Reject unknown critical OCSP extensions

Process OCSP ResponseData and SingleResponse extensions, and return OCSPRevocationStatus::UNKNOWN if unhandled extensions marked critical are found. Updated PEM-file generation code to explicitly set the OCSP extension's critical flag, which resulted in changes to existing PEM files. Without setting the flag, the code parsing the OCSP extensions appears to see critical=true. Bug: 944269 Change-Id: Ib04a9a5c39aba2edc70a6be7ea98981ec8f5360f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1732706Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Kaustubha Govind <kaustubhag@chromium.org> Cr-Commit-Position: refs/heads/master@{#686394}

Reject unknown critical OCSP extensions
Process OCSP ResponseData and SingleResponse extensions, and return OCSPRevocationStatus::UNKNOWN if unhandled extensions marked critical are found. Updated PEM-file generation code to explicitly set the OCSP extension's critical flag, which resulted in changes to existing PEM files. Without setting the flag, the code parsing the OCSP extensions appears to see critical=true. Bug: 944269 Change-Id: Ib04a9a5c39aba2edc70a6be7ea98981ec8f5360f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1732706Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Kaustubha Govind <kaustubhag@chromium.org> Cr-Commit-Position: refs/heads/master@{#686394}
32f60f7c · Kaustubha Govind · Commit Bot · c8d23a5c · 32f60f7c · 32f60f7c
Commit 32f60f7c authored Aug 13, 2019 by Kaustubha Govind Committed by Commit Bot Aug 13, 2019
33 changed files
--- a/content/browser/web_package/signed_exchange_handler.cc
+++ b/content/browser/web_package/signed_exchange_handler.cc
@@ -141,6 +141,8 @@ std::string OCSPErrorToString(const net::OCSPVerifyResult& ocsp_result) {
      return "OCSPResponse structure could not be parsed.";
    case net::OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR:
      return "OCSP ResponseData structure could not be parsed.";
+    case net::OCSPVerifyResult::UNHANDLED_CRITICAL_EXTENSION:
+      return "OCSP Response contained unhandled critical extension.";
  }
  switch (ocsp_result.revocation_status) {

--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -3918,6 +3918,9 @@ bundle_data("net_unittests_bundle_data") {
    "data/ocsp_unittest/good_response.pem",
    "data/ocsp_unittest/good_response_next_update.pem",
    "data/ocsp_unittest/good_response_sha256.pem",
+    "data/ocsp_unittest/has_critical_ct_extension.pem",
+    "data/ocsp_unittest/has_critical_response_extension.pem",
+    "data/ocsp_unittest/has_critical_single_extension.pem",
    "data/ocsp_unittest/has_extension.pem",
    "data/ocsp_unittest/has_single_extension.pem",
    "data/ocsp_unittest/has_version.pem",

--- a/net/cert/internal/ocsp.cc
+++ b/net/cert/internal/ocsp.cc
@@ -672,6 +672,65 @@ WARN_UNUSED_RESULT bool VerifyOCSPResponseSignature(
  return false;
 }
+// Parse ResponseData and return false if any unhandled critical extensions are
+// found. No known critical ResponseData extensions exist.
+bool ParseOCSPResponseDataExtensions(
+    const der::Input& response_extensions,
+    OCSPVerifyResult::ResponseStatus* response_details) {
+  std::map<der::Input, ParsedExtension> extensions;
+  if (!ParseExtensions(response_extensions, &extensions)) {
+    *response_details = OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR;
+    return false;
+  }
+  for (const auto& ext : extensions) {
+    // TODO: handle ResponseData extensions
+    if (ext.second.critical) {
+      *response_details = OCSPVerifyResult::UNHANDLED_CRITICAL_EXTENSION;
+      return false;
+    }
+  }
+  return true;
+}
+// Parse SingleResponse and return false if any unhandled critical extensions
+// (other than the CT extension) are found. The CT-SCT extension is not required
+// to be marked critical, but since it is handled by Chrome, we will overlook
+// the flag setting.
+bool ParseOCSPSingleResponseExtensions(
+    const der::Input& single_extensions,
+    OCSPVerifyResult::ResponseStatus* response_details) {
+  std::map<der::Input, ParsedExtension> extensions;
+  if (!ParseExtensions(single_extensions, &extensions)) {
+    *response_details = OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR;
+    return false;
+  }
+  // The wire form of the OID 1.3.6.1.4.1.11129.2.4.5 - OCSP SingleExtension for
+  // X.509v3 Certificate Transparency Signed Certificate Timestamp List, see
+  // Section 3.3 of RFC6962.
+  const uint8_t ct_ocsp_ext_oid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
+                                     0xD6, 0x79, 0x02, 0x04, 0x05};
+  der::Input ct_ext_oid(ct_ocsp_ext_oid);
+  for (const auto& ext : extensions) {
+    // The CT OCSP extension is handled in ct::ExtractSCTListFromOCSPResponse
+    if (ext.second.oid == ct_ext_oid)
+      continue;
+    // TODO: handle SingleResponse extensions
+    if (ext.second.critical) {
+      *response_details = OCSPVerifyResult::UNHANDLED_CRITICAL_EXTENSION;
+      return false;
+    }
+  }
+  return true;
+}
 // Loops through the OCSPSingleResponses to find the best match for |cert|.
 OCSPRevocationStatus GetRevocationStatusForCert(
    const OCSPResponseData& response_data,
@@ -694,6 +753,14 @@ OCSPRevocationStatus GetRevocationStatusForCert(
    OCSPSingleResponse single_response;
    if (!ParseOCSPSingleResponse(single_response_der, &single_response))
      return OCSPRevocationStatus::UNKNOWN;
+    // Reject unhandled critical extensions in SingleResponse
+    if (single_response.has_extensions &&
+        !ParseOCSPSingleResponseExtensions(single_response.extensions,
+                                           response_details)) {
+      return OCSPRevocationStatus::UNKNOWN;
+    }
    OCSPCertID cert_id;
    if (!ParseOCSPCertID(single_response.cert_id_tlv, &cert_id))
      return OCSPRevocationStatus::UNKNOWN;
@@ -781,6 +848,14 @@ OCSPRevocationStatus CheckOCSP(
    return OCSPRevocationStatus::UNKNOWN;
  }
+  // Process the OCSP ResponseData extensions. In particular, must reject if
+  // there are any critical extensions that are not understood.
+  if (response_data.has_extensions &&
+      !ParseOCSPResponseDataExtensions(response_data.extensions,
+                                       response_details)) {
+    return OCSPRevocationStatus::UNKNOWN;
+  }
  scoped_refptr<ParsedCertificate> parsed_certificate;
  scoped_refptr<ParsedCertificate> parsed_issuer_certificate;
  if (!certificate) {
@@ -811,9 +886,6 @@ OCSPRevocationStatus CheckOCSP(
      GetRevocationStatusForCert(response_data, certificate, issuer_certificate,
                                 verify_time, max_age, response_details);
-  // TODO(eroman): Process the OCSP extensions. In particular, must reject if
-  // there are any critical extensions that are not understood.
  // Check that the OCSP response has a valid signature. It must either be
  // signed directly by the issuing certificate, or a valid authorized
  // responder.

--- a/net/cert/internal/ocsp_unittest.cc
+++ b/net/cert/internal/ocsp_unittest.cc
@@ -108,6 +108,15 @@ const TestParams kTestParams[] = {
    {"has_single_extension.pem", OCSPRevocationStatus::GOOD,
     OCSPVerifyResult::PROVIDED},
+    {"has_critical_single_extension.pem", OCSPRevocationStatus::UNKNOWN,
+     OCSPVerifyResult::UNHANDLED_CRITICAL_EXTENSION},
+    {"has_critical_response_extension.pem", OCSPRevocationStatus::UNKNOWN,
+     OCSPVerifyResult::UNHANDLED_CRITICAL_EXTENSION},
+    {"has_critical_ct_extension.pem", OCSPRevocationStatus::GOOD,
+     OCSPVerifyResult::PROVIDED},
    {"missing_response.pem", OCSPRevocationStatus::UNKNOWN,
     OCSPVerifyResult::NO_MATCHING_RESPONSE},
 };

--- a/net/cert/ocsp_verify_result.h
+++ b/net/cert/ocsp_verify_result.h
@@ -58,7 +58,11 @@ struct NET_EXPORT OCSPVerifyResult {
    // The OCSPResponseData structure could not be parsed.
