naqjIQrLvoV9NG+7MoHpGd/69
+dZ/h2zOy7sGFUHoG/0HGRA9rxT/5w5GkEVIVkxtWyIWWq6rs4CTZt8Bej/KHYRbo
+jtEDUkCTZSTLiCvguPyvinXgxy+LHT+PmdtEfXsvcdbeBSWUYpOsDYvD2hNtz9dw
+Od5nBosMApmdxt+z7LQyZu8wMnfI1U6IMO+RWowxZ8uy0oswdFYd32l9xe+aAE/k
+y9alLu/M9pvxiUKufqHJRgDBKA6uDjHLMPX+/nxXaNCPX3SI4KVZ1stHQ/U5oNlM
+dHN9umAvlU313g0IgJrjsQ2nIdf9dsdP+6lrmP7s
+-----END CERTIFICATE-----
diff --git a/tests/ocsp-tests/certs/chain-amazon.com-unsorted.pem b/tests/ocsp-tests/certs/chain-amazon.com-unsorted.pem
new file mode 100644
index 0000000..fc3818b
--- /dev/null
+++ b/tests/ocsp-tests/certs/chain-amazon.com-unsorted.pem
@@ -0,0 +1,90 @@
+-----BEGIN CERTIFICATE-----
+MIIGmzCCBYOgAwIBAgIQHUq9qnjQmv55nUG863p2YjANBgkqhkiG9w0BAQsFADB+
+MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
+BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVj
+IENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MB4XDTE2MTAzMTAwMDAwMFoX
+DTE3MTIzMTIzNTk1OVowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0
+b24xEDAOBgNVBAcMB1NlYXR0bGUxGTAXBgNVBAoMEEFtYXpvbi5jb20sIEluYy4x
+FzAVBgNVBAMMDnd3dy5hbWF6b24uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAwlooZ3Wf+B8c1nTZj/14wCPIjyhcOV5ytEZQDbtftWixOxTpG2Sl
+k2GI1pztESpopBmbY/haM5YNWDYDHr01AQvzAqwsNyz5sX4rytkIEWI92DomKbvx
+QKry0m0Zuj9MzabZb2vHb0dbWwUl2yXn5nlfHJSfmD0TS3UFNaQzXExFnlKU/i7V
+omLEB/O9OtfJ0V2XZzbzOx3RfvTy5wmn4AxCC7nGRklNBKVa+npRl0zj+loyCaM+
+AF5YV9ZbURIuxYiZOW3u2a66VzYwCRa2EdtIbPALO/dSrFNAuaAhKqpFN0OB42d1
+6IWUOKiMiHDJL512YAJJBmfQPI7fVQtXJwIDAQABo4IDKTCCAyUwgdQGA1UdEQSB
+zDCByYIKYW1hem9uLmNvbYIIYW16bi5jb22CEXVlZGF0YS5hbWF6b24uY29tgg11
+cy5hbWF6b24uY29tgg53d3cuYW1hem9uLmNvbYIMd3d3LmFtem4uY29tghRjb3Jw
+b3JhdGUuYW1hem9uLmNvbYIRYnV5Ym94LmFtYXpvbi5jb22CEWlwaG9uZS5hbWF6
+b24uY29tgg15cC5hbWF6b24uY29tgg9ob21lLmFtYXpvbi5jb22CFW9yaWdpbi13
+d3cuYW1hem9uLmNvbTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwYQYDVR0gBFowWDBWBgZngQwBAgIwTDAj
+BggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIw
+GQwXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHwYDVR0jBBgwFoAUX2DPYZBV34RD
+FIpgKrL1evRDGO8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL3NzLnN5bWNiLmNv
+bS9zcy5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vc3Mu
+c3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc3Muc3ltY2IuY29tL3NzLmNy
+dDCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3AN3rHSt6DU+mIIuBrYFocH4ujp0B
+1VyIjT0RxM227L7MAAABWBifyfEAAAQDAEgwRgIhAOnxZYIIOlu0L1nvY3+yk8Ay
+gYzt3RsoZD1Wcs5Tl+W/AiEArj03tMyYoSa1I25zrqujXDQp5GnMXoI0MHAXINWc
+EV0AdwBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVgYn8oaAAAE
+AwBIMEYCIQDRlQQ8KC2R/bvOeWJr0FGedxbjE4OglejZEYKSCHekRQIhALbGyJPw
+AagwlRnFD5iqE1ZzSTO6uadnKEazPJcW2sRnMA0GCSqGSIb3DQEBCwUAA4IBAQA6
+5KlsAxxtgfs05qV0ywTqM6qGzBkMIgJzJpCh9OR+X+STrfjphnLQlOwIuHxiF0oV
+phsf9oYW6TYQimBIKoFpP94WbG2ojsr39YJ6kiDhudt3ef24QnZ3AtnXM5OLVv46
+iwZst4TwdwO3/Ialn7ql3sVX7+13yscEXfwfMT0JI1yzl+vZ8tR6bc5X9HqwjuAD
+JelImPs/TxshDt3JRhbUuKcFxjaEcEtRqoGemgZgEpRnifUSBvnl01IVzb71DGWu
+Bpx0qrpruMAUU1lOJrg/rwQMSXC2lSZDiDn1cjK0z+XLi7x86N/7jW6zKh5RjSgr
+r6H7ZhiwtwpJzLsjT1CX
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzQwHhcNMDcxMTA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCByjELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJp
+U2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwg
+SW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2ln
+biBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
+IC0gRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASnVnp8Utpkmw4tXNherJI9/gHm
+GUo9FANL+mAnINmDiWn6VMaaGF5VKmTeBvaNSjutEDxlPZCIBIngMGGzrl0Bp3ve
+fLK+ymVhAIau2o970ImtTR1ZmkGxvEeA3J5iw/mjgbIwga8wDwYDVR0TAQH/BAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJ
+aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYj
+aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFLMW
+kf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMDA2gAMGUCMGYhDBgmYFo4e1ZC
+4Kf8NoRRkSAsdk1DPcQdhCPQrNZ8NQbOzWm9kA3bbEhCHQ6qQgIxAJw9SDkjOVga
+FRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
+CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
+BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
+YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
+A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
+9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
+s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
+L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
+Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
+AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
+Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
+HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
+hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
+Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
+A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
+FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
+Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
+H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
+Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
+QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
+TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
+Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
+-----END CERTIFICATE-----
diff --git a/tests/ocsp-tests/certs/chain-amazon.com.pem b/tests/ocsp-tests/certs/chain-amazon.com.pem
new file mode 100644
index 0000000..970f695
--- /dev/null
+++ b/tests/ocsp-tests/certs/chain-amazon.com.pem
@@ -0,0 +1,68 @@
+-----BEGIN CERTIFICATE-----
+MIIGmzCCBYOgAwIBAgIQHUq9qnjQmv55nUG863p2YjANBgkqhkiG9w0BAQsFADB+
+MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
+BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVj
+IENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MB4XDTE2MTAzMTAwMDAwMFoX
+DTE3MTIzMTIzNTk1OVowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0
+b24xEDAOBgNVBAcMB1NlYXR0bGUxGTAXBgNVBAoMEEFtYXpvbi5jb20sIEluYy4x
+FzAVBgNVBAMMDnd3dy5hbWF6b24uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAwlooZ3Wf+B8c1nTZj/14wCPIjyhcOV5ytEZQDbtftWixOxTpG2Sl
+k2GI1pztESpopBmbY/haM5YNWDYDHr01AQvzAqwsNyz5sX4rytkIEWI92DomKbvx
+QKry0m0Zuj9MzabZb2vHb0dbWwUl2yXn5nlfHJSfmD0TS3UFNaQzXExFnlKU/i7V
+omLEB/O9OtfJ0V2XZzbzOx3RfvTy5wmn4AxCC7nGRklNBKVa+npRl0zj+loyCaM+
+AF5YV9ZbURIuxYiZOW3u2a66VzYwCRa2EdtIbPALO/dSrFNAuaAhKqpFN0OB42d1
+6IWUOKiMiHDJL512YAJJBmfQPI7fVQtXJwIDAQABo4IDKTCCAyUwgdQGA1UdEQSB
