Commit 121738d1 authored by David von Oheimb's avatar David von Oheimb Committed by Rich Salz
Browse files

Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL 

Now the certs arg is not any more neglected when building the signer cert chain.
Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy.

See also http://rt.openssl.org/Ticket/Display.html?id=4620



Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4124)
parent e0584e96

crypto/ocsp/ocsp_vfy.c

+2 −0
Original line number Diff line number Diff line
@@ -73,6 +73,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 
                    goto f_err;

                }

            }

        } else if (certs != NULL) {

            untrusted = certs;

        } else {

            untrusted = bs->certs;

        }

test/ocsp-tests/ND1_Cross_Root.pem

0 → 100644
+25 −0
Original line number Diff line number Diff line 
-----BEGIN CERTIFICATE-----

MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU

MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs

IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290

MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux

FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h

bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v

dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt

H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9

uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX

mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX

a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN

E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0

WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD

VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0

Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU

cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx

IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN

AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH

YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5

6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC

Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX

c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a

mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=

-----END CERTIFICATE-----

test/ocsp-tests/ND1_Issuer_ICA-Cross.pem

0 → 100644
+58 −0
Original line number Diff line number Diff line 
-----BEGIN CERTIFICATE-----

MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB

gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G

A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV

BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw

MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl

YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P

RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp

b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC

ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi

7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK

HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy

hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS

b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f

BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY

5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq

fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1

MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv

bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v

Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm

MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU

cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv

Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9

P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40

TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj

hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs

tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl

9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIE8TCCA9mgAwIBAgIQbyXcFa/fXqMIVgw7ek/H+DANBgkqhkiG9w0BAQUFADBv

MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk

ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF

eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow

gYExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO

BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMScwJQYD

VQQDEx5DT01PRE8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3

DQEBAQUAA4IBDwAwggEKAoIBAQDQQIuLcuORG/dRwRtUBJjTqb/B5opdO4f7u4jO

DeMvPwaW8KIpUJmu2zuhV7B0UXHN7UKRTUH+qcjYaoZ3RLtZZpdQXrTULHBEz9o3

lUJpPDDEcbNS8CFNodi6OXwcnqMknfKDFpiqFnxDmxVbt640kf7UYiYYRpo/68H5

8ZBX66x6DYvbcjBqZtXgRqNw3GjZ/wRIiXfeten7Z21B6bw5vTLZYgLxsag9bjec

4i/i06Imi8a4VUOI4SM+pdIkOWpHqwDUobOpJf4NP6cdutNRwQuk2qw471VQJAVl

RpM0Ty2NrcbUIRnSjsoFYXEHc0flihkSvQRNzk6cpUisuyb3AgMBAAGjggF0MIIB

cDAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUC1jl

i8ZMFTekQKkwqSG+RzZaVv8wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB

Af8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9j

cmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYI

KwYBBQUHAQEEgaYwgaMwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0

LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0

cDovL2NydC51c2VydHJ1c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsG

AQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUA

A4IBAQAHYJOZqs7Q00fQNzPeP2S35S6jJQzVMx0Njav2fkZ7WQaS44LE5/X289kF

z0k0LTdf9CXH8PtrI3fx8UDXTLtJRTHdAChntylMdagfeTHJNjcPyjVPjPF+3vxG

q79om3AjMC63xVx7ivsYE3lLkkKM3CyrbCK3KFOzGkrOG/soDrc6pNoN90AyT99v

uwFQ/IfTdtn8+7aEA8rJNhj33Wzbu7qBHKat/ij5z7micV0ZBepKRtxzQe+JlEKx

Q4hvNRevHmCDrHqMEHufyfaDbZ76iO4+3e6esL/garnQnweyCROa9aTlyFt5p0c1

M2jlVZ6qW8swC53HD79oRIGXi1FK

-----END CERTIFICATE-----

test/recipes/80-test_ocsp.t

+62 −56
Original line number Diff line number Diff line
@@ -29,6 +29,10 @@ sub test_ocsp { 
    my $title = shift;

    my $inputfile = shift;

    my $CAfile = shift;

    my $untrusted = shift;

    if ($untrusted eq "") {

        $untrusted = $CAfile;

    }

    my $expected_exit = shift;



    run(app(["openssl", "base64", "-d",
@@ -38,7 +42,7 @@ sub test_ocsp { 
         sub { ok(run(app(["openssl", "ocsp", "-respin", "ocsp-resp-fff.dat",

                           "-partial_chain", @check_time,

                           "-CAfile", catfile($ocspdir, $CAfile),

                           "-verify_other", catfile($ocspdir, $CAfile),

                           "-verify_other", catfile($ocspdir, $untrusted),

                           "-no-CApath"])),

                  $title); });

    unlink "ocsp-resp-fff.dat";
@@ -47,144 +51,146 @@ sub test_ocsp { 
plan tests => 10;



subtest "=== VALID OCSP RESPONSES ===" => sub {

    plan tests => 6;

    plan tests => 7;



    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "ND1.ors", "ND1_Issuer_ICA.pem", 0);

	      "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "ND2.ors", "ND2_Issuer_Root.pem", 0);

	      "ND2.ors", "ND2_Issuer_Root.pem", "", 0);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "ND3.ors", "ND3_Issuer_Root.pem", 0);