    PARSE_RESPONSE_DATA_ERROR = 8,
-    RESPONSE_STATUS_MAX = PARSE_RESPONSE_DATA_ERROR
+    // Unhandled critical extension in either OCSPResponseData or
+    // OCSPSingleResponse
+    UNHANDLED_CRITICAL_EXTENSION = 9,
+    RESPONSE_STATUS_MAX = UNHANDLED_CRITICAL_EXTENSION
  };
  ResponseStatus response_status = NOT_CHECKED;

--- a/net/data/ocsp_unittest/bad_ocsp_type.pem
+++ b/net/data/ocsp_unittest/bad_ocsp_type.pem
--- a/net/data/ocsp_unittest/bad_signature.pem
+++ b/net/data/ocsp_unittest/bad_signature.pem
@@ -11,7 +11,7 @@ OCSP Response Data:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 449B1C5B31C6E9990966523E49C3F773C024190A
-      Issuer Key Hash: FC6D3387CC3B39B049C755C46DF4395548930BCE
+      Issuer Key Hash: 7F765910653BB5704124C41E94AEFCF940431A66
      Serial Number: 04
    Cert Status: good
    This Update: Mar  1 00:00:00 2017 GMT
@@ -19,10 +19,10 @@ OCSP Response Data:
    Signature Algorithm: sha1WithRSAEncryption
         de:ad:be:ef
 -----BEGIN OCSP RESPONSE-----
-MIG4CgEAoIGyMIGvBgkrBgEFBQcwAQEEgaEwgZ4wgYWhITAfMR0wGwYDVQQDDBRUZXN0IEludGV
+MIG2CgEAoIGwMIGtBgkrBgEFBQcwAQEEgZ8wgZwwgYWhITAfMR0wGwYDVQQDDBRUZXN0IEludGV
 ybWVkaWF0ZSBDQRgPMjAxNzAzMDIwMDAwMDBaME8wTTA4MAcGBSsOAwIaBBREmxxbMcbpmQlmUj
-5Jw/dzwCQZCgQU/G0zh8w7ObBJx1XEbfQ5VUiTC84CAQSAABgPMjAxNzAzMDEwMDAwMDBaMA0GC
+5Jw/dzwCQZCgQUf3ZZEGU7tXBBJMQelK78+UBDGmYCAQSAABgPMjAxNzAzMDEwMDAwMDBaMAsGC
-SqGSIb3DQEBBQUAAwUA3q2+7w==
+SqGSIb3DQEBBQMFAN6tvu8=
 -----END OCSP RESPONSE-----
 $ openssl x509 -text < [CA CERTIFICATE]
@@ -30,7 +30,7 @@ Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
+        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Test CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
@@ -38,36 +38,36 @@ Certificate:
        Subject: CN = Test Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                Modulus:
-                    00:b9:32:09:de:33:4a:4f:e2:04:73:49:d5:2e:2b:
+                    00:c5:fb:81:a7:1b:6a:61:38:1c:6a:de:dd:db:22:
-                    83:92:3a:94:e4:1b:0c:27:1b:f8:43:83:17:b8:75:
+                    61:64:7a:22:a3:3b:1d:e5:92:54:17:ad:39:2e:fe:
-                    f5:a4:af:e3:4c:84:3e:6c:48:79:76:df:4d:f5:39:
+                    81:ff:46:0a:70:d6:84:a5:d5:bd:05:d3:f2:a5:98:
-                    af:92:4b:c5:a0:86:ab:35:cc:19:6b:93:82:c0:f8:
+                    90:fd:e4:ff:d8:d2:cf:7c:d1:f2:78:0d:4a:a1:80:
-                    44:4d:1a:14:5d:48:87:65:02:0e:b0:a8:96:d9:06:
+                    c8:6a:70:75:84:04:c1:c2:4b:af:17:9b:a2:29:2b:
-                    19:3f:aa:85:2d:84:c0:78:19:a6:96:ab:26:56:f7:
+                    a7:be:f1:f9:19:80:f3:6a:d4:10:28:51:38:26:97:
-                    6f:5a:1a:97:a2:01:88:00:99:10:8a:97:39:c8:22:
+                    ed:ad:06:96:85:a7:b7:7c:78:38:90:44:df:d7:10:
-                    6e:de:e5:56:f4:a6:23:cd:ea:48:0e:65:67:a4:73:
+                    e4:52:a2:49:22:6c:98:71:51:f5:b2:13:6a:7f:08:
-                    a0:50:91:de:ba:cf:54:08:8f
+                    34:7c:d0:c6:99:6f:79:98:f9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         48:d5:9f:8d:90:bc:4a:59:38:1d:2b:83:2d:71:1c:74:9d:01:
+         7d:67:0f:39:4e:7c:e3:ba:f2:63:b9:ed:6e:ec:61:f2:8a:4f:
-         73:a0:b6:98:e7:1c:c2:22:66:23:33:0a:8f:64:ff:9c:6b:37:
+         1e:82:e2:4b:44:04:f8:a5:a1:5a:bc:8c:72:91:6d:bf:03:27:
-         09:12:1c:15:12:cb:c3:61:d9:ab:cd:96:dd:95:fa:a6:02:67:
+         21:10:9e:5c:8a:cf:4b:87:83:e0:c2:d7:72:55:d5:42:d3:d1:
-         3c:4c:ec:98:38:5c:fc:48:cc:85:a9:5b:49:2c:2b:06:66:07:
+         2b:76:b3:42:84:e0:e8:3b:80:b2:5f:55:e7:e0:f6:b6:21:c6:
-         9e:31:0f:93:10:ab:3e:9f:97:60:64:01:61:7e:86:15:bb:5e:
+         fd:91:b5:c9:ba:fa:d8:ba:5c:8b:e1:f6:de:5d:cf:39:e6:92:
-         f1:90:31:a3:54:d0:86:0e:80:05:87:09:2e:65:b6:95:89:5c:
+         22:85:31:1f:c3:ed:19:db:0a:0b:f9:ef:a7:36:4d:e1:54:af:
-         c1:e5:80:d9:b8:81:b6:ed:1a:20:b8:9b:22:ce:ef:d0:26:47:
+         8e:c0:59:25:43:e5:69:47:c4:e0:00:1e:21:eb:e6:b4:13:8f:
-         9d:57
+         30:01
 -----BEGIN CA CERTIFICATE-----
 MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
 wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
-RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5MgneM0pP4gRzSdUuK4OSOpTkG
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF+4GnG2phOBxq3t3bImFkeiKjO
-wwnG/hDgxe4dfWkr+NMhD5sSHl23031Oa+SS8Wghqs1zBlrk4LA+ERNGhRdSIdlAg6wqJbZBhk/
+x3lklQXrTku/oH/Rgpw1oSl1b0F0/KlmJD95P/Y0s980fJ4DUqhgMhqcHWEBMHCS68Xm6IpK6e+
-qoUthMB4GaaWqyZW929aGpeiAYgAmRCKlznIIm7e5Vb0piPN6kgOZWekc6BQkd66z1QIjwIDAQA
+8fkZgPNq1BAoUTgml+2tBpaFp7d8eDiQRN/XEORSokkibJhxUfWyE2p/CDR80MaZb3mY+QIDAQA
-BMA0GCSqGSIb3DQEBBQUAA4GBAEjVn42QvEpZOB0rgy1xHHSdAXOgtpjnHMIiZiMzCo9k/5xrNw
+BMA0GCSqGSIb3DQEBBQUAA4GBAH1nDzlOfOO68mO57W7sYfKKTx6C4ktEBPiloVq8jHKRbb8DJy
-kSHBUSy8Nh2avNlt2V+qYCZzxM7Jg4XPxIzIWpW0ksKwZmB54xD5MQqz6fl2BkAWF+hhW7XvGQM
+EQnlyKz0uHg+DC13JV1ULT0St2s0KE4Og7gLJfVefg9rYhxv2Rtcm6+ti6XIvh9t5dzznmkiKFM
-aNU0IYOgAWHCS5ltpWJXMHlgNm4gbbtGiC4myLO79AmR51X
+R/D7RnbCgv576c2TeFUr47AWSVD5WlHxOAAHiHr5rQTjzAB
 -----END CA CERTIFICATE-----
 $ openssl x509 -text < [CERTIFICATE]
@@ -75,7 +75,7 @@ Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
-    Signature Algorithm: sha1WithRSAEncryption
+        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Test Intermediate CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
@@ -83,36 +83,36 @@ Certificate:
        Subject: CN = Test Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                Modulus:
-                    00:bc:4c:d5:b3:8d:92:fa:66:ac:32:43:1a:9e:eb:
+                    00:d1:d2:a7:fd:5f:56:b8:4a:4a:00:c4:f0:36:48:
-                    17:e0:aa:76:35:1b:1d:10:48:4e:3e:22:8b:75:2e:
+                    0d:99:1e:ba:ca:8d:8c:0e:e9:5a:f4:31:94:26:f4:
-                    e8:6f:a4:55:1e:0a:5e:60:c0:61:f1:7d:29:58:7e:
+                    24:77:0c:2d:76:39:fe:1e:51:9c:b1:3a:b2:61:ae:
-                    0b:ef:29:be:ad:f8:f7:43:c8:58:95:14:5b:1d:af:
+                    f6:2b:41:46:92:81:b4:1e:35:73:bb:df:53:d6:63:
-                    4a:b8:90:9e:4e:ec:4e:b3:86:7a:b9:96:c1:34:d3:
+                    a4:07:58:e9:0a:40:7a:b7:71:a3:fd:7d:6a:3f:23:
-                    b9:a6:57:df:9b:bd:d9:dd:67:15:54:d4:9f:65:b8:
+                    ee:5e:76:90:3f:60:ea:85:6b:74:1b:1f:6a:40:27:
-                    33:29:59:ba:9a:c6:75:ea:a5:76:3d:a4:57:0f:e2:
+                    37:7f:ac:6e:97:ee:13:f7:cb:81:44:26:f3:25:48:
-                    e4:c3:91:35:1d:6e:ff:61:7d:c2:53:23:66:b2:a8:
+                    56:40:ef:33:84:c8:d7:52:66:8a:40:35:ed:ec:67:
-                    0b:e1:c7:55:48:c5:2b:4d:7d
+                    95:c1:35:46:9e:db:9b:ce:9b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         18:bb:93:d9:2a:e0:34:69:2f:96:57:ac:55:ac:a7:83:04:b4:
+         8e:94:5a:91:44:aa:ab:e4:bf:c4:ca:a3:ee:10:67:2d:3e:d5:
-         bc:22:7f:5f:f7:c0:dc:ac:af:13:9b:86:7e:ac:02:8c:44:83:
+         ac:b8:90:8b:4e:7f:3e:bc:83:bb:b2:c9:0c:a2:ae:fb:6c:b3:
-         2e:c0:fa:a1:77:1d:dd:86:31:7e:98:93:c0:4f:b2:3d:be:30:
+         5d:b7:40:20:9f:9b:7c:3d:5f:67:bc:0e:f9:20:bc:24:67:27:
-         6f:a5:fc:c7:2e:b1:b8:08:d2:17:cb:60:55:bf:5a:e0:94:f3:
+         a9:2e:81:08:e5:3f:ad:e9:b7:eb:a9:c5:58:55:55:f3:26:17:
-         1d:44:fa:b1:2f:1a:24:c5:33:e1:d4:f0:ac:d5:2c:67:da:a7:
+         26:46:5f:ef:20:38:c9:f2:81:ba:39:d9:28:4b:e8:83:ff:d7:
-         5d:ee:eb:d6:7a:a7:41:e8:94:7a:34:43:b2:1f:ab:e9:cf:5d:
+         2e:87:72:36:77:0f:46:9b:a1:fe:d8:d8:20:50:68:c1:7b:66:
-         25:49:56:18:d2:a9:49:1a:37:34:43:c7:06:96:4a:29:38:cc:
+         82:5d:62:94:90:98:71:8b:b9:83:69:a8:65:a4:58:5d:ce:90:
-         f2:1c
+         0a:53
 -----BEGIN CERTIFICATE-----
 MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
 kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
-lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALxM1bONkvpmrDJDGp7rF+Cqd
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANHSp/1fVrhKSgDE8DZIDZkeu
-jUbHRBITj4ii3Uu6G+kVR4KXmDAYfF9KVh+C+8pvq3490PIWJUUWx2vSriQnk7sTrOGermWwTTT
+sqNjA7pWvQxlCb0JHcMLXY5/h5RnLE6smGu9itBRpKBtB41c7vfU9ZjpAdY6QpAerdxo/19aj8j
-uaZX35u92d1nFVTUn2W4MylZuprGdeqldj2kVw/i5MORNR1u/2F9wlMjZrKoC+HHVUjFK019AgM
+7l52kD9g6oVrdBsfakAnN3+sbpfuE/fLgUQm8yVIVkDvM4TI11JmikA17exnlcE1Rp7bm86bAgM
-BAAEwDQYJKoZIhvcNAQEFBQADgYEAGLuT2SrgNGkvllesVayngwS0vCJ/X/fA3KyvE5uGfqwCjE
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAjpRakUSqq+S/xMqj7hBnLT7VrLiQi05/PryDu7LJDKKu+2
-SDLsD6oXcd3YYxfpiTwE+yPb4wb6X8xy6xuAjSF8tgVb9a4JTzHUT6sS8aJMUz4dTwrNUsZ9qnX
+yzXbdAIJ+bfD1fZ7wO+SC8JGcnqS6BCOU/rem366nFWFVV8yYXJkZf7yA4yfKBujnZKEvog//XL
-e7r1nqnQeiUejRDsh+r6c9dJUlWGNKpSRo3NEPHBpZKKTjM8hw=
+odyNncPRpuh/tjYIFBowXtmgl1ilJCYcYu5g2moZaRYXc6QClM=
 -----END CERTIFICATE-----
 $ openssl asn1parse -i < [OCSP REQUEST]
@@ -125,9 +125,9 @@ $ openssl asn1parse -i < [OCSP REQUEST]
   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
   19:d=6  hl=2 l=   0 prim:       NULL              
   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
-   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:FC6D3387CC3B39B049C755C46DF4395548930BCE
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:7F765910653BB5704124C41E94AEFCF940431A66
   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
 -----BEGIN OCSP REQUEST-----
-MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQU/G0zh8w7ObBJx1X
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQUf3ZZEGU7tXBBJMQ
-EbfQ5VUiTC84CAQQ=
+elK78+UBDGmYCAQQ=
 -----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/bad_status.pem
+++ b/net/data/ocsp_unittest/bad_status.pem
 Has an invalid status larger than the defined Status enumeration
-$ openssl ocsp -resp_text -respin <([OCSP RESPONSE])
+$ openssl asn1parse -i < [OCSP RESPONSE]
-Responder Error: (UNKNOWN) (17)
+    0:d=0  hl=2 l=   3 cons: SEQUENCE          
+    2:d=1  hl=2 l=   1 prim:  ENUMERATED        :11
 -----BEGIN OCSP RESPONSE-----
 MAMKARE=
 -----END OCSP RESPONSE-----
@@ -11,7 +12,7 @@ Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
+        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Test CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
@@ -19,36 +20,36 @@ Certificate:
        Subject: CN = Test Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                Modulus:
-                    00:b9:32:09:de:33:4a:4f:e2:04:73:49:d5:2e:2b:
+                    00:c5:fb:81:a7:1b:6a:61:38:1c:6a:de:dd:db:22:
-                    83:92:3a:94:e4:1b:0c:27:1b:f8:43:83:17:b8:75:
+                    61:64:7a:22:a3:3b:1d:e5:92:54:17:ad:39:2e:fe:
-                    f5:a4:af:e3:4c:84:3e:6c:48:79:76:df:4d:f5:39:
+                    81:ff:46:0a:70:d6:84:a5:d5:bd:05:d3:f2:a5:98:
-                    af:92:4b:c5:a0:86:ab:35:cc:19:6b:93:82:c0:f8:
+                    90:fd:e4:ff:d8:d2:cf:7c:d1:f2:78:0d:4a:a1:80:
-                    44:4d:1a:14:5d:48:87:65:02:0e:b0:a8:96:d9:06:
+                    c8:6a:70:75:84:04:c1:c2:4b:af:17:9b:a2:29:2b:
-                    19:3f:aa:85:2d:84:c0:78:19:a6:96:ab:26:56:f7:
+                    a7:be:f1:f9:19:80:f3:6a:d4:10:28:51:38:26:97:
-                    6f:5a:1a:97:a2:01:88:00:99:10:8a:97:39:c8:22:
+                    ed:ad:06:96:85:a7:b7:7c:78:38:90:44:df:d7:10:
-                    6e:de:e5:56:f4:a6:23:cd:ea:48:0e:65:67:a4:73:
+                    e4:52:a2:49:22:6c:98:71:51:f5:b2:13:6a:7f:08:
-                    a0:50:91:de:ba:cf:54:08:8f
+                    34:7c:d0:c6:99:6f:79:98:f9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         48:d5:9f:8d:90:bc:4a:59:38:1d:2b:83:2d:71:1c:74:9d:01:
+         7d:67:0f:39:4e:7c:e3:ba:f2:63:b9:ed:6e:ec:61:f2:8a:4f:
-         73:a0:b6:98:e7:1c:c2:22:66:23:33:0a:8f:64:ff:9c:6b:37:
+         1e:82:e2:4b:44:04:f8:a5:a1:5a:bc:8c:72:91:6d:bf:03:27:
-         09:12:1c:15:12:cb:c3:61:d9:ab:cd:96:dd:95:fa:a6:02:67:
+         21:10:9e:5c:8a:cf:4b:87:83:e0:c2:d7:72:55:d5:42:d3:d1:
-         3c:4c:ec:98:38:5c:fc:48:cc:85:a9:5b:49:2c:2b:06:66:07:
+         2b:76:b3:42:84:e0:e8:3b:80:b2:5f:55:e7:e0:f6:b6:21:c6:
-         9e:31:0f:93:10:ab:3e:9f:97:60:64:01:61:7e:86:15:bb:5e:
+         fd:91:b5:c9:ba:fa:d8:ba:5c:8b:e1:f6:de:5d:cf:39:e6:92:
-         f1:90:31:a3:54:d0:86:0e:80:05:87:09:2e:65:b6:95:89:5c:
+         22:85:31:1f:c3:ed:19:db:0a:0b:f9:ef:a7:36:4d:e1:54:af:
-         c1:e5:80:d9:b8:81:b6:ed:1a:20:b8:9b:22:ce:ef:d0:26:47:
+         8e:c0:59:25:43:e5:69:47:c4:e0:00:1e:21:eb:e6:b4:13:8f:
-         9d:57
+         30:01
 -----BEGIN CA CERTIFICATE-----
 MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
 wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
-RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5MgneM0pP4gRzSdUuK4OSOpTkG
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF+4GnG2phOBxq3t3bImFkeiKjO
-wwnG/hDgxe4dfWkr+NMhD5sSHl23031Oa+SS8Wghqs1zBlrk4LA+ERNGhRdSIdlAg6wqJbZBhk/
+x3lklQXrTku/oH/Rgpw1oSl1b0F0/KlmJD95P/Y0s980fJ4DUqhgMhqcHWEBMHCS68Xm6IpK6e+
-qoUthMB4GaaWqyZW929aGpeiAYgAmRCKlznIIm7e5Vb0piPN6kgOZWekc6BQkd66z1QIjwIDAQA
+8fkZgPNq1BAoUTgml+2tBpaFp7d8eDiQRN/XEORSokkibJhxUfWyE2p/CDR80MaZb3mY+QIDAQA
-BMA0GCSqGSIb3DQEBBQUAA4GBAEjVn42QvEpZOB0rgy1xHHSdAXOgtpjnHMIiZiMzCo9k/5xrNw
+BMA0GCSqGSIb3DQEBBQUAA4GBAH1nDzlOfOO68mO57W7sYfKKTx6C4ktEBPiloVq8jHKRbb8DJy
-kSHBUSy8Nh2avNlt2V+qYCZzxM7Jg4XPxIzIWpW0ksKwZmB54xD5MQqz6fl2BkAWF+hhW7XvGQM
+EQnlyKz0uHg+DC13JV1ULT0St2s0KE4Og7gLJfVefg9rYhxv2Rtcm6+ti6XIvh9t5dzznmkiKFM
-aNU0IYOgAWHCS5ltpWJXMHlgNm4gbbtGiC4myLO79AmR51X
+R/D7RnbCgv576c2TeFUr47AWSVD5WlHxOAAHiHr5rQTjzAB
 -----END CA CERTIFICATE-----
 $ openssl x509 -text < [CERTIFICATE]
@@ -56,7 +57,7 @@ Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
-    Signature Algorithm: sha1WithRSAEncryption
+        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Test Intermediate CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
@@ -64,36 +65,36 @@ Certificate:
        Subject: CN = Test Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                Modulus:
-                    00:bc:4c:d5:b3:8d:92:fa:66:ac:32:43:1a:9e:eb:
+                    00:d1:d2:a7:fd:5f:56:b8:4a:4a:00:c4:f0:36:48:
-                    17:e0:aa:76:35:1b:1d:10:48:4e:3e:22:8b:75:2e:
+                    0d:99:1e:ba:ca:8d:8c:0e:e9:5a:f4:31:94:26:f4:
-                    e8:6f:a4:55:1e:0a:5e:60:c0:61:f1:7d:29:58:7e:
+                    24:77:0c:2d:76:39:fe:1e:51:9c:b1:3a:b2:61:ae:
-                    0b:ef:29:be:ad:f8:f7:43:c8:58:95:14:5b:1d:af:
+                    f6:2b:41:46:92:81:b4:1e:35:73:bb:df:53:d6:63:
-                    4a:b8:90:9e:4e:ec:4e:b3:86:7a:b9:96:c1:34:d3:
+                    a4:07:58:e9:0a:40:7a:b7:71:a3:fd:7d:6a:3f:23:
-                    b9:a6:57:df:9b:bd:d9:dd:67:15:54:d4:9f:65:b8:
+                    ee:5e:76:90:3f:60:ea:85:6b:74:1b:1f:6a:40:27:
-                    33:29:59:ba:9a:c6:75:ea:a5:76:3d:a4:57:0f:e2:
+                    37:7f:ac:6e:97:ee:13:f7:cb:81:44:26:f3:25:48:
-                    e4:c3:91:35:1d:6e:ff:61:7d:c2:53:23:66:b2:a8:
+                    56:40:ef:33:84:c8:d7:52:66:8a:40:35:ed:ec:67:
-                    0b:e1:c7:55:48:c5:2b:4d:7d
+                    95:c1:35:46:9e:db:9b:ce:9b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         18:bb:93:d9:2a:e0:34:69:2f:96:57:ac:55:ac:a7:83:04:b4:
+         8e:94:5a:91:44:aa:ab:e4:bf:c4:ca:a3:ee:10:67:2d:3e:d5:
-         bc:22:7f:5f:f7:c0:dc:ac:af:13:9b:86:7e:ac:02:8c:44:83:
+         ac:b8:90:8b:4e:7f:3e:bc:83:bb:b2:c9:0c:a2:ae:fb:6c:b3:
-         2e:c0:fa:a1:77:1d:dd:86:31:7e:98:93:c0:4f:b2:3d:be:30:
+         5d:b7:40:20:9f:9b:7c:3d:5f:67:bc:0e:f9:20:bc:24:67:27:
-         6f:a5:fc:c7:2e:b1:b8:08:d2:17:cb:60:55:bf:5a:e0:94:f3:
+         a9:2e:81:08:e5:3f:ad:e9:b7:eb:a9:c5:58:55:55:f3:26:17:
-         1d:44:fa:b1:2f:1a:24:c5:33:e1:d4:f0:ac:d5:2c:67:da:a7:
+         26:46:5f:ef:20:38:c9:f2:81:ba:39:d9:28:4b:e8:83:ff:d7:
-         5d:ee:eb:d6:7a:a7:41:e8:94:7a:34:43:b2:1f:ab:e9:cf:5d:
+         2e:87:72:36:77:0f:46:9b:a1:fe:d8:d8:20:50:68:c1:7b:66:
-         25:49:56:18:d2:a9:49:1a:37:34:43:c7:06:96:4a:29:38:cc:
+         82:5d:62:94:90:98:71:8b:b9:83:69:a8:65:a4:58:5d:ce:90:
-         f2:1c
+         0a:53
 -----BEGIN CERTIFICATE-----
 MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
 kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
-lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALxM1bONkvpmrDJDGp7rF+Cqd
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANHSp/1fVrhKSgDE8DZIDZkeu
-jUbHRBITj4ii3Uu6G+kVR4KXmDAYfF9KVh+C+8pvq3490PIWJUUWx2vSriQnk7sTrOGermWwTTT
+sqNjA7pWvQxlCb0JHcMLXY5/h5RnLE6smGu9itBRpKBtB41c7vfU9ZjpAdY6QpAerdxo/19aj8j
-uaZX35u92d1nFVTUn2W4MylZuprGdeqldj2kVw/i5MORNR1u/2F9wlMjZrKoC+HHVUjFK019AgM
+7l52kD9g6oVrdBsfakAnN3+sbpfuE/fLgUQm8yVIVkDvM4TI11JmikA17exnlcE1Rp7bm86bAgM
-BAAEwDQYJKoZIhvcNAQEFBQADgYEAGLuT2SrgNGkvllesVayngwS0vCJ/X/fA3KyvE5uGfqwCjE
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAjpRakUSqq+S/xMqj7hBnLT7VrLiQi05/PryDu7LJDKKu+2
-SDLsD6oXcd3YYxfpiTwE+yPb4wb6X8xy6xuAjSF8tgVb9a4JTzHUT6sS8aJMUz4dTwrNUsZ9qnX
+yzXbdAIJ+bfD1fZ7wO+SC8JGcnqS6BCOU/rem366nFWFVV8yYXJkZf7yA4yfKBujnZKEvog//XL
-e7r1nqnQeiUejRDsh+r6c9dJUlWGNKpSRo3NEPHBpZKKTjM8hw=
+odyNncPRpuh/tjYIFBowXtmgl1ilJCYcYu5g2moZaRYXc6QClM=
 -----END CERTIFICATE-----
 $ openssl asn1parse -i < [OCSP REQUEST]
@@ -106,9 +107,9 @@ $ openssl asn1parse -i < [OCSP REQUEST]
   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
   19:d=6  hl=2 l=   0 prim:       NULL              
   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
-   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:FC6D3387CC3B39B049C755C46DF4395548930BCE
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:7F765910653BB5704124C41E94AEFCF940431A66
   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
 -----BEGIN OCSP REQUEST-----
-MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQU/G0zh8w7ObBJx1X
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQUf3ZZEGU7tXBBJMQ
-EbfQ5VUiTC84CAQQ=
+elK78+UBDGmYCAQQ=
 -----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/good_response.pem
+++ b/net/data/ocsp_unittest/good_response.pem
--- a/net/data/ocsp_unittest/good_response_next_update.pem
+++ b/net/data/ocsp_unittest/good_response_next_update.pem
--- a/net/data/ocsp_unittest/good_response_sha256.pem
+++ b/net/data/ocsp_unittest/good_response_sha256.pem
--- a/net/data/ocsp_unittest/has_critical_ct_extension.pem
+++ b/net/data/ocsp_unittest/has_critical_ct_extension.pem
+Has a critical CT extension in the SingleResponse
+$ openssl ocsp -resp_text -respin <([OCSP RESPONSE])
+OCSP Response Data:
+    OCSP Response Status: successful (0x0)
+    Response Type: Basic OCSP Response
+    Version: 1 (0x0)