+zDCByYIKYW1hem9uLmNvbYIIYW16bi5jb22CEXVlZGF0YS5hbWF6b24uY29tgg11
+cy5hbWF6b24uY29tgg53d3cuYW1hem9uLmNvbYIMd3d3LmFtem4uY29tghRjb3Jw
+b3JhdGUuYW1hem9uLmNvbYIRYnV5Ym94LmFtYXpvbi5jb22CEWlwaG9uZS5hbWF6
+b24uY29tgg15cC5hbWF6b24uY29tgg9ob21lLmFtYXpvbi5jb22CFW9yaWdpbi13
+d3cuYW1hem9uLmNvbTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwYQYDVR0gBFowWDBWBgZngQwBAgIwTDAj
+BggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIw
+GQwXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHwYDVR0jBBgwFoAUX2DPYZBV34RD
+FIpgKrL1evRDGO8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL3NzLnN5bWNiLmNv
+bS9zcy5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vc3Mu
+c3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc3Muc3ltY2IuY29tL3NzLmNy
+dDCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3AN3rHSt6DU+mIIuBrYFocH4ujp0B
+1VyIjT0RxM227L7MAAABWBifyfEAAAQDAEgwRgIhAOnxZYIIOlu0L1nvY3+yk8Ay
+gYzt3RsoZD1Wcs5Tl+W/AiEArj03tMyYoSa1I25zrqujXDQp5GnMXoI0MHAXINWc
+EV0AdwBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVgYn8oaAAAE
+AwBIMEYCIQDRlQQ8KC2R/bvOeWJr0FGedxbjE4OglejZEYKSCHekRQIhALbGyJPw
+AagwlRnFD5iqE1ZzSTO6uadnKEazPJcW2sRnMA0GCSqGSIb3DQEBCwUAA4IBAQA6
+5KlsAxxtgfs05qV0ywTqM6qGzBkMIgJzJpCh9OR+X+STrfjphnLQlOwIuHxiF0oV
+phsf9oYW6TYQimBIKoFpP94WbG2ojsr39YJ6kiDhudt3ef24QnZ3AtnXM5OLVv46
+iwZst4TwdwO3/Ialn7ql3sVX7+13yscEXfwfMT0JI1yzl+vZ8tR6bc5X9HqwjuAD
+JelImPs/TxshDt3JRhbUuKcFxjaEcEtRqoGemgZgEpRnifUSBvnl01IVzb71DGWu
+Bpx0qrpruMAUU1lOJrg/rwQMSXC2lSZDiDn1cjK0z+XLi7x86N/7jW6zKh5RjSgr
+r6H7ZhiwtwpJzLsjT1CX
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
+CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
+BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
+YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
+A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
+9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
+s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
+L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
+Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
+AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
+Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
+HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
+hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
+Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
+A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
+FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
+Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
+H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
+Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
+QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
+TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
+Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
+-----END CERTIFICATE-----
diff --git a/tests/ocsp-tests/certs/ocsp-akamai.com.der b/tests/ocsp-tests/certs/ocsp-akamai.com.der
new file mode 100644
index 0000000..0687207
--- /dev/null
+++ b/tests/ocsp-tests/certs/ocsp-akamai.com.der
Binary files differ
diff --git a/tests/ocsp-tests/certs/ocsp-amazon.com.der b/tests/ocsp-tests/certs/ocsp-amazon.com.der
new file mode 100644
index 0000000..71f8f8f
--- /dev/null
+++ b/tests/ocsp-tests/certs/ocsp-amazon.com.der
Binary files differ
diff --git a/tests/ocsp-tests/certs/ocsp-server.key b/tests/ocsp-tests/certs/ocsp-server.key
new file mode 100644
index 0000000..3092de2
--- /dev/null
+++ b/tests/ocsp-tests/certs/ocsp-server.key
@@ -0,0 +1,144 @@
+Public Key Info:
+ Public Key Algorithm: RSA
+ Key Security Level: Medium (2048 bits)
+
+modulus:
+ 00:d3:02:64:0a:0d:62:25:6e:e1:f4:ec:6d:f0:84:
+ dc:45:38:6e:5e:eb:24:2b:8c:a9:92:81:11:51:d9:
+ e3:44:cf:6d:5c:3f:d1:b2:12:16:7b:3e:ee:b2:b9:
+ 95:ac:d3:62:fb:d2:b9:32:75:74:26:47:9a:7c:16:
+ af:df:c9:93:9e:17:2e:b8:9e:67:25:61:f5:f3:cf:
+ eb:08:1e:77:71:fe:ac:2f:23:78:10:18:aa:0c:e3:
+ 2e:3a:79:f5:11:76:16:37:0f:b6:3e:9b:b5:fb:07:
+ 2d:b1:ef:08:d8:c6:78:e8:5d:97:a4:f0:c7:4f:cc:
+ 31:80:04:be:b5:da:d9:19:40:73:fd:5b:14:3e:93:
+ 6d:20:4e:cc:7a:cd:82:94:06:0c:45:3f:ce:33:af:
+ b1:22:55:2d:f7:5e:83:38:1d:bf:73:5a:61:c2:73:
+ d4:1d:c2:6d:66:5f:1d:b9:0e:9e:a8:39:1f:7b:a1:
+ 04:bf:49:af:a9:04:cf:a1:81:ff:1b:81:48:16:77:
+ 51:97:28:e6:b5:73:c4:56:02:c2:47:fc:59:a4:4d:
+ 39:0a:31:d0:d3:70:19:3a:20:2b:33:fa:97:f9:8c:
+ 16:5e:da:ad:86:c6:af:06:87:f8:ec:93:9e:18:d0:
+ a0:c1:91:ce:ab:09:89:ec:47:3d:4e:5a:64:18:73:
+ d4:95:
+
+public exponent:
+ 01:00:01:
+
+private exponent:
+ 00:95:9c:e8:59:c8:4b:82:c7:30:27:7d:4c:26:71:
+ cd:cc:b6:ca:6b:3a:c6:96:aa:51:c1:b3:0a:18:c3:
+ 29:45:ac:dd:99:bf:16:6b:f0:2f:48:8b:c2:ab:ae:
+ b2:d5:ab:bc:4f:59:86:3e:a4:d1:0a:23:53:02:11:
+ 03:fa:e4:ee:69:f5:7e:07:21:29:79:74:0f:f4:23:
+ c4:3e:29:7b:ff:b3:d7:5a:45:07:e8:41:d4:b0:f6:
+ 93:dc:9a:84:8d:30:f1:67:71:18:83:23:dc:d0:74:
+ b2:8d:ab:32:d6:a1:43:31:5e:cb:1b:04:2e:0e:02:
+ 76:46:93:16:b5:d2:ca:83:ff:c8:5a:c4:b0:dd:1a:
+ fa:8b:4c:3e:7e:50:ad:6f:87:4f:56:46:09:8a:33:
+ 0f:16:ff:c0:e0:ce:8c:a4:78:27:f4:9b:f2:9c:44:
+ a0:0d:33:42:07:16:1e:7f:4c:d8:79:54:d6:ce:24:
+ f0:bc:85:67:97:04:7c:43:f3:89:60:41:91:14:b5:
+ eb:e7:7d:71:3a:ac:73:eb:4c:1b:ee:1e:c2:91:47:
+ 4e:be:a5:af:94:bc:97:a5:67:61:f6:8c:a6:e9:4f:
+ 46:dd:f6:a7:4d:df:ea:25:58:1b:d7:e8:43:e8:13:
+ f6:a1:94:2d:85:8d:df:ee:38:85:fd:2a:5c:1e:c8:
+ 68:01:
+
+prime1:
+ 00:d4:b0:87:a1:7f:b7:8c:ef:99:fb:5d:d7:e4:0a:
+ 62:78:aa:00:46:dc:01:6d:aa:fc:22:a0:0a:76:54:
+ d1:ea:3b:54:69:7c:ed:39:64:3d:14:13:48:9c:a5:
+ 60:66:9f:d0:7e:8c:09:34:23:c7:60:16:58:c6:dd:
+ 60:05:3c:07:e4:80:b8:17:c9:10:5d:a1:1d:74:b7:
+ 61:b4:42:24:04:73:a3:c4:ed:72:47:58:86:c6:ef:
+ 59:af:79:77:02:2e:c1:62:1e:db:c3:6e:67:05:ca:
+ 70:10:b2:88:9a:23:6c:c8:5d:4e:af:e8:a6:c9:89:
+ 39:97:21:23:99:bf:e4:94:81:
+
+prime2:
+ 00:fd:fa:45:55:f4:ac:5d:da:54:49:4f:1e:96:3a:
+ 8b:95:bc:3a:bf:6c:ad:a9:54:94:90:e6:fd:10:49:
+ 74:2e:00:18:43:b9:55:2c:a4:37:19:d8:95:d2:c7:
+ f1:b2:47:c1:c4:27:f6:d7:d9:76:df:89:43:0e:34:
+ f0:84:ba:26:5e:97:94:de:30:db:55:ee:83:51:51:
+ 5e:4f:59:6a:52:69:ca:ed:58:e7:eb:00:46:c1:3c:
+ 58:be:82:d5:c0:77:64:9b:73:af:77:1a:de:3d:56:
+ 15:90:90:94:97:67:6e:35:aa:14:b7:43:fc:9a:76:
+ 17:2a:f5:d5:7d:ce:68:a6:15:
+
+coefficient:
+ 36:6e:b8:49:6c:ae:c6:be:21:a2:69:b9:35:af:ff:
+ 43:90:70:1c:6b:c2:b5:cd:dc:29:dc:5b:bf:50:f3:
+ d0:63:43:be:bc:5d:f8:9b:64:3c:6e:6e:6b:ee:78:
+ 48:7a:06:6c:15:85:db:90:e1:bb:ca:ad:23:fd:33:
+ 04:eb:89:d2:29:c1:c2:4c:69:80:42:c3:6d:9c:e5:
+ e4:10:f7:4f:f0:68:3b:fb:7e:e6:3d:4c:26:fc:28:
+ d2:27:f5:43:70:1f:e7:93:ce:58:7b:d5:c0:fc:bf:
+ 31:4f:52:ff:37:de:f8:f7:f8:1a:42:44:5f:d3:b1:
+ 02:ed:2d:07:5a:4a:e0:da:
+
+exp1:
+ 00:ae:cb:35:6c:40:6e:34:e1:65:06:f4:24:cd:40:
+ cb:94:a7:01:fb:3a:2b:e2:59:37:45:ad:89:6b:9e:
+ 61:b5:c2:74:a9:0d:06:58:b8:4c:8a:07:1f:11:bd:
+ c7:f0:0f:3f:66:00:e8:3f:75:78:11:3b:cc:52:02:
+ f5:3a:d8:0f:14:77:c4:d3:a7:66:4f:cc:6d:4c:d2:
+ b8:f5:4f:b6:12:02:87:80:fc:33:82:f6:fa:2c:db:
+ e0:35:19:f9:f8:4d:3c:98:cb:0b:89:1d:5e:85:9f:
+ cd:61:ab:98:20:35:24:dd:b5:f1:49:18:46:9a:32:
+ b0:a5:c7:92:5e:75:1a:02:01:
+
+exp2:
+ 2e:09:f8:17:a4:ca:ba:18:a1:be:c8:40:db:2a:b1:
+ b2:ea:f4:1b:4f:30:0b:c9:f1:44:73:1a:dc:a0:f4:
+ 16:82:9d:e3:68:ed:2f:b2:74:ea:92:80:56:3d:38:
+ 6b:00:e6:f7:0f:e7:87:29:3c:8b:38:ee:96:dc:b1:
+ dc:dd:81:a7:14:03:40:63:ca:de:c0:e5:bd:0f:ea:
+ f0:a7:5c:c6:a3:b6:cd:5f:98:6a:d9:19:fa:5d:5e:
+ 18:ea:ce:a4:9c:ff:f7:cd:f8:b8:b6:7e:22:d0:40:
+ 08:7c:ac:f2:e5:24:ed:45:6f:8b:e9:1f:19:40:de:
+ e2:42:bd:f8:98:3a:10:21:
+
+
+Public Key ID: E7:3E:A1:70:15:01:A8:DA:F2:70:43:EF:4C:C8:87:1A:C3:98:74:3D
+Public key's random art:
++--[ RSA 2048]----+
+| ..... |
+| . . |
+| .. . |
+| . .oE . |
+|.+.= +. S.. |
+|o B B = .o. |
+| O * o ... |
+| . . o ... |
+| .. |
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0wJkCg1iJW7h9Oxt8ITcRThuXuskK4ypkoERUdnjRM9tXD/R
+shIWez7usrmVrNNi+9K5MnV0JkeafBav38mTnhcuuJ5nJWH188/rCB53cf6sLyN4
+EBiqDOMuOnn1EXYWNw+2Ppu1+wctse8I2MZ46F2XpPDHT8wxgAS+tdrZGUBz/VsU
+PpNtIE7Mes2ClAYMRT/OM6+xIlUt916DOB2/c1phwnPUHcJtZl8duQ6eqDkfe6EE
+v0mvqQTPoYH/G4FIFndRlyjmtXPEVgLCR/xZpE05CjHQ03AZOiArM/qX+YwWXtqt
+hsavBof47JOeGNCgwZHOqwmJ7Ec9TlpkGHPUlQIDAQABAoIBAQCVnOhZyEuCxzAn
+fUwmcc3MtsprOsaWqlHBswoYwylFrN2ZvxZr8C9Ii8KrrrLVq7xPWYY+pNEKI1MC
+EQP65O5p9X4HISl5dA/0I8Q+KXv/s9daRQfoQdSw9pPcmoSNMPFncRiDI9zQdLKN
+qzLWoUMxXssbBC4OAnZGkxa10sqD/8haxLDdGvqLTD5+UK1vh09WRgmKMw8W/8Dg
+zoykeCf0m/KcRKANM0IHFh5/TNh5VNbOJPC8hWeXBHxD84lgQZEUtevnfXE6rHPr
+TBvuHsKRR06+pa+UvJelZ2H2jKbpT0bd9qdN3+olWBvX6EPoE/ahlC2Fjd/uOIX9
+KlweyGgBAoGBANSwh6F/t4zvmftd1+QKYniqAEbcAW2q/CKgCnZU0eo7VGl87Tlk
+PRQTSJylYGaf0H6MCTQjx2AWWMbdYAU8B+SAuBfJEF2hHXS3YbRCJARzo8TtckdY
+hsbvWa95dwIuwWIe28NuZwXKcBCyiJojbMhdTq/opsmJOZchI5m/5JSBAoGBAP36
+RVX0rF3aVElPHpY6i5W8Or9sralUlJDm/RBJdC4AGEO5VSykNxnYldLH8bJHwcQn
+9tfZdt+JQw408IS6Jl6XlN4w21Xug1FRXk9ZalJpyu1Y5+sARsE8WL6C1cB3ZJtz
+r3ca3j1WFZCQlJdnbjWqFLdD/Jp2Fyr11X3OaKYVAoGBAK7LNWxAbjThZQb0JM1A
+y5SnAfs6K+JZN0WtiWueYbXCdKkNBli4TIoHHxG9x/APP2YA6D91eBE7zFIC9TrY
+DxR3xNOnZk/MbUzSuPVPthICh4D8M4L2+izb4DUZ+fhNPJjLC4kdXoWfzWGrmCA1
+JN218UkYRpoysKXHkl51GgIBAoGALgn4F6TKuhihvshA2yqxsur0G08wC8nxRHMa
+3KD0FoKd42jtL7J06pKAVj04awDm9w/nhyk8izjultyx3N2BpxQDQGPK3sDlvQ/q
+8KdcxqO2zV+YatkZ+l1eGOrOpJz/9834uLZ+ItBACHys8uUk7UVvi+kfGUDe4kK9
++Jg6ECECgYA2brhJbK7GviGiabk1r/9DkHAca8K1zdwp3Fu/UPPQY0O+vF34m2Q8
+bm5r7nhIegZsFYXbkOG7yq0j/TME64nSKcHCTGmAQsNtnOXkEPdP8Gg7+37mPUwm
+/CjSJ/VDcB/nk85Ye9XA/L8xT1L/N9749/gaQkRf07EC7S0HWkrg2g==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/ocsp-tests/certs/ocsp-server.pem b/tests/ocsp-tests/certs/ocsp-server.pem
new file mode 100644
index 0000000..fb9d2f9
--- /dev/null
+++ b/tests/ocsp-tests/certs/ocsp-server.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgIMVvMY1hLemRdsyqHgMA0GCSqGSIb3DQEBCwUAMBwxGjAY
+BgNVBAMTEVRlc3RpbmcgQXV0aG9yaXR5MB4XDTE2MDMyMzIyMjk0MloXDTE3MDMy
+MzIyMjk0MlowKzEpMCcGA1UEAxMgVGVzdGluZyBBdXRob3JpdHkgT0NTUCBSZXNw
+b25kZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTAmQKDWIlbuH0
+7G3whNxFOG5e6yQrjKmSgRFR2eNEz21cP9GyEhZ7Pu6yuZWs02L70rkydXQmR5p8
+Fq/fyZOeFy64nmclYfXzz+sIHndx/qwvI3gQGKoM4y46efURdhY3D7Y+m7X7By2x
+7wjYxnjoXZek8MdPzDGABL612tkZQHP9WxQ+k20gTsx6zYKUBgxFP84zr7EiVS33
+XoM4Hb9zWmHCc9Qdwm1mXx25Dp6oOR97oQS/Sa+pBM+hgf8bgUgWd1GXKOa1c8RW
+AsJH/FmkTTkKMdDTcBk6ICsz+pf5jBZe2q2Gxq8Gh/jsk54Y0KDBkc6rCYnsRz1O
+WmQYc9SVAgMBAAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwkwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU5z6hcBUBqNrycEPvTMiHGsOY
+dD0wHwYDVR0jBBgwFoAULdgUmhbVbf77sODe8fXFIwvTYr4wDQYJKoZIhvcNAQEL
+BQADggEBAHqmxPdEtXJAcLZnvfyExhlkS4QHxj9dw8OWYma1HHAyEiNxLlvXgcng
+YspTVNHHHiErluOa3TdDkBlgdTdQ14aRJqEIT+EDXorU8MvvT7ujvDW/hm2IDDbr
+bd4Cyd1g6sQJpuilBUvm4RV/LpkkAhRhd4dEhngHsoV0q1FbA7IxiPSNSixVjpBo
+u2EhOPQFp4nFxFQvnEFK1gzltj22+plrekuiZtMS7Ofhg+ZaHb2QB0bhvqbMyL6j
+b0/sxQZyy1qjID54G6nrr7j+PzN+SHqo1dfWhuYbHBQMJdp+AGmusGFhwGem1PmO
+5AadPjc6lXs9mS///txyiheLGJJodQY=
+-----END CERTIFICATE-----
diff --git a/tests/ocsp-tests/certs/ocsp-staple-unrelated.der b/tests/ocsp-tests/certs/ocsp-staple-unrelated.der
new file mode 100644
index 0000000..963da0f
--- /dev/null
+++ b/tests/ocsp-tests/certs/ocsp-staple-unrelated.der
Binary files differ
diff --git a/tests/ocsp-tests/certs/ocsp_index.txt b/tests/ocsp-tests/certs/ocsp_index.txt
new file mode 100644
index 0000000..e9e2dd7
--- /dev/null
+++ b/tests/ocsp-tests/certs/ocsp_index.txt
@@ -0,0 +1,2 @@
+R 260329162441Z 160428142441Z 3 unknown CN=localhost
+V 260329162441Z 2 unknown CN=localhost
diff --git a/tests/ocsp-tests/certs/ocsp_index.txt.attr b/tests/ocsp-tests/certs/ocsp_index.txt.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/tests/ocsp-tests/certs/ocsp_index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/tests/ocsp-tests/certs/server_bad.key b/tests/ocsp-tests/certs/server_bad.key
new file mode 100644
index 0000000..814693e
--- /dev/null
+++ b/tests/ocsp-tests/certs/server_bad.key
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEArwu2ueiYin7b177OgSjWY0Et7ypE1gXTuXdgTyu+LH2pYmsb
+HxbAFIDf2OeOs/8z+FK0VqxvcRw2zb3lnsLYD3fgHNj8bZdZssiXy8+um/Mtnec2
+J8tkapdjUVkd7vTsUqardOTRcTwM0SWOgQXirZMSdkU1eoqkzAczxsPJTPVKnqVD
+KhBEcPz/7OR+/ocYmQdAaOdl9m6gJn4lBBr2vCozjx0LyWig7zf5j6CgkZECb7jg
+rANhDE3gD9iHC8CyaVPLuuDkllwIetBTfWGDi0tdHv1mY3K6YuuDsjdUnmOeFrPL
+3i3zvnQEMLAD1f0GeRzUMNTHUOe5bKIAxKW9hlhJat10/VZyuP1Sjm1gdpoJkU4z
+g5HPyr/C7mHHC2ofJZZ68Q4bQ2KXAq45MwPPkq0jEFzPdrDR925CRv+3HO6rw+2+
+atIylvZzzdwXfBuB5bOKpcU68tbjGSq58N3V/72DGSxDdNephGTMAmtmum22T+38
+KSPKiuIWT/bsSefbAgMBAAECggGAHQs6hFo9hS1LWN7F8NRPziQwdPB0f3Z0DN/r
+0PcXFNa81iGjXGMv97bybVDucpszik5escrmqsPdrAGIKfF2XAqt2tt99skYDvwN
+g7mv5RxSQ1Lrv2qV/MGlrwe0WcO1unkBFeIphjpKfiFXJb1OQTKX65vMJcr/UQMY
+6i/uJKDGgtA09rPAR2cTJ8E5+Q19XVbArydF2b+9PuXLSoUWz13JNEPDguWjXk3R
+UK18Nurylor8bE4bOilptfddYOvV5/UNxgy8y0XJq6ZJ/g3FqRsiu5e5C8jXm2t/