	      "ND3.ors", "ND3_Issuer_Root.pem", "", 0);

    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",

	      "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "D1.ors", "D1_Issuer_ICA.pem", 0);

	      "D1.ors", "D1_Issuer_ICA.pem", "", 0);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "D2.ors", "D2_Issuer_Root.pem", 0);

	      "D2.ors", "D2_Issuer_Root.pem", "", 0);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "D3.ors", "D3_Issuer_Root.pem", 0);

	      "D3.ors", "D3_Issuer_Root.pem", "", 0);

};



subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {

    plan tests => 6;



    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", 1);

	      "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "ISOP_ND2.ors", "ND2_Issuer_Root.pem", 1);

	      "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "ISOP_ND3.ors", "ND3_Issuer_Root.pem", 1);

	      "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "ISOP_D1.ors", "D1_Issuer_ICA.pem", 1);

	      "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "ISOP_D2.ors", "D2_Issuer_Root.pem", 1);

	      "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "ISOP_D3.ors", "D3_Issuer_Root.pem", 1);

	      "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);

};



subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {

    plan tests => 6;



    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "WRID_ND1.ors", "ND1_Issuer_ICA.pem", 1);

	      "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "WRID_ND2.ors", "ND2_Issuer_Root.pem", 1);

	      "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "WRID_ND3.ors", "ND3_Issuer_Root.pem", 1);

	      "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "WRID_D1.ors", "D1_Issuer_ICA.pem", 1);

	      "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "WRID_D2.ors", "D2_Issuer_Root.pem", 1);

	      "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "WRID_D3.ors", "D3_Issuer_Root.pem", 1);

	      "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);

};



subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {

    plan tests => 6;



    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "WINH_ND1.ors", "ND1_Issuer_ICA.pem", 1);

	      "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "WINH_ND2.ors", "ND2_Issuer_Root.pem", 1);

	      "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "WINH_ND3.ors", "ND3_Issuer_Root.pem", 1);

	      "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "WINH_D1.ors", "D1_Issuer_ICA.pem", 1);

	      "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "WINH_D2.ors", "D2_Issuer_Root.pem", 1);

	      "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "WINH_D3.ors", "D3_Issuer_Root.pem", 1);

	      "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);

};



subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {

    plan tests => 6;



    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", 1);

	      "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "WIKH_ND2.ors", "ND2_Issuer_Root.pem", 1);

	      "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "WIKH_ND3.ors", "ND3_Issuer_Root.pem", 1);

	      "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "WIKH_D1.ors", "D1_Issuer_ICA.pem", 1);

	      "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "WIKH_D2.ors", "D2_Issuer_Root.pem", 1);

	      "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "WIKH_D3.ors", "D3_Issuer_Root.pem", 1);

	      "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);

};



subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {

    plan tests => 3;



    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);

	      "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "WKDOSC_D2.ors", "D2_Issuer_Root.pem", 1);

	      "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "WKDOSC_D3.ors", "D3_Issuer_Root.pem", 1);

	      "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);

};



subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {

    plan tests => 3;



    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);

	      "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "ISDOSC_D2.ors", "D2_Issuer_Root.pem", 1);

	      "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "ISDOSC_D3.ors", "D3_Issuer_Root.pem", 1);

	      "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);

};



subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {

    plan tests => 6;



    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", 1);

	      "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", 1);

	      "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", 1);

	      "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "D1.ors", "WSNIC_D1_Issuer_ICA.pem", 1);

	      "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "D2.ors", "WSNIC_D2_Issuer_Root.pem", 1);

	      "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "D3.ors", "WSNIC_D3_Issuer_Root.pem", 1);

	      "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);

};



subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {

    plan tests => 6;



    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", 1);

	      "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "ND2.ors", "WKIC_ND2_Issuer_Root.pem", 1);

	      "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "ND3.ors", "WKIC_ND3_Issuer_Root.pem", 1);

	      "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "D1.ors", "WKIC_D1_Issuer_ICA.pem", 1);

	      "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "D2.ors", "WKIC_D2_Issuer_Root.pem", 1);

	      "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "D3.ors", "WKIC_D3_Issuer_Root.pem", 1);

	      "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);

};



subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
@@ -192,15 +198,15 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub { 


    # Expect success, because we're explicitly trusting the issuer certificate.

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",

	      "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", 0);

	      "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);

    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",

	      "ND2.ors", "ISIC_ND2_Issuer_Root.pem", 0);

	      "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);

    test_ocsp("NON-DELEGATED; Root CA -> EE",

	      "ND3.ors", "ISIC_ND3_Issuer_Root.pem", 0);

	      "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);

    test_ocsp("DELEGATED; Intermediate CA -> EE",

	      "D1.ors", "ISIC_D1_Issuer_ICA.pem", 0);

	      "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);

    test_ocsp("DELEGATED; Root CA -> Intermediate CA",

	      "D2.ors", "ISIC_D2_Issuer_Root.pem", 0);

	      "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);

    test_ocsp("DELEGATED; Root CA -> EE",

	      "D3.ors", "ISIC_D3_Issuer_Root.pem", 0);

	      "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);

};