+    Responder Id: CN = Test Intermediate CA
+    Produced At: Mar  2 00:00:00 2017 GMT
+    Responses:
+    Certificate ID:
+      Hash Algorithm: sha1
+      Issuer Name Hash: 449B1C5B31C6E9990966523E49C3F773C024190A
+      Issuer Key Hash: 7F765910653BB5704124C41E94AEFCF940431A66
+      Serial Number: 04
+    Cert Status: good
+    This Update: Mar  1 00:00:00 2017 GMT
+        Response Single Extensions:
+            CT Certificate SCTs: critical
+                DEADBEEF
+    Signature Algorithm: sha1WithRSAEncryption
+         3f:34:0c:f8:fc:b6:07:21:92:44:93:03:c9:a4:61:01:ba:eb:
+         c9:82:1e:75:e5:60:12:18:70:ac:51:c6:a8:94:a1:6e:25:18:
+         2a:e1:7d:1f:93:4a:04:b0:60:d1:14:2c:85:04:e3:7f:2b:d8:
+         eb:10:24:bd:c1:60:3a:fc:b3:4b:40:e8:46:6e:65:09:0f:d7:
+         d0:30:85:d1:58:c5:a1:56:57:2b:a6:a2:2d:f1:a5:78:27:1f:
+         cf:b5:4f:46:90:50:62:24:c3:9f:8a:30:42:9e:ea:12:70:51:
+         32:86:be:69:34:3b:d9:4b:2c:be:81:70:e3:0a:99:ae:ec:82:
+         53:0f
+-----BEGIN OCSP RESPONSE-----
+MIIBVgoBAKCCAU8wggFLBgkrBgEFBQcwAQEEggE8MIIBODCBpKEhMB8xHTAbBgNVBAMMFFRlc3Q
+gSW50ZXJtZWRpYXRlIENBGA8yMDE3MDMwMjAwMDAwMFowbjBsMDgwBwYFKw4DAhoEFESbHFsxxu
+mZCWZSPknD93PAJBkKBBR/dlkQZTu1cEEkxB6Urvz5QEMaZgIBBIAAGA8yMDE3MDMwMTAwMDAwM
+FqhHTAbMBkGCisGAQQB1nkCBAUBAf8ECERFQURCRUVGMAsGCSqGSIb3DQEBBQOBgQA/NAz4/LYH
+IZJEkwPJpGEBuuvJgh515WASGHCsUcaolKFuJRgq4X0fk0oEsGDRFCyFBON/K9jrECS9wWA6/LN
+LQOhGbmUJD9fQMIXRWMWhVlcrpqIt8aV4Jx/PtU9GkFBiJMOfijBCnuoScFEyhr5pNDvZSyy+gX
+DjCpmu7IJTDw==
+-----END OCSP RESPONSE-----
+$ openssl x509 -text < [CA CERTIFICATE]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN = Test CA
+        Validity
+            Not Before: Jan  1 00:00:00 2017 GMT
+            Not After : Jan  1 00:00:00 2018 GMT
+        Subject: CN = Test Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+                    00:c5:fb:81:a7:1b:6a:61:38:1c:6a:de:dd:db:22:
+                    61:64:7a:22:a3:3b:1d:e5:92:54:17:ad:39:2e:fe:
+                    81:ff:46:0a:70:d6:84:a5:d5:bd:05:d3:f2:a5:98:
+                    90:fd:e4:ff:d8:d2:cf:7c:d1:f2:78:0d:4a:a1:80:
+                    c8:6a:70:75:84:04:c1:c2:4b:af:17:9b:a2:29:2b:
+                    a7:be:f1:f9:19:80:f3:6a:d4:10:28:51:38:26:97:
+                    ed:ad:06:96:85:a7:b7:7c:78:38:90:44:df:d7:10:
+                    e4:52:a2:49:22:6c:98:71:51:f5:b2:13:6a:7f:08:
+                    34:7c:d0:c6:99:6f:79:98:f9
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         7d:67:0f:39:4e:7c:e3:ba:f2:63:b9:ed:6e:ec:61:f2:8a:4f:
+         1e:82:e2:4b:44:04:f8:a5:a1:5a:bc:8c:72:91:6d:bf:03:27:
+         21:10:9e:5c:8a:cf:4b:87:83:e0:c2:d7:72:55:d5:42:d3:d1:
+         2b:76:b3:42:84:e0:e8:3b:80:b2:5f:55:e7:e0:f6:b6:21:c6:
+         fd:91:b5:c9:ba:fa:d8:ba:5c:8b:e1:f6:de:5d:cf:39:e6:92:
+         22:85:31:1f:c3:ed:19:db:0a:0b:f9:ef:a7:36:4d:e1:54:af:
+         8e:c0:59:25:43:e5:69:47:c4:e0:00:1e:21:eb:e6:b4:13:8f:
+         30:01
+-----BEGIN CA CERTIFICATE-----
+MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
+wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF+4GnG2phOBxq3t3bImFkeiKjO
+x3lklQXrTku/oH/Rgpw1oSl1b0F0/KlmJD95P/Y0s980fJ4DUqhgMhqcHWEBMHCS68Xm6IpK6e+
+8fkZgPNq1BAoUTgml+2tBpaFp7d8eDiQRN/XEORSokkibJhxUfWyE2p/CDR80MaZb3mY+QIDAQA
+BMA0GCSqGSIb3DQEBBQUAA4GBAH1nDzlOfOO68mO57W7sYfKKTx6C4ktEBPiloVq8jHKRbb8DJy
+EQnlyKz0uHg+DC13JV1ULT0St2s0KE4Og7gLJfVefg9rYhxv2Rtcm6+ti6XIvh9t5dzznmkiKFM
+R/D7RnbCgv576c2TeFUr47AWSVD5WlHxOAAHiHr5rQTjzAB
+-----END CA CERTIFICATE-----
+$ openssl x509 -text < [CERTIFICATE]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN = Test Intermediate CA
+        Validity
+            Not Before: Jan  1 00:00:00 2017 GMT
+            Not After : Jan  1 00:00:00 2018 GMT
+        Subject: CN = Test Cert
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+                    00:d1:d2:a7:fd:5f:56:b8:4a:4a:00:c4:f0:36:48:
+                    0d:99:1e:ba:ca:8d:8c:0e:e9:5a:f4:31:94:26:f4:
+                    24:77:0c:2d:76:39:fe:1e:51:9c:b1:3a:b2:61:ae:
+                    f6:2b:41:46:92:81:b4:1e:35:73:bb:df:53:d6:63:
+                    a4:07:58:e9:0a:40:7a:b7:71:a3:fd:7d:6a:3f:23:
+                    ee:5e:76:90:3f:60:ea:85:6b:74:1b:1f:6a:40:27:
+                    37:7f:ac:6e:97:ee:13:f7:cb:81:44:26:f3:25:48:
+                    56:40:ef:33:84:c8:d7:52:66:8a:40:35:ed:ec:67:
+                    95:c1:35:46:9e:db:9b:ce:9b
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         8e:94:5a:91:44:aa:ab:e4:bf:c4:ca:a3:ee:10:67:2d:3e:d5:
+         ac:b8:90:8b:4e:7f:3e:bc:83:bb:b2:c9:0c:a2:ae:fb:6c:b3:
+         5d:b7:40:20:9f:9b:7c:3d:5f:67:bc:0e:f9:20:bc:24:67:27:
+         a9:2e:81:08:e5:3f:ad:e9:b7:eb:a9:c5:58:55:55:f3:26:17:
+         26:46:5f:ef:20:38:c9:f2:81:ba:39:d9:28:4b:e8:83:ff:d7:
+         2e:87:72:36:77:0f:46:9b:a1:fe:d8:d8:20:50:68:c1:7b:66:
+         82:5d:62:94:90:98:71:8b:b9:83:69:a8:65:a4:58:5d:ce:90:
+         0a:53
+-----BEGIN CERTIFICATE-----
+MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
+kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANHSp/1fVrhKSgDE8DZIDZkeu
+sqNjA7pWvQxlCb0JHcMLXY5/h5RnLE6smGu9itBRpKBtB41c7vfU9ZjpAdY6QpAerdxo/19aj8j
+7l52kD9g6oVrdBsfakAnN3+sbpfuE/fLgUQm8yVIVkDvM4TI11JmikA17exnlcE1Rp7bm86bAgM
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAjpRakUSqq+S/xMqj7hBnLT7VrLiQi05/PryDu7LJDKKu+2
+yzXbdAIJ+bfD1fZ7wO+SC8JGcnqS6BCOU/rem366nFWFVV8yYXJkZf7yA4yfKBujnZKEvog//XL
+odyNncPRpuh/tjYIFBowXtmgl1ilJCYcYu5g2moZaRYXc6QClM=
+-----END CERTIFICATE-----
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:7F765910653BB5704124C41E94AEFCF940431A66
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQUf3ZZEGU7tXBBJMQ
+elK78+UBDGmYCAQQ=
+-----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/has_critical_response_extension.pem
+++ b/net/data/ocsp_unittest/has_critical_response_extension.pem
+Has a critical extension in the ResponseData
+$ openssl ocsp -resp_text -respin <([OCSP RESPONSE])
+OCSP Response Data:
+    OCSP Response Status: successful (0x0)
+    Response Type: Basic OCSP Response
+    Version: 1 (0x0)
+    Responder Id: CN = Test Intermediate CA
+    Produced At: Mar  2 00:00:00 2017 GMT
+    Responses:
+    Certificate ID:
+      Hash Algorithm: sha1
+      Issuer Name Hash: 449B1C5B31C6E9990966523E49C3F773C024190A
+      Issuer Key Hash: 7F765910653BB5704124C41E94AEFCF940431A66
+      Serial Number: 04
+    Cert Status: good
+    This Update: Mar  1 00:00:00 2017 GMT
+    Response Extensions:
+        1.2.3.4: critical
+            DEADBEEF
+    Signature Algorithm: sha1WithRSAEncryption
+         83:54:d0:3f:1a:22:0b:1c:2f:7c:bc:11:ec:74:f9:8f:a4:48:
+         cf:6a:18:95:3c:3f:ba:88:ac:31:cc:fd:e4:b2:0d:6a:d5:ad:
+         97:9f:03:0e:e0:3d:08:4e:4b:ff:77:9d:1d:06:ae:bc:90:09:
+         28:71:78:47:a3:63:e1:75:d3:a6:92:43:8d:60:cf:cc:cf:0b:
+         5f:fe:b1:91:96:1f:81:5a:50:77:b0:c7:e3:be:98:9e:6c:64:
+         44:9d:67:82:d9:87:d8:f6:93:0b:4d:8f:44:d2:51:2d:d1:61:
+         d7:ec:5c:46:ad:9c:6d:f1:c8:61:91:83:2b:d0:83:e8:9c:22:
+         df:e1
+-----BEGIN OCSP RESPONSE-----
+MIIBTwoBAKCCAUgwggFEBgkrBgEFBQcwAQEEggE1MIIBMTCBnaEhMB8xHTAbBgNVBAMMFFRlc3Q
+gSW50ZXJtZWRpYXRlIENBGA8yMDE3MDMwMjAwMDAwMFowTzBNMDgwBwYFKw4DAhoEFESbHFsxxu
+mZCWZSPknD93PAJBkKBBR/dlkQZTu1cEEkxB6Urvz5QEMaZgIBBIAAGA8yMDE3MDMwMTAwMDAwM
+FqhFjAUMBIGAyoDBAEB/wQIREVBREJFRUYwCwYJKoZIhvcNAQEFA4GBAINU0D8aIgscL3y8Eex0
+Y+kSM9qGJU8P7qIrDHM/eSyDWrVrZefAw7gPQhOS/93nR0GrryQCShxeEejY+F106aSQ41gz8z
+PC1/+sZGWH4FaUHewx+O+mJ5sZESdZ4LZh9j2kwtNj0TSUS3RYdfsXEatnG3xyGGRgyvQg+icIt
+/h
+-----END OCSP RESPONSE-----
+$ openssl x509 -text < [CA CERTIFICATE]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN = Test CA
+        Validity
+            Not Before: Jan  1 00:00:00 2017 GMT
+            Not After : Jan  1 00:00:00 2018 GMT
+        Subject: CN = Test Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+                    00:c5:fb:81:a7:1b:6a:61:38:1c:6a:de:dd:db:22:
+                    61:64:7a:22:a3:3b:1d:e5:92:54:17:ad:39:2e:fe:
+                    81:ff:46:0a:70:d6:84:a5:d5:bd:05:d3:f2:a5:98:
+                    90:fd:e4:ff:d8:d2:cf:7c:d1:f2:78:0d:4a:a1:80:
+                    c8:6a:70:75:84:04:c1:c2:4b:af:17:9b:a2:29:2b:
+                    a7:be:f1:f9:19:80:f3:6a:d4:10:28:51:38:26:97:
+                    ed:ad:06:96:85:a7:b7:7c:78:38:90:44:df:d7:10:
+                    e4:52:a2:49:22:6c:98:71:51:f5:b2:13:6a:7f:08:
+                    34:7c:d0:c6:99:6f:79:98:f9
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         7d:67:0f:39:4e:7c:e3:ba:f2:63:b9:ed:6e:ec:61:f2:8a:4f:
+         1e:82:e2:4b:44:04:f8:a5:a1:5a:bc:8c:72:91:6d:bf:03:27:
+         21:10:9e:5c:8a:cf:4b:87:83:e0:c2:d7:72:55:d5:42:d3:d1:
+         2b:76:b3:42:84:e0:e8:3b:80:b2:5f:55:e7:e0:f6:b6:21:c6:
+         fd:91:b5:c9:ba:fa:d8:ba:5c:8b:e1:f6:de:5d:cf:39:e6:92:
+         22:85:31:1f:c3:ed:19:db:0a:0b:f9:ef:a7:36:4d:e1:54:af:
+         8e:c0:59:25:43:e5:69:47:c4:e0:00:1e:21:eb:e6:b4:13:8f:
+         30:01
+-----BEGIN CA CERTIFICATE-----
+MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
+wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF+4GnG2phOBxq3t3bImFkeiKjO
+x3lklQXrTku/oH/Rgpw1oSl1b0F0/KlmJD95P/Y0s980fJ4DUqhgMhqcHWEBMHCS68Xm6IpK6e+
+8fkZgPNq1BAoUTgml+2tBpaFp7d8eDiQRN/XEORSokkibJhxUfWyE2p/CDR80MaZb3mY+QIDAQA
+BMA0GCSqGSIb3DQEBBQUAA4GBAH1nDzlOfOO68mO57W7sYfKKTx6C4ktEBPiloVq8jHKRbb8DJy
+EQnlyKz0uHg+DC13JV1ULT0St2s0KE4Og7gLJfVefg9rYhxv2Rtcm6+ti6XIvh9t5dzznmkiKFM
+R/D7RnbCgv576c2TeFUr47AWSVD5WlHxOAAHiHr5rQTjzAB
+-----END CA CERTIFICATE-----
+$ openssl x509 -text < [CERTIFICATE]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN = Test Intermediate CA
+        Validity
+            Not Before: Jan  1 00:00:00 2017 GMT
+            Not After : Jan  1 00:00:00 2018 GMT
+        Subject: CN = Test Cert
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+                    00:d1:d2:a7:fd:5f:56:b8:4a:4a:00:c4:f0:36:48:
+                    0d:99:1e:ba:ca:8d:8c:0e:e9:5a:f4:31:94:26:f4:
+                    24:77:0c:2d:76:39:fe:1e:51:9c:b1:3a:b2:61:ae:
+                    f6:2b:41:46:92:81:b4:1e:35:73:bb:df:53:d6:63:
+                    a4:07:58:e9:0a:40:7a:b7:71:a3:fd:7d:6a:3f:23:
+                    ee:5e:76:90:3f:60:ea:85:6b:74:1b:1f:6a:40:27:
+                    37:7f:ac:6e:97:ee:13:f7:cb:81:44:26:f3:25:48:
+                    56:40:ef:33:84:c8:d7:52:66:8a:40:35:ed:ec:67:
+                    95:c1:35:46:9e:db:9b:ce:9b
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         8e:94:5a:91:44:aa:ab:e4:bf:c4:ca:a3:ee:10:67:2d:3e:d5:
+         ac:b8:90:8b:4e:7f:3e:bc:83:bb:b2:c9:0c:a2:ae:fb:6c:b3:
+         5d:b7:40:20:9f:9b:7c:3d:5f:67:bc:0e:f9:20:bc:24:67:27:
+         a9:2e:81:08:e5:3f:ad:e9:b7:eb:a9:c5:58:55:55:f3:26:17:
+         26:46:5f:ef:20:38:c9:f2:81:ba:39:d9:28:4b:e8:83:ff:d7:
+         2e:87:72:36:77:0f:46:9b:a1:fe:d8:d8:20:50:68:c1:7b:66:
+         82:5d:62:94:90:98:71:8b:b9:83:69:a8:65:a4:58:5d:ce:90:
+         0a:53
+-----BEGIN CERTIFICATE-----
+MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
+kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANHSp/1fVrhKSgDE8DZIDZkeu
+sqNjA7pWvQxlCb0JHcMLXY5/h5RnLE6smGu9itBRpKBtB41c7vfU9ZjpAdY6QpAerdxo/19aj8j
+7l52kD9g6oVrdBsfakAnN3+sbpfuE/fLgUQm8yVIVkDvM4TI11JmikA17exnlcE1Rp7bm86bAgM
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAjpRakUSqq+S/xMqj7hBnLT7VrLiQi05/PryDu7LJDKKu+2
+yzXbdAIJ+bfD1fZ7wO+SC8JGcnqS6BCOU/rem366nFWFVV8yYXJkZf7yA4yfKBujnZKEvog//XL
+odyNncPRpuh/tjYIFBowXtmgl1ilJCYcYu5g2moZaRYXc6QClM=
+-----END CERTIFICATE-----
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:7F765910653BB5704124C41E94AEFCF940431A66
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQUf3ZZEGU7tXBBJMQ
+elK78+UBDGmYCAQQ=
+-----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/has_critical_single_extension.pem
+++ b/net/data/ocsp_unittest/has_critical_single_extension.pem
+Has a critical extension in the SingleResponse
+$ openssl ocsp -resp_text -respin <([OCSP RESPONSE])
+OCSP Response Data:
+    OCSP Response Status: successful (0x0)
+    Response Type: Basic OCSP Response
+    Version: 1 (0x0)
+    Responder Id: CN = Test Intermediate CA
+    Produced At: Mar  2 00:00:00 2017 GMT
+    Responses:
+    Certificate ID:
+      Hash Algorithm: sha1
+      Issuer Name Hash: 449B1C5B31C6E9990966523E49C3F773C024190A
+      Issuer Key Hash: 7F765910653BB5704124C41E94AEFCF940431A66