+qfJ33rJIAZv8LW0YWPteNw0OSo4DCbtfZQdekiJwz5tS0shhOqKhcFIX2hRwUMhj
+yYBMxota6n5bQcKQBv+jf3URKFMDCThUst3GUZz6GIVb9xqTxavgU/KMXkZPUJ8N
+KA5qYBrTK5lMVTf6iZ/N93yZKVky9rrrJdWmX/wWhPt1hr2Mj1UF/W6oi142SLjy
+z7M8A/LaI2/gsm8sSp64JjDdtabBAoHBAObVHQSgV4SoseW5j0BjAklFHN9MRjOc
+17GgZ4hfIda4bs+RpnDXjREU3kdAFmyg0F3/TLzQZklCAui2NKMvz+XHtbwF9aNP
++fK1eLOKiSRzAlKrAwiNPTKFkIFYNVFthH5pWBzS0be+Va52OoxwnSMmSaBEPzDH
+NF7GKZHI+mEDWE+Vz7MiGpLkDuPj3UzG3KQwhxmy+ZVF2LVENFf+FGjiWSQMpxyx
+q7M5nzq6pVPSbxqLFF+X9J7MScbCajL6sQKBwQDCIYIMsBM2pf2zFTifsH39BsXP
+qpztEmdfDqy6D+dquEH5HTUSt2as6FMyk7oxRmuxxunl5bBtL3X2AR3eDdLP42W0
+sPphUQt2RFpyNu2Sd5pjYXcCxH7IQv16EQqPdxYytBU9jJMnRf+QN7Nl9j4nZrDC
+wZcs2PUO1LDoK20+IKSeYRGMUMC65N9x+/qTGEaF4bRJJSGjkhyWPBAdrMekeTJH
+4h5YRZfzXspzpJ1CSKRt+1zhO6IWM8YcalQTVksCgcA75eUnxCuxosy23dXMUWTQ
+enypfPNihTp7PzJecsEnJKiseBEGiwhx/EZJmtm2ymwHWC4jeLhyHgz/Mfiqt8ds
+ysvfxHQfMqubTXfKrxIzQRzDMtkQqQXOTFZZGfiL7q1I2DEjGZmN4nf9U3SR6M79
+xfuo+Myk7awrQ6SZzdsavXF3BVrmEt1ubHtoq0JLn/a1LFqCUqztDTjUoKQsiSPm
+q4WSEy5yBbCWS0eER9aKz7pA2wIoZBf39O7YAq7oF6ECgcBl5Gx7+Fa9UjZsrnC/
+8ETQb6OXsfcXv5ceH3etWPef3gJSnG/k2Po9OtugKkWJ42pXLw5JKluFk2mYq1Ff
+4WWK09HoGxPvzDf15T6LwCTFwZz5GIj8nOHmfrLIRPWEA39VMYwMeCIsdOMEcRfq
+JmrNB2szbaTJVz6YgC4yTcjS2RNORaiOOzxNXB+jlhwY5J7vWl3kHmcfkWsLt47F
+5JAM1cf8TsSalDyC8nfUZsxbpAEZ8Nr5JPGYMaiD9ZMXay0CgcEAjDWHG31/+Vmd
+L17lUfNCNcyDChlf4cVXA748/HCHM49JuS7NSSxToAzWCaoy5DkUesg0xSHLM0Ko
+HOAiCuQmzFDjOIi4/NSDEYwe02SnFF1trGFLIzta+Ona8VQlDKp6onQ9lxefL8In
+9+6PujFy6/HEKk57Nypd3k1J0LHj0u5QeRHVnSiMq0XioXR/61yxeNURHPzI+wVd
+726pM6NA3e6RFencK5SOgBoUi28RNAE1a3+BiXJGQRD2WxG9DaOG
+-----END RSA PRIVATE KEY-----
diff --git a/tests/ocsp-tests/certs/server_bad.template b/tests/ocsp-tests/certs/server_bad.template
new file mode 100644
index 0000000..0408a97
--- /dev/null
+++ b/tests/ocsp-tests/certs/server_bad.template
@@ -0,0 +1,9 @@
+# static serial so the OCSP DB does not need to be changed
+serial=3
+cn=localhost
+tls_www_server
+signing_key
+encryption_key
+dns_name="localhost"
+activation_date = "2016-03-29 16:21:42"
+expiration_date = "2026-03-29 16:24:41"
diff --git a/tests/ocsp-tests/certs/server_good.key b/tests/ocsp-tests/certs/server_good.key
new file mode 100644
index 0000000..f5e71dd
--- /dev/null
+++ b/tests/ocsp-tests/certs/server_good.key
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5QIBAAKCAYEApKIYxjNSYijlzMBWXLM7BEtKXUFtYpvta/fKgC16wuVW1rCT
+sS6xB10QFjeVtYAnDY3qBSC17xVL7gmhYTJHBW6dBEzq0NBLimWDvy9FnHerwSn1
+q1EUBqFjlTKwEgKsRzI5AOnUf0jHV9FoSNJdyTO9vunEAPMylcqQRIDCnkpSQwh/
+8KAU2iIhaasoOw8uj5RH5w8NAepEY8AV+W2OPJB1vGip+TU+q8MoXjT9lYRK0E7J
+c6iJAGb24ZjvHp3mpJcDhASifrp6E1OxeFfdADulAQ9xj8VLOzi8EmMjOrZritYl
+Iq9ITlyw1ws+bFwG9szLXB6eV38e5Ubbu/VMqGx/XQ90SDgP7MAsorkRoe48i2IQ
++fea9QUGSgOfxAKu/SjehplpsGaARyb1Y5wXxzRnyVrX8dNwP5OojK5mQUaUW76k
+biCbwOM37QDPUgwEgpLkItiNCwcXMdjwxsuXSusAn41u9cDF0+uXr9tUkDLaLcNz
+9OZyNlZJO1ba3ksvAgMBAAECggGBAJRRPISDA/tO4Qh/Vs6Y4dhShCJTqVonI9Qb
+HqIvVuNyfbNYzRXY/L+nhbCeTw9+7q/1ZBlOiNlllExU/MB17SnlpyuSqBGLNiLu
+pax9x/bYkTGqvZqjpqj6iJ6HVbxEEDTr+BLslfY9+OkSzSKd8sQrCwyNyXkZoD72
+iNZOMgcs6cNeSvTbIy4JhZSPD+V1HftYGRb+pjdNeGNtT96wZm4FrywYFtlesKFJ
+ZnrIvpQO5N+Zuz+pXBOyr0Q65WHt2cOxniTrMTlgWiGJvGlRF6s0UMnVJDFd36dD
+OHyCHHkRYxVh5M4wnBnoVjRRPfO7Dr37MdZQuvMgcG3uZ600g2+8UEE6NS1WgsRk
+oANsbyzoZkwNJplmPgJZ9b+Iupkp+ivTebzkxZbMWDaM+jGRZy0EwlNHKxRZubcF
+bsxnfsR8zlzsTTRRFQxsvqjadg0d0SVH2+3+0ksfCIs7qbqDfLNSLKzkW3pQySII
+EOEnNSb4Iwgb/hc7LluBdI5dd9WfEQKBwQDWyuyeepmMR9OqTKXPVB5Xe1yLq3vQ
+HCN5n1Fp6weIpiWAZDHTGWfcQkUOVYm0dILoz0JXYQMV5n09NAN7QxU8SAaK5Skb
+d2QBawny7At4MrpnSowA0cdyuTughLb7Lg2Yb77u1b09w71vXZHaAqIxmZCUMdjW
+7o/PWHbVApmB3XlDpJ3Y2WMIbTKkAWJOgh7IfZXSeJR672yuDJOEfHX3BNcdJQZC
+OmuNB36I3ZJmhxTlPOX9kO0nguLNDpol2GMCgcEAxDeyy7nk2kOZWdxzLfSS0m2E
+/K3uJCzbqj4LBJ8pZFJRO5V8k4pIArz28jTrgt85OtvG14PJQIYIS1V2kRDFXHt3
+qTKZdzoylpplNTSvIIiVFj7TaneT6E+oqYUKKaYOn8wDMOxgflElf352F7/NgYEA
+ZgTrmHm4FdcUQpVRQu3H1Cn4+6oyC5/ZQpxG/WZMbBN6xl5kNMFf4CSw5c98G/ZT
+jeb0cb1MrQ6PYNTr8VVbMQd+nJzoYbPyf5UVg03FAoHAN6rF4ljR3Lps0BEnU/Fw
+H6oYFRavcwMn6ohw2CuSe0bcJ0dQZm6KLVp7fTiMBNnBZ8b3YaAB5bYjtS36zQJY
+yZO9Jlg37CdoIrn0DSJB4rf6+XQnjrrPnxsEqhhbOAP6gAxOBqYccpp9SRSODVtr
+X8F16AJ3OVUArnM18QTIdhDJMc/DHQVSFkf+vOSi7sfoZHuvzal0idvtZbparRZ4
+mDmH6sTCt31ejGFp2Nzb6XiO4M6EqM/btsbEMvLa3n4TAoHBAKpImB8bTZNptOz6
+Vu7b4ItDxnSu0QuN7niY7WDua7KHib3G5lz4VbQin8Dk0jo6VOVSlAa2dPJNH2eZ
+XJNaVZ0D/X3Vzr9cv0hZ51k8RntabN/oV/t+mNq0PvAW6BHq7agaGe7cRIV7EKrL
+adsEdmlcNadTv84MXAiAJjH+eY424wOqBU0Kj/HsoFShYS5KGCp24UbD5fyukPDp
+hqd54AA4TpzIgP0wRhmtmBp1zekbpU8wbN2ngjhAPUQhcpEH7QKBwQDFqimO5IDb
+8DuWT6E5R/4TYttP2BjtaFgcV26UhKsKlcyy31OP7nHOM9jICodEKCVzfw477Dtf
+g8Xp8QUnQ4MM8sTmokMtsKX6yKCGLxeadPV0jw0ASsDH7op0CBH30pcWNVPeEGlC
+b3qfqHMNGDQJyAkGun5mAjAzjWT89eDrwJDfeuxnos5+XlAPz/xIqZaj9TSV0Xjs
+1U/np8oqu50iEXhyLVqG6GqXRkiqJ4W73qRqCYCBu1O3Fuc00/TOPLM=
+-----END RSA PRIVATE KEY-----
diff --git a/tests/ocsp-tests/certs/server_good.template b/tests/ocsp-tests/certs/server_good.template
new file mode 100644
index 0000000..2d02758
--- /dev/null
+++ b/tests/ocsp-tests/certs/server_good.template
@@ -0,0 +1,9 @@
+# static serial so the OCSP DB does not need to be changed
+serial=2
+cn=localhost
+tls_www_server
+signing_key
+encryption_key
+dns_name="localhost"
+activation_date = "2016-03-29 16:21:42"
+expiration_date = "2026-03-29 16:24:41"
diff --git a/tests/ocsp-tests/ocsp-load-chain.sh b/tests/ocsp-tests/ocsp-load-chain.sh
new file mode 100755
index 0000000..33cc020
--- /dev/null
+++ b/tests/ocsp-tests/ocsp-load-chain.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+#set -e
+
+: ${srcdir=.}
+: ${OCSPTOOL=../src/ocsptool${EXEEXT}}
+: ${DIFF=diff}
+
+if ! test -x "${OCSPTOOL}"; then
+ exit 77
+fi
+
+export TZ="UTC"
+
+. "${srcdir}/scripts/common.sh"
+
+skip_if_no_datefudge
+
+datefudge -s "2017-06-19" \
+ "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 1 - Amazon OCSP response verification - failed"
+ exit ${rc}
+fi
+
+datefudge -s "2017-06-19" \
+ "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com-unsorted.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 2 - Amazon OCSP response verification - failed"
+ exit ${rc}
+fi
+
+# verify an OCSP response using ECDSA
+datefudge -s "2017-06-29" \
+ "${OCSPTOOL}" -d 6 -e --load-chain "${srcdir}/ocsp-tests/certs/chain-akamai.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-akamai.com.der"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 3 - Akamai (ECDSA) OCSP response verification - failed"
+ exit ${rc}
+fi
+
+exit 0
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
new file mode 100755
index 0000000..049491a
--- /dev/null
+++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
@@ -0,0 +1,515 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${CERTTOOL=../src/certtool${EXEEXT}}
+: ${OCSPTOOL=../src/ocsptool${EXEEXT}}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+: ${DIFF=diff}
+TEMPLATE_FILE="ms-out.$$.tmpl.tmp"
+SERVER_CERT_FILE="ms-cert.$$.pem.tmp"
+SERVER_CERT_NO_EXT_FILE="ms-cert-no-ext.$$.pem.tmp"
+OCSP_RESPONSE_FILE="ms-resp.$$.tmp"
+OCSP_REQ_FILE="ms-req.$$.tmp"
+
+export TZ="UTC"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -x "${OCSPTOOL}"; then
+ exit 77
+fi
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+skip_if_no_datefudge
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+
+# Port to use for OCSP server, must match the OCSP URI set in the
+# server_*.pem certificates
+eval "${GETPORT}"
+OCSP_PORT=$PORT
+
+# Maximum timeout for server startup (OCSP and TLS)
+SERVER_START_TIMEOUT=10
+
+# Check for OpenSSL
+: ${OPENSSL=openssl}
+if ! ("$OPENSSL" version) > /dev/null 2>&1; then
+ echo "You need openssl to run this test."
+ exit 77
+fi
+
+CERTDATE="2016-04-28"
+TESTDATE="2016-04-29"
+EXP_OCSP_DATE="2016-03-27"
+
+OCSP_PID=""
+TLS_SERVER_PID=""
+stop_servers ()
+{
+ test -z "${OCSP_PID}" || kill "${OCSP_PID}"
+ test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
+ rm -f "$TEMPLATE_FILE"
+ rm -f "$SERVER_CERT_FILE"
+ rm -f "$SERVER_CERT_NO_EXT_FILE"
+ rm -f "$OCSP_RESPONSE_FILE"
+ rm -f "$OCSP_REQ_FILE"
+}
+trap stop_servers 1 15 2 EXIT
+
+echo "=== Generating good server certificate ==="
+
+rm -f "$TEMPLATE_FILE"
+cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE"
+chmod u+w "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+# Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_NO_EXT_FILE}" 2>/dev/null
+
+# Generate certificates with the random port (with mandatory stapling extension)
+echo "tls_feature = 5" >>"$TEMPLATE_FILE"
+
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
+
+echo "=== Bringing OCSP server up ==="
+
+INDEXFILE="ocsp_index.txt"
+ATTRFILE="${INDEXFILE}.attr"
+cp "${srcdir}/ocsp-tests/certs/ocsp_index.txt" ${INDEXFILE}
+cp "${srcdir}/ocsp-tests/certs/ocsp_index.txt.attr" ${ATTRFILE}
+
+# Start OpenSSL OCSP server
+#
+# WARNING: As of version 1.0.2g, OpenSSL OCSP cannot bind the TCP port
+# if started repeatedly in a short time, probably a lack of
+# SO_REUSEADDR usage.
+PORT=${OCSP_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${OPENSSL}" ocsp -index "${INDEXFILE}" -text \
+ -port "${OCSP_PORT}" \
+ -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
+ -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \
+ -CA "${srcdir}/ocsp-tests/certs/ca.pem"
+OCSP_PID="${!}"
+wait_server "${OCSP_PID}"
+
+echo "=== Verifying OCSP server is up ==="
+
+# Port probing (as done in wait_port) makes the OpenSSL OCSP server
+# crash due to the "invalid request", so try proper requests
+t=0
+while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do
+ # Run a test request to make sure the server works
+ datefudge "${TESTDATE}" \
+ ${VALGRIND} "${OCSPTOOL}" --ask \
+ --load-cert "${SERVER_CERT_FILE}" \
+ --load-issuer "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --outfile "${OCSP_RESPONSE_FILE}"
+ rc=$?
+ if test "${rc}" = "0"; then
+ break
+ else
+ t=`expr ${t} + 1`
+ sleep 1
+ fi
+done
+# Fail if the final OCSP request failed
+if test "${rc}" != "0"; then
+ echo "OCSP server check failed."
+ exit ${rc}
+fi
+
+#echo "placed staple in ${OCSP_RESPONSE_FILE}"
+
+echo "=== Test 1: Server with valid certificate - no staple ==="
+
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}"
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "1"; then
+ echo "Connecting to server with valid certificate and no staple succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 2: Server with valid certificate - valid staple ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and valid staple failed"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 3: Server with valid certificate - invalid staple ==="
+
+head -c 64 /dev/urandom >"${OCSP_RESPONSE_FILE}"
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "1"; then
+ echo "Connecting to server with valid certificate and invalid staple succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 4: Server with valid certificate - unrelated cert staple ==="
+
+rm -f "${OCSP_RESPONSE_FILE}"
+cp "${srcdir}/ocsp-tests/certs/ocsp-staple-unrelated.der" "${OCSP_RESPONSE_FILE}"
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "1"; then
+ echo "Connecting to server with valid certificate and invalid staple succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+
+echo "=== Test 5: Server with valid certificate - expired staple ==="
+
+rm -f "${OCSP_RESPONSE_FILE}"
+
+# Generate an OCSP response which expires in 2 days and use it after
+# a month. gnutls server doesn't send such a staple to clients.
+${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}"
+datefudge -s ${EXP_OCSP_DATE} \
+ ${OPENSSL} ocsp -index "${INDEXFILE}" -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}" -ndays 2
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+
+: ${TIMEOUT=timeout}
+if ("$TIMEOUT" --version) >/dev/null 2>&1; then
+${TIMEOUT} 30 "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}"
+if test $? != 1;then
+ echo "Running gnutls-serv with an expired response, succeeds!"
+ exit ${rc}
+fi
+fi
+
+echo "=== Test 5.1: Server with valid certificate - expired staple (ignoring errors) ==="
+
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ignore-ocsp-response-errors \
+ --ocsp-response="${OCSP_RESPONSE_FILE}"
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "1"; then
+ echo "Connecting to server with valid certificate and expired staple succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 6: Server with valid certificate - old staple ==="
+
+# This case is funny. OCSP doesn't mandate an expiration date for a response so
+# we are left to decide what to do with responses that don't contain the NextUpdate
+# field. Here we test whether a month-old response with no clear expiration is rejected.