+      Serial Number: 04
+    Cert Status: good
+    This Update: Mar  1 00:00:00 2017 GMT
+        Response Single Extensions:
+            1.2.3.4: critical
+                DEADBEEF
+    Signature Algorithm: sha1WithRSAEncryption
+         5e:15:92:5e:47:1d:c2:7f:86:2f:46:d2:54:24:5f:0e:ad:a0:
+         04:9f:0b:10:e9:46:95:5d:90:10:50:d8:40:5b:2e:25:64:cb:
+         43:34:c9:90:49:a8:27:39:1d:f4:e8:42:d7:50:70:54:d4:fd:
+         8f:3a:b6:fe:52:00:4d:b9:52:f8:c8:7f:d0:94:2f:03:21:d9:
+         0f:5a:21:94:77:3c:86:f9:c3:34:ec:7e:4c:56:10:dd:0c:af:
+         87:3e:da:68:c6:98:72:97:62:5a:71:1a:84:a0:a1:79:9f:ff:
+         ec:76:c1:0e:24:03:21:9f:76:42:39:83:25:af:a1:93:a0:62:
+         20:b6
+-----BEGIN OCSP RESPONSE-----
+MIIBTwoBAKCCAUgwggFEBgkrBgEFBQcwAQEEggE1MIIBMTCBnaEhMB8xHTAbBgNVBAMMFFRlc3Q
+gSW50ZXJtZWRpYXRlIENBGA8yMDE3MDMwMjAwMDAwMFowZzBlMDgwBwYFKw4DAhoEFESbHFsxxu
+mZCWZSPknD93PAJBkKBBR/dlkQZTu1cEEkxB6Urvz5QEMaZgIBBIAAGA8yMDE3MDMwMTAwMDAwM
+FqhFjAUMBIGAyoDBAEB/wQIREVBREJFRUYwCwYJKoZIhvcNAQEFA4GBAF4Vkl5HHcJ/hi9G0lQk
+Xw6toASfCxDpRpVdkBBQ2EBbLiVky0M0yZBJqCc5HfToQtdQcFTU/Y86tv5SAE25UvjIf9CULwM
+h2Q9aIZR3PIb5wzTsfkxWEN0Mr4c+2mjGmHKXYlpxGoSgoXmf/+x2wQ4kAyGfdkI5gyWvoZOgYi
+C2
+-----END OCSP RESPONSE-----
+$ openssl x509 -text < [CA CERTIFICATE]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN = Test CA
+        Validity
+            Not Before: Jan  1 00:00:00 2017 GMT
+            Not After : Jan  1 00:00:00 2018 GMT
+        Subject: CN = Test Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+                    00:c5:fb:81:a7:1b:6a:61:38:1c:6a:de:dd:db:22:
+                    61:64:7a:22:a3:3b:1d:e5:92:54:17:ad:39:2e:fe:
+                    81:ff:46:0a:70:d6:84:a5:d5:bd:05:d3:f2:a5:98:
+                    90:fd:e4:ff:d8:d2:cf:7c:d1:f2:78:0d:4a:a1:80:
+                    c8:6a:70:75:84:04:c1:c2:4b:af:17:9b:a2:29:2b:
+                    a7:be:f1:f9:19:80:f3:6a:d4:10:28:51:38:26:97:
+                    ed:ad:06:96:85:a7:b7:7c:78:38:90:44:df:d7:10:
+                    e4:52:a2:49:22:6c:98:71:51:f5:b2:13:6a:7f:08:
+                    34:7c:d0:c6:99:6f:79:98:f9
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         7d:67:0f:39:4e:7c:e3:ba:f2:63:b9:ed:6e:ec:61:f2:8a:4f:
+         1e:82:e2:4b:44:04:f8:a5:a1:5a:bc:8c:72:91:6d:bf:03:27:
+         21:10:9e:5c:8a:cf:4b:87:83:e0:c2:d7:72:55:d5:42:d3:d1:
+         2b:76:b3:42:84:e0:e8:3b:80:b2:5f:55:e7:e0:f6:b6:21:c6:
+         fd:91:b5:c9:ba:fa:d8:ba:5c:8b:e1:f6:de:5d:cf:39:e6:92:
+         22:85:31:1f:c3:ed:19:db:0a:0b:f9:ef:a7:36:4d:e1:54:af:
+         8e:c0:59:25:43:e5:69:47:c4:e0:00:1e:21:eb:e6:b4:13:8f:
+         30:01
+-----BEGIN CA CERTIFICATE-----
+MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
+wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF+4GnG2phOBxq3t3bImFkeiKjO
+x3lklQXrTku/oH/Rgpw1oSl1b0F0/KlmJD95P/Y0s980fJ4DUqhgMhqcHWEBMHCS68Xm6IpK6e+
+8fkZgPNq1BAoUTgml+2tBpaFp7d8eDiQRN/XEORSokkibJhxUfWyE2p/CDR80MaZb3mY+QIDAQA
+BMA0GCSqGSIb3DQEBBQUAA4GBAH1nDzlOfOO68mO57W7sYfKKTx6C4ktEBPiloVq8jHKRbb8DJy
+EQnlyKz0uHg+DC13JV1ULT0St2s0KE4Og7gLJfVefg9rYhxv2Rtcm6+ti6XIvh9t5dzznmkiKFM
+R/D7RnbCgv576c2TeFUr47AWSVD5WlHxOAAHiHr5rQTjzAB
+-----END CA CERTIFICATE-----
+$ openssl x509 -text < [CERTIFICATE]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN = Test Intermediate CA
+        Validity
+            Not Before: Jan  1 00:00:00 2017 GMT
+            Not After : Jan  1 00:00:00 2018 GMT
+        Subject: CN = Test Cert
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+                    00:d1:d2:a7:fd:5f:56:b8:4a:4a:00:c4:f0:36:48:
+                    0d:99:1e:ba:ca:8d:8c:0e:e9:5a:f4:31:94:26:f4:
+                    24:77:0c:2d:76:39:fe:1e:51:9c:b1:3a:b2:61:ae:
+                    f6:2b:41:46:92:81:b4:1e:35:73:bb:df:53:d6:63:
+                    a4:07:58:e9:0a:40:7a:b7:71:a3:fd:7d:6a:3f:23:
+                    ee:5e:76:90:3f:60:ea:85:6b:74:1b:1f:6a:40:27:
+                    37:7f:ac:6e:97:ee:13:f7:cb:81:44:26:f3:25:48:
+                    56:40:ef:33:84:c8:d7:52:66:8a:40:35:ed:ec:67:
+                    95:c1:35:46:9e:db:9b:ce:9b
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         8e:94:5a:91:44:aa:ab:e4:bf:c4:ca:a3:ee:10:67:2d:3e:d5:
+         ac:b8:90:8b:4e:7f:3e:bc:83:bb:b2:c9:0c:a2:ae:fb:6c:b3:
+         5d:b7:40:20:9f:9b:7c:3d:5f:67:bc:0e:f9:20:bc:24:67:27:
+         a9:2e:81:08:e5:3f:ad:e9:b7:eb:a9:c5:58:55:55:f3:26:17:
+         26:46:5f:ef:20:38:c9:f2:81:ba:39:d9:28:4b:e8:83:ff:d7:
+         2e:87:72:36:77:0f:46:9b:a1:fe:d8:d8:20:50:68:c1:7b:66:
+         82:5d:62:94:90:98:71:8b:b9:83:69:a8:65:a4:58:5d:ce:90:
+         0a:53
+-----BEGIN CERTIFICATE-----
+MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
+kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANHSp/1fVrhKSgDE8DZIDZkeu
+sqNjA7pWvQxlCb0JHcMLXY5/h5RnLE6smGu9itBRpKBtB41c7vfU9ZjpAdY6QpAerdxo/19aj8j
+7l52kD9g6oVrdBsfakAnN3+sbpfuE/fLgUQm8yVIVkDvM4TI11JmikA17exnlcE1Rp7bm86bAgM
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAjpRakUSqq+S/xMqj7hBnLT7VrLiQi05/PryDu7LJDKKu+2
+yzXbdAIJ+bfD1fZ7wO+SC8JGcnqS6BCOU/rem366nFWFVV8yYXJkZf7yA4yfKBujnZKEvog//XL
+odyNncPRpuh/tjYIFBowXtmgl1ilJCYcYu5g2moZaRYXc6QClM=
+-----END CERTIFICATE-----
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:7F765910653BB5704124C41E94AEFCF940431A66
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQUf3ZZEGU7tXBBJMQ
+elK78+UBDGmYCAQQ=
+-----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/has_extension.pem
+++ b/net/data/ocsp_unittest/has_extension.pem
--- a/net/data/ocsp_unittest/has_single_extension.pem
+++ b/net/data/ocsp_unittest/has_single_extension.pem
--- a/net/data/ocsp_unittest/has_version.pem
+++ b/net/data/ocsp_unittest/has_version.pem
--- a/net/data/ocsp_unittest/make_ocsp.py
+++ b/net/data/ocsp_unittest/make_ocsp.py
@@ -74,10 +74,14 @@ def CreateCert(name, signer=None, ocsp=False):
  return (asn1cert, cert, pkey, signer[0])
-def CreateExtension():
+def CreateExtension(oid='1.2.3.4', critical=False):
  ext = rfc2459.Extension()
-  ext.setComponentByName('extnID', univ.ObjectIdentifier('1.2.3.4'))
+  ext.setComponentByName('extnID', univ.ObjectIdentifier(oid))
  ext.setComponentByName('extnValue', 'DEADBEEF')