+
+rm -f "${OCSP_RESPONSE_FILE}"
+
+${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}"
+datefudge -s ${EXP_OCSP_DATE} \
+ ${OPENSSL} ocsp -index ${INDEXFILE} -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}"
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "1"; then
+ echo "Connecting to server with valid certificate and old staple succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 9: OSCP response error - client sends status_request, TLS feature extension present ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response unexpectedly succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+
+kill ${OCSP_PID}
+wait ${OCSP_PID}
+unset OCSP_PID
+
+rm -f "${OCSP_RESPONSE_FILE}"
+rm -f "${OCSP_REQ_FILE}"
+rm -f "${SERVER_CERT_FILE}"
+rm -f "${TEMPLATE_FILE}"
+rm -f "${INDEXFILE}" "${ATTRFILE}"
+
+exit 0
diff --git a/tests/ocsp-tests/ocsp-signer-verify.sh b/tests/ocsp-tests/ocsp-signer-verify.sh
new file mode 100755
index 0000000..ce815ce
--- /dev/null
+++ b/tests/ocsp-tests/ocsp-signer-verify.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+# Copyright (C) 2021 Fiona Klute
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+: ${srcdir=.}
+: ${OCSPTOOL=../src/ocsptool${EXEEXT}}
+: ${DIFF=diff}
+
+if ! test -x "${OCSPTOOL}"; then
+ exit 77
+fi
+
+export TZ="UTC"
+
+. "${srcdir}/scripts/common.sh"
+
+skip_if_no_datefudge
+
+date="2021-07-14 00:00"
+sample_dir="${srcdir}/ocsp-tests/signer-verify"
+trusted="${sample_dir}/trust.pem"
+
+verify_response ()
+{
+ echo "verifying ${sample_dir}/${1} using ${trusted}"
+ datefudge --static "${date}" \
+ "${OCSPTOOL}" --infile="${sample_dir}/${1}" \
+ --verify-response --load-trust="${trusted}"
+ return $?
+}
+
+if ! verify_response response-ca.der; then
+ echo "verification of OCSP response signature by CA failed"
+ exit 1
+fi
+
+if ! verify_response response-delegated.der; then
+ echo "verification of OCSP response signature by delegated signer failed"
+ exit 1
+fi
+
+if verify_response response-non-delegated.der; then
+ echo "verification of OCSP response signature by non-signer certificate " \
+ "from the same CA succeeded, but should have failed"
+ exit 1
+fi
diff --git a/tests/ocsp-tests/ocsp-test.sh b/tests/ocsp-tests/ocsp-test.sh
new file mode 100755
index 0000000..cfb3033
--- /dev/null
+++ b/tests/ocsp-tests/ocsp-test.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+: ${srcdir=.}
+: ${OCSPTOOL=../src/ocsptool${EXEEXT}}
+: ${DIFF=diff}
+
+if ! test -x "${OCSPTOOL}"; then
+ exit 77
+fi
+
+export TZ="UTC"
+
+. "${srcdir}/scripts/common.sh"
+
+skip_if_no_datefudge
+
+# Note that in rare cases this test may fail because the
+# time set using datefudge could have changed since the generation
+# (if example the system was busy)
+
+datefudge -s "2016-04-22" \
+ "${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ca.pem" --infile "${srcdir}/ocsp-tests/response1.der"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 1 - OCSP signed by CA - failed"
+ exit ${rc}
+fi
+
+datefudge -s "2016-04-22" \
+ "${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --infile "${srcdir}/ocsp-tests/response2.der"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 2 - OCSP signed by delegated cert - failed"
+ exit ${rc}
+fi
+
+datefudge -s "2016-04-22" \
+ "${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ca.pem" --infile "${srcdir}/ocsp-tests/response2.der" -d 4
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 3 - OCSP signed by delegated cert - failed"
+ exit ${rc}
+fi
+
+
+exit 0
diff --git a/tests/ocsp-tests/ocsp-tls-connection.sh b/tests/ocsp-tests/ocsp-tls-connection.sh
new file mode 100755
index 0000000..84eda22
--- /dev/null
+++ b/tests/ocsp-tests/ocsp-tls-connection.sh
@@ -0,0 +1,231 @@
+#!/bin/sh
+
+# Test case: Try to establish TLS connections with gnutls-cli and
+# check the validity of the server certificate via OCSP
+#
+# Copyright (C) 2016 Thomas Klute
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${CERTTOOL=../src/certtool${EXEEXT}}
+: ${OCSPTOOL=../src/ocsptool${EXEEXT}}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+: ${DIFF=diff}
+TEMPLATE_FILE="out.$$.tmpl.tmp"
+SERVER_CERT_FILE="cert.$$.pem.tmp"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -x "${OCSPTOOL}"; then
+ exit 77
+fi
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+export TZ="UTC"
+
+. "${srcdir}/scripts/common.sh"
+
+skip_if_no_datefudge
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+
+# Port to use for OCSP server, must match the OCSP URI set in the
+# server_*.pem certificates
+eval "${GETPORT}"
+OCSP_PORT=$PORT
+
+# Maximum timeout for server startup (OCSP and TLS)
+SERVER_START_TIMEOUT=10
+
+# Check for OpenSSL
+: ${OPENSSL=openssl}
+if ! ("$OPENSSL" version) > /dev/null 2>&1; then
+ echo "You need openssl to run this test."
+ exit 77
+fi
+
+CERTDATE="2016-04-28"
+TESTDATE="2016-04-29"
+
+OCSP_PID=""
+TLS_SERVER_PID=""
+stop_servers ()
+{
+ test -z "${OCSP_PID}" || kill "${OCSP_PID}"
+ test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
+ rm -f "$TEMPLATE_FILE"
+ rm -f "$SERVER_CERT_FILE"
+}
+trap stop_servers 1 15 2 EXIT
+
+echo "=== Generating good server certificate ==="
+
+rm -f "$TEMPLATE_FILE"
+cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE"
+chmod u+w "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+# Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
+
+echo "=== Bringing OCSP server up ==="
+
+# Start OpenSSL OCSP server
+#
+# WARNING: As of version 1.0.2g, OpenSSL OCSP cannot bind the TCP port
+# if started repeatedly in a short time, probably a lack of
+# SO_REUSEADDR usage.
+PORT=${OCSP_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${OPENSSL}" ocsp -index "${srcdir}/ocsp-tests/certs/ocsp_index.txt" -text \
+ -port "${OCSP_PORT}" \
+ -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
+ -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \
+ -CA "${srcdir}/ocsp-tests/certs/ca.pem"
+OCSP_PID="${!}"
+wait_server "${OCSP_PID}"
+
+echo "=== Verifying OCSP server is up ==="
+
+# Port probing (as done in wait_port) makes the OpenSSL OCSP server
+# crash due to the "invalid request", so try proper requests
+t=0
+while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do
+ # Run a test request to make sure the server works
+ datefudge "${TESTDATE}" \
+ ${VALGRIND} "${OCSPTOOL}" --ask \
+ --load-cert "${SERVER_CERT_FILE}" \
+ --load-issuer "${srcdir}/ocsp-tests/certs/ca.pem"
+ rc=$?
+ if test "${rc}" = "0"; then
+ break
+ else
+ t=`expr ${t} + 1`
+ sleep 1
+ fi
+done
+# Fail if the final OCSP request failed
+if test "${rc}" != "0"; then
+ echo "OCSP server check failed."
+ exit ${rc}
+fi
+
+echo "=== Test 1: Server with valid certificate ==="
+
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}"
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate failed."
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Generating bad server certificate ==="
+
+rm -f "${SERVER_CERT_FILE}"
+rm -f "${TEMPLATE_FILE}"
+cp "${srcdir}/ocsp-tests/certs/server_bad.template" "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+# Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}"
+
+echo "=== Test 2: Server with revoked certificate ==="
+
+eval "${GETPORT}"
+TLS_SERVER_PORT=$PORT
+
+launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}"
+TLS_SERVER_PID="${!}"
+wait_server ${TLS_SERVER_PID}
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+# This connection should not work because the certificate has been
+# revoked.
+if test "${rc}" = "0"; then
+ echo "Connecting to server with revoked certificate succeeded."
+ exit 1
+fi
+
+kill ${OCSP_PID}
+wait ${OCSP_PID}
+unset OCSP_PID
+
+rm -f "${SERVER_CERT_FILE}"
+rm -f "${TEMPLATE_FILE}"
+
+exit 0
diff --git a/tests/ocsp-tests/ocsptool.sh b/tests/ocsp-tests/ocsptool.sh
new file mode 100755
index 0000000..b10013e
--- /dev/null
+++ b/tests/ocsp-tests/ocsptool.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+#set -e
+
+# Sanity check program for various ocsptool options
+
+: ${srcdir=.}
+: ${OCSPTOOL=../src/ocsptool${EXEEXT}}
+: ${DIFF=diff}
+: ${CMP=cmp}
+TMPFILE=ocsp.$$.tmp
+
+if ! test -x "${OCSPTOOL}"; then
+ exit 77
+fi
+
+export TZ="UTC"
+
+"${OCSPTOOL}" -j --infile "${srcdir}/ocsp-tests/response1.pem" --outfile "${TMPFILE}"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 1 - PEM loading failed"
+ exit ${rc}
+fi
+
+${CMP} "${srcdir}/ocsp-tests/response1.der" "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+if test "${rc}" != "0"; then
+ echo "Test 1 - Comparison of DER file failed"
+ exit ${rc}
+fi
+
+"${OCSPTOOL}" -j --outpem --infile "${srcdir}/ocsp-tests/response1.pem" --outfile "${TMPFILE}"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 2 - PEM loading failed"
+ exit ${rc}
+fi
+
+${DIFF} -B "${srcdir}/ocsp-tests/response1.pem" "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+if test "${rc}" != "0"; then
+ echo "Test 2 - Comparison of PEM file failed $TMPFILE"
+ exit ${rc}
+fi
+
+
+"${OCSPTOOL}" -j --infile "${srcdir}/ocsp-tests/response1.der"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 3 - Transparent (backwards compatible) DER loading failed"
+ exit ${rc}
+fi
+
+"${OCSPTOOL}" -j --inder --infile "${srcdir}/ocsp-tests/response1.der"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 4 - DER loading failed"
+ exit ${rc}
+fi
+
+rm -f "${TMPFILE}"
+
+exit 0
diff --git a/tests/ocsp-tests/response1.der b/tests/ocsp-tests/response1.der
new file mode 100644
index 0000000..f632b4a
--- /dev/null
+++ b/tests/ocsp-tests/response1.der
Binary files differ
diff --git a/tests/ocsp-tests/response1.pem b/tests/ocsp-tests/response1.pem
new file mode 100644
index 0000000..66adfe3
--- /dev/null
+++ b/tests/ocsp-tests/response1.pem
@@ -0,0 +1,45 @@
+OCSP Response Information:
+ Response Status: Successful
+ Response Type: Basic OCSP Response
+ Version: 1
+ Responder ID: CN=Testing Authority
+ Produced At: Wed Mar 23 21:55:28 UTC 2016
+ Responses:
+ Certificate ID:
+ Hash Algorithm: SHA1
+ Issuer Name Hash: bac68790352ceb4c4de1534445348f8b4b5309b3
+ Issuer Key Hash: e865fcb9123c7285fc28c803149f06ad94dfd934
+ Serial Number: 56f304a1326dc9b2d51b31b3
+ Certificate Status: unknown
+ This Update: Wed Mar 23 21:55:28 UTC 2016
+ Extensions:
+ Signature Algorithm: RSA-SHA256
+
+-----BEGIN OCSP RESPONSE-----
+MIIEwAoBAKCCBLkwggS1BgkrBgEFBQcwAQEEggSmMIIEojCBj6EeMBwxGjAYBgNV
+BAMTEVRlc3RpbmcgQXV0aG9yaXR5GA8yMDE2MDMyMzIxNTUyOFowXDBaMEUwCQYF
+Kw4DAhoFAAQUusaHkDUs60xN4VNERTSPi0tTCbMEFOhl/LkSPHKF/CjIAxSfBq2U
+39k0AgxW8wShMm3JstUbMbOCABgPMjAxNjAzMjMyMTU1MjhaMA0GCSqGSIb3DQEB
+CwUAA4IBAQBKkt+j9Rd5Pjq67WsiWIc9rVjxA0vdiZahZUAYlCCauKpLN+FxSsda
+uCUzYmotc4Jq4Erbmpl0pfvR5Y3nFArCQuKiLayOKk5NevUgnVMLbcaojrtwfPl/
+puf8zPFGOo+Ue2SQH+H8YX3wmQqeMEIblF2GonPVWm8pY+Gjx9ElBjUMCqAoCtig
+CWcS9BbOm1BON0IEOsCb9gJ+VtRrLxpaOzLsc0lZGip74IuqHEyb6foA/bME8Ydy
+T8v28oA9pfMdW0xoB/drpeq+lJfO3Hiu7QmHC56zRNyWNv3ovU9R87cEGEM2QD7o
+/23eXMmoFODYx7Y5B6UOmiD34ufq7UaRoIIC+DCCAvQwggLwMIIB2KADAgECAghW
+8wrgLlKayzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDExFUZXN0aW5nIEF1dGhv
+cml0eTAiGA8yMDE2MDMyMzIxMzAxNVoYDzk5OTkxMjMxMjM1OTU5WjAcMRowGAYD
+VQQDExFUZXN0aW5nIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKBV6T5EMSijMfx/e9MkasHxLi5VDv4gYb5Y/nuxilR1CpCRg6Twnqpu
+/tmkj9XU23ewZuIxjb+ePdOH7AmiFZKYxZpo6+x1h6GCBqBpjniWN1ygt/mLs6jA
+pJAlGOfgrjgFWzg8hwsgnN6T5gn3nFS7CLhFkJRav6DvgGcfRnSGQv9O/eGZDUAI
+UGPou0lRpiON77UzDRmvENke6+60LBygJZD470YiQHbU6WZERQHEq1JCbh3iXB1S
+uCRqe3R075I/u/+zOkDygDmVCPQYqoHJ+3AnfXpjsnTTjoMuqYXe0QVyCgzAeFga
+tyXUuxSvPq8rVTVYvb6+AOXBVTDidp0CAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQULdgUmhbVbf77sODe8fXFIwvTYr4wDQYJKoZIhvcNAQELBQAD
+ggEBAGGF8as/0Ew1prrQKOKSbVB3nrILF7D9fOxKIEUEOprtYGgjvvfkqG7xDQRP
+SvIiVy3X0wZQpzytCgvkjXeQ8QsIIMnrYpjy6iRCRkDlti3iUqx6zo7B7iYaEIdK
+Ky6uCn5z/RPti5WJIeqvg3WqTNeOXjWIK3ac6cROqUcUlLxy1AukNRYuvpVszQu9
+FDs9ecdA5aOvBvb0WlVjbEU37EVuoveayBpgP0c2I7xu2zAkobNdn7JYNOGJx4x9
+8WMlcCP0ZU7O0wwk9y/U/FxARqfFIzDC2JanTi2LxyHdQw8iWAvaBksb7vLdMnn2
+9prXtfKhcCXLVECxSJuI1swHETA=
+-----END OCSP RESPONSE-----
diff --git a/tests/ocsp-tests/response2.der b/tests/ocsp-tests/response2.der
new file mode 100644
index 0000000..ee428bd
--- /dev/null
+++ b/tests/ocsp-tests/response2.der
Binary files differ
diff --git a/tests/ocsp-tests/response2.pem b/tests/ocsp-tests/response2.pem
new file mode 100644
index 0000000..1ca75c3
--- /dev/null
+++ b/tests/ocsp-tests/response2.pem
@@ -0,0 +1,47 @@
+OCSP Response Information:
+ Response Status: Successful
+ Response Type: Basic OCSP Response
+ Version: 1
+ Responder ID: CN=Testing Authority OCSP Responder
+ Produced At: Wed Mar 23 22:31:19 UTC 2016
+ Responses:
+ Certificate ID:
+ Hash Algorithm: SHA1
+ Issuer Name Hash: bac68790352ceb4c4de1534445348f8b4b5309b3
+ Issuer Key Hash: e865fcb9123c7285fc28c803149f06ad94dfd934
+ Serial Number: 56f318d612de99176ccaa1e0
+ Certificate Status: unknown
+ This Update: Wed Mar 23 22:31:19 UTC 2016
+ Extensions:
+ Signature Algorithm: RSA-SHA256
+
+-----BEGIN OCSP RESPONSE-----
+MIIFIgoBAKCCBRswggUXBgkrBgEFBQcwAQEEggUIMIIFBDCBnqEtMCsxKTAnBgNV
+BAMTIFRlc3RpbmcgQXV0aG9yaXR5IE9DU1AgUmVzcG9uZGVyGA8yMDE2MDMyMzIy
+MzExOVowXDBaMEUwCQYFKw4DAhoFAAQUusaHkDUs60xN4VNERTSPi0tTCbMEFOhl
+/LkSPHKF/CjIAxSfBq2U39k0AgxW8xjWEt6ZF2zKoeCCABgPMjAxNjAzMjMyMjMx
+MTlaMA0GCSqGSIb3DQEBCwUAA4IBAQAuMHdyI3qMEyU4v60vCsLQqZkbA7x7lh4X
+detCl+Woe0WJoDUKZV8C78Ns9fhMY03tZLH2xGKtS8+C9r7Chi7r5SQUA9XyVaH1
+0L+McNed42kHtxvqNXNjZJHAZtY6NJ7IhocF97tPT/MZT+aCwNVh3DXCAo17b9bO
+eKtwM4OwGJhtm4THGS2iyKlytll2yQM52bX/cp1yDensz8zcV1GxCwD2yGEI/iD3
+L/g/IzeY9B3RKZ1uZ21K8VU9aSBygpcbV7Ii9yb+zx21sL2PJCYTHUCsSyzJcWId