+  if critical:
+    ext.setComponentByName('critical', univ.Boolean('True'))
+  else:
+    ext.setComponentByName('critical', univ.Boolean('False'))
  return ext
@@ -413,6 +417,30 @@ Store(
    Create(responses=[
        CreateSingleResponse(CERT, 0, extensions=[CreateExtension()])
    ]))
+Store(
+    'has_critical_single_extension',
+    'Has a critical extension in the SingleResponse', CA,
+    Create(responses=[
+        CreateSingleResponse(
+            CERT, 0, extensions=[CreateExtension('1.2.3.4', critical=True)])
+    ]))
+Store(
+    'has_critical_response_extension',
+    'Has a critical extension in the ResponseData', CA,
+    Create(
+        responses=[CreateSingleResponse(CERT, 0)],
+        extensions=[CreateExtension('1.2.3.4', critical=True)]))
+Store(
+    'has_critical_ct_extension',
+    'Has a critical CT extension in the SingleResponse', CA,
+    Create(responses=[
+        CreateSingleResponse(
+            CERT,
+            0,
+            extensions=[
+                CreateExtension('1.3.6.1.4.1.11129.2.4.5', critical=True)
+            ])
+    ]))
 Store('missing_response', 'Missing a response for the cert', CA,
      Create(response_status=0, responses=[]))
--- a/net/data/ocsp_unittest/malformed_request.pem
+++ b/net/data/ocsp_unittest/malformed_request.pem
 Has a status of MALFORMED_REQUEST
-$ openssl ocsp -resp_text -respin <([OCSP RESPONSE])
+$ openssl asn1parse -i < [OCSP RESPONSE]
-Responder Error: malformedrequest (1)
+    0:d=0  hl=2 l=   3 cons: SEQUENCE          
+    2:d=1  hl=2 l=   1 prim:  ENUMERATED        :01
 -----BEGIN OCSP RESPONSE-----
 MAMKAQE=
 -----END OCSP RESPONSE-----
@@ -11,7 +12,7 @@ Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
+        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Test CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
@@ -19,36 +20,36 @@ Certificate:
        Subject: CN = Test Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                Modulus:
-                    00:b9:32:09:de:33:4a:4f:e2:04:73:49:d5:2e:2b:
+                    00:c5:fb:81:a7:1b:6a:61:38:1c:6a:de:dd:db:22:
-                    83:92:3a:94:e4:1b:0c:27:1b:f8:43:83:17:b8:75:
+                    61:64:7a:22:a3:3b:1d:e5:92:54:17:ad:39:2e:fe:
-                    f5:a4:af:e3:4c:84:3e:6c:48:79:76:df:4d:f5:39:
+                    81:ff:46:0a:70:d6:84:a5:d5:bd:05:d3:f2:a5:98:
-                    af:92:4b:c5:a0:86:ab:35:cc:19:6b:93:82:c0:f8:
+                    90:fd:e4:ff:d8:d2:cf:7c:d1:f2:78:0d:4a:a1:80:
-                    44:4d:1a:14:5d:48:87:65:02:0e:b0:a8:96:d9:06:
+                    c8:6a:70:75:84:04:c1:c2:4b:af:17:9b:a2:29:2b:
-                    19:3f:aa:85:2d:84:c0:78:19:a6:96:ab:26:56:f7:
+                    a7:be:f1:f9:19:80:f3:6a:d4:10:28:51:38:26:97:
-                    6f:5a:1a:97:a2:01:88:00:99:10:8a:97:39:c8:22:
+                    ed:ad:06:96:85:a7:b7:7c:78:38:90:44:df:d7:10:
-                    6e:de:e5:56:f4:a6:23:cd:ea:48:0e:65:67:a4:73:
+                    e4:52:a2:49:22:6c:98:71:51:f5:b2:13:6a:7f:08:
-                    a0:50:91:de:ba:cf:54:08:8f
+                    34:7c:d0:c6:99:6f:79:98:f9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         48:d5:9f:8d:90:bc:4a:59:38:1d:2b:83:2d:71:1c:74:9d:01:
+         7d:67:0f:39:4e:7c:e3:ba:f2:63:b9:ed:6e:ec:61:f2:8a:4f:
-         73:a0:b6:98:e7:1c:c2:22:66:23:33:0a:8f:64:ff:9c:6b:37:
+         1e:82:e2:4b:44:04:f8:a5:a1:5a:bc:8c:72:91:6d:bf:03:27:
-         09:12:1c:15:12:cb:c3:61:d9:ab:cd:96:dd:95:fa:a6:02:67:
+         21:10:9e:5c:8a:cf:4b:87:83:e0:c2:d7:72:55:d5:42:d3:d1:
-         3c:4c:ec:98:38:5c:fc:48:cc:85:a9:5b:49:2c:2b:06:66:07:
+         2b:76:b3:42:84:e0:e8:3b:80:b2:5f:55:e7:e0:f6:b6:21:c6:
-         9e:31:0f:93:10:ab:3e:9f:97:60:64:01:61:7e:86:15:bb:5e:
+         fd:91:b5:c9:ba:fa:d8:ba:5c:8b:e1:f6:de:5d:cf:39:e6:92:
-         f1:90:31:a3:54:d0:86:0e:80:05:87:09:2e:65:b6:95:89:5c:
+         22:85:31:1f:c3:ed:19:db:0a:0b:f9:ef:a7:36:4d:e1:54:af:
-         c1:e5:80:d9:b8:81:b6:ed:1a:20:b8:9b:22:ce:ef:d0:26:47:
+         8e:c0:59:25:43:e5:69:47:c4:e0:00:1e:21:eb:e6:b4:13:8f:
-         9d:57
+         30:01
 -----BEGIN CA CERTIFICATE-----
 MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
 wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
-RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5MgneM0pP4gRzSdUuK4OSOpTkG
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF+4GnG2phOBxq3t3bImFkeiKjO
-wwnG/hDgxe4dfWkr+NMhD5sSHl23031Oa+SS8Wghqs1zBlrk4LA+ERNGhRdSIdlAg6wqJbZBhk/
+x3lklQXrTku/oH/Rgpw1oSl1b0F0/KlmJD95P/Y0s980fJ4DUqhgMhqcHWEBMHCS68Xm6IpK6e+
-qoUthMB4GaaWqyZW929aGpeiAYgAmRCKlznIIm7e5Vb0piPN6kgOZWekc6BQkd66z1QIjwIDAQA
+8fkZgPNq1BAoUTgml+2tBpaFp7d8eDiQRN/XEORSokkibJhxUfWyE2p/CDR80MaZb3mY+QIDAQA
-BMA0GCSqGSIb3DQEBBQUAA4GBAEjVn42QvEpZOB0rgy1xHHSdAXOgtpjnHMIiZiMzCo9k/5xrNw
+BMA0GCSqGSIb3DQEBBQUAA4GBAH1nDzlOfOO68mO57W7sYfKKTx6C4ktEBPiloVq8jHKRbb8DJy
-kSHBUSy8Nh2avNlt2V+qYCZzxM7Jg4XPxIzIWpW0ksKwZmB54xD5MQqz6fl2BkAWF+hhW7XvGQM
+EQnlyKz0uHg+DC13JV1ULT0St2s0KE4Og7gLJfVefg9rYhxv2Rtcm6+ti6XIvh9t5dzznmkiKFM
-aNU0IYOgAWHCS5ltpWJXMHlgNm4gbbtGiC4myLO79AmR51X
+R/D7RnbCgv576c2TeFUr47AWSVD5WlHxOAAHiHr5rQTjzAB
 -----END CA CERTIFICATE-----
 $ openssl x509 -text < [CERTIFICATE]
@@ -56,7 +57,7 @@ Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
-    Signature Algorithm: sha1WithRSAEncryption
+        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Test Intermediate CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
@@ -64,36 +65,36 @@ Certificate:
        Subject: CN = Test Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                Modulus:
-                    00:bc:4c:d5:b3:8d:92:fa:66:ac:32:43:1a:9e:eb:
+                    00:d1:d2:a7:fd:5f:56:b8:4a:4a:00:c4:f0:36:48:
-                    17:e0:aa:76:35:1b:1d:10:48:4e:3e:22:8b:75:2e:
+                    0d:99:1e:ba:ca:8d:8c:0e:e9:5a:f4:31:94:26:f4:
-                    e8:6f:a4:55:1e:0a:5e:60:c0:61:f1:7d:29:58:7e:
+                    24:77:0c:2d:76:39:fe:1e:51:9c:b1:3a:b2:61:ae:
-                    0b:ef:29:be:ad:f8:f7:43:c8:58:95:14:5b:1d:af:
+                    f6:2b:41:46:92:81:b4:1e:35:73:bb:df:53:d6:63:
-                    4a:b8:90:9e:4e:ec