+csrp8G2fdZfYEI6fJ/1GLUbSfVkbFWmEuvxNdN64vrYF3Vj2EU8qoIIDSzCCA0cw
+ggNDMIICK6ADAgECAgxW8xjWEt6ZF2zKoeAwDQYJKoZIhvcNAQELBQAwHDEaMBgG
+A1UEAxMRVGVzdGluZyBBdXRob3JpdHkwHhcNMTYwMzIzMjIyOTQyWhcNMTcwMzIz
+MjIyOTQyWjArMSkwJwYDVQQDEyBUZXN0aW5nIEF1dGhvcml0eSBPQ1NQIFJlc3Bv
+bmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMCZAoNYiVu4fTs
+bfCE3EU4bl7rJCuMqZKBEVHZ40TPbVw/0bISFns+7rK5lazTYvvSuTJ1dCZHmnwW
+r9/Jk54XLrieZyVh9fPP6wged3H+rC8jeBAYqgzjLjp59RF2FjcPtj6btfsHLbHv
+CNjGeOhdl6Twx0/MMYAEvrXa2RlAc/1bFD6TbSBOzHrNgpQGDEU/zjOvsSJVLfde
+gzgdv3NaYcJz1B3CbWZfHbkOnqg5H3uhBL9Jr6kEz6GB/xuBSBZ3UZco5rVzxFYC
+wkf8WaRNOQox0NNwGTogKzP6l/mMFl7arYbGrwaH+OyTnhjQoMGRzqsJiexHPU5a
+ZBhz1JUCAwEAAaN2MHQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcD
+CTAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBTnPqFwFQGo2vJwQ+9MyIcaw5h0
+PTAfBgNVHSMEGDAWgBQt2BSaFtVt/vuw4N7x9cUjC9NivjANBgkqhkiG9w0BAQsF
+AAOCAQEAeqbE90S1ckBwtme9/ITGGWRLhAfGP13Dw5ZiZrUccDISI3EuW9eByeBi
+ylNU0cceISuW45rdN0OQGWB1N1DXhpEmoQhP4QNeitTwy+9Pu6O8Nb+GbYgMNutt
+3gLJ3WDqxAmm6KUFS+bhFX8umSQCFGF3h0SGeAeyhXSrUVsDsjGI9I1KLFWOkGi7
+YSE49AWnicXEVC+cQUrWDOW2Pbb6mWt6S6Jm0xLs5+GD5lodvZAHRuG+pszIvqNv
+T+zFBnLLWqMgPngbqeuvuP4/M35IeqjV19aG5hscFAwl2n4Aaa6wYWHAZ6bU+Y7k
+Bp0+NzqVez2ZL//+3HKKF4sYkmh1Bg==
+-----END OCSP RESPONSE-----
diff --git a/tests/ocsp-tests/response3.der b/tests/ocsp-tests/response3.der
new file mode 100644
index 0000000..39e09cf
--- /dev/null
+++ b/tests/ocsp-tests/response3.der
@@ -0,0 +1,2 @@
+0
+ \ No newline at end of file
diff --git a/tests/ocsp-tests/signer-verify/response-ca.der b/tests/ocsp-tests/signer-verify/response-ca.der
new file mode 100644
index 0000000..6052421
--- /dev/null
+++ b/tests/ocsp-tests/signer-verify/response-ca.der
Binary files differ
diff --git a/tests/ocsp-tests/signer-verify/response-delegated.der b/tests/ocsp-tests/signer-verify/response-delegated.der
new file mode 100644
index 0000000..717edfd
--- /dev/null
+++ b/tests/ocsp-tests/signer-verify/response-delegated.der
Binary files differ
diff --git a/tests/ocsp-tests/signer-verify/response-non-delegated.der b/tests/ocsp-tests/signer-verify/response-non-delegated.der
new file mode 100644
index 0000000..02574d5
--- /dev/null
+++ b/tests/ocsp-tests/signer-verify/response-non-delegated.der
Binary files differ
diff --git a/tests/ocsp-tests/signer-verify/trust.pem b/tests/ocsp-tests/signer-verify/trust.pem
new file mode 100644
index 0000000..941a18a
--- /dev/null
+++ b/tests/ocsp-tests/signer-verify/trust.pem
@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIEVDCCArygAwIBAgIEL5gfejANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDExFU
+ZXN0aW5nIEF1dGhvcml0eTAeFw0yMTA3MTExNjAxNTFaFw0yMjA3MTExNjAxNTFa
+MBExDzANBgNVBAMTBlN1YiBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC
+ggGBAM2sgcNoA0aadfC4CrZYsJyxYU+2o+Ai8YgadLhjQHwVhs6O4oXV5HEcgXrr
+t0RLXY1bMnfXESeXMsawAo84D4tFY1WXXwBo6DqwpR886lHtxE8DJeahR6lejt/b
+4Pv6i85gDLwVWfPIfvEDo1YBimPWYokRGNdrX087qkVMhiylESH/+E4X4ucEAN2m
+bHBuYpw3DtEVZkZFABHBgp+2cj28JX5vDYv4yDbXBe+PlgMQTjpOMJOL5KyEmBh0
+BEqFpWltQvKZSiJEyIxB/SlVCu0RFqDyJDCvmuxZeYVadtna0BZ8mWyE/UCTnntc
+/vgcoLVl70rldLqxtM8gauIbnFseUoKO7azsOGvHzpJHep3H45JjaKUzfmGxlkIg
+mjzxRUVo6y4B2EzW2uuq/KRUH5E6nz7EXAXLpZorPWM1SO2Wvtj1agcY2B1q3/sb
+ytmpAslcA24uhbjliQtv2luloGW9MumbIGMdM9TK3QCi1FmpC/xgLM7x+HY05JMm
++T3mHwIDAQABo4GoMIGlMA8GA1UdEwEB/wQFMAMBAf8wQQYIKwYBBQUHAQEENTAz
+MDEGCCsGAQUFBzABhiVodHRwOi8vbG9jYWxob3N0Ojk5MzYvb2NzcC9hdXRob3Jp
+dHkvMA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFGzMZrzodsQyo/WdQc9poCPB
+rR5EMB8GA1UdIwQYMBaAFKNgxYBNWRk9dHE+PBe9koa4tpMpMA0GCSqGSIb3DQEB
+CwUAA4IBgQBYPjCSqo7DuIE8t9/yh0wqOcLXXpM03fxFLeTGZIA+qodW4BN7R1GD
+a+CmjXhBZe/hV4h6toENXbLwGZe0rMF8VoV9+YdH8Dc3qW6Xzz5qWbliqi48pi1x
+fMPlJFFCd7+Upob4L0OmB+iAk5iLtlSdNivAVelgTX9jqb6d0hSySoaoxfKcqD6L
+VhoIc7sjBAFUtRAg9fpqQEVCCoY+uV+Fkf45/i9kyj3uwHiSmdQ8PgggkUr2+KU5
+1O4UJiE/Z/N+7qBBCnrhSqpe3U+pI/2R9OWG4b8+hy3AQBx/3PRmVsSeY64MZm+1
+CKNvNYRhH+EyyFIBxszqJQz9oZSK9/LKkXZNEcJN6p7BNWRxunerzlrexVtFyaX9
+sTCBvJWnioAYRTzuo0sv6BA1jCTUfLp/iKeSwxBftlAGu65c3kynLowITWLCgSiX
+N1CZjBW3wLyLs+66Ab4YapdlPka/Ru0ws6v3968iCgixNF3Dtu0nuEe2iYfCrdx2
+1qtUEwQRpJ4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID9jCCAl6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDExFUZXN0
+aW5nIEF1dGhvcml0eTAeFw0yMTA3MTExNTQxMzBaFw0yMjA3MTExNTQxMzBaMBwx
+GjAYBgNVBAMTEVRlc3RpbmcgQXV0aG9yaXR5MIIBojANBgkqhkiG9w0BAQEFAAOC
+AY8AMIIBigKCAYEAvws8rQionbM4c8Cy8nYa9CHay+CFvTTLVw9EO0Kczqaq4PAG
+uP+72DF4qmoWemNZslV5609K/MMumVzjyBT/b1kn1i8RAH4STKZMpswA2wouLLd0
+QhUYlxvbD+9Fe7LXk9U+kdO6V+lpYQVW0F8uB1zYRIOpuQ11DWXllcDexHHJrTsj
+NOeOI3Bicr2QuB1KhOlZHH7sC8eDtTzsT9TLP8ftzEynSeF0MbMobv6IB9xC405V
+mD4Zlpmw8Zggu+exOhGNbmlMgvfvfYqRJOjO5JDEEuzgAeOvlqay35VwaVJDdXMF
+0Rn+C5n8Hfaz1Eq1qkPo8C13YI2na7ZzhjWP//8H1gJUgkD2ajcR2mD8g2KSx3zw
+GQMmLgqTERB6qoR0D+uLfPC7qSA/eIN5PdYGHDRwybKuiQLR2Q2Uh2kvmMk3LoDb
+dMLbdKdQTB9aKKsy7lM0NItrXERleu4Ty/rJUVR2miYUqWFHuuNzXLMtVihFgmSb
+/G+eSzqzRxauXfzjAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/
+BAUDAwcGADAdBgNVHQ4EFgQUo2DFgE1ZGT10cT48F72Shri2kykwDQYJKoZIhvcN
+AQELBQADggGBAKqI+hv9mMV/4cGN6XHt5p6ks1j5j6Q5uH8cahQhyIvwc54F3d6q
+Arkit25QhGs8IOriAO/BRTMCDv6hKQNgNN/3Lux1NPX9LBddku5S1NtfOF9Lqss4
+E5TYcZxPzY0QxdGeMa0TH5eq+9CNayXqo95n5ixx9NCnMHROAtgOfUr4j3AGfBdz
+4C16x35+kB0EO/N4ieCZo84ArF3IpOKd6RLLbI6Y5GygxMn29BLLQWWYsckW67j2
+iQFvlSE67p+lJ3WDQHJ6acgIb1ZNiEAwC5y6za7XPbwhJ02HL+jbL8q4DpNwtd0r
+PGU/xMB7C5Sx9DryoWQk9pLelIpLgnDSUfHUuxunpFf5b2QIB/6JKA/f2dNjZY/w
+ma/HoS3nN6Poi+tO628GbBh07JTzbL0hTpRCIde5XbbuHyKdS//KERswCXYe0AGB
+gL2IE87/6/+Ax+e78O62evlyHpuOQ82PR8qN0sldpANPG2Ko/KUT7W1hlo4wBLrn
+1kb6HIISAJS1pQ==
+-----END CERTIFICATE-----
diff --git a/tests/ocsp-tests/suppressions.valgrind b/tests/ocsp-tests/suppressions.valgrind
new file mode 100644
index 0000000..64c3db6
--- /dev/null
+++ b/tests/ocsp-tests/suppressions.valgrind
@@ -0,0 +1,8 @@
+{
+ ld-uncond-jump
+ Memcheck:Cond
+ fun:index
+ fun:expand_dynamic_string_token
+ fun:fillin_rpath
+ ...
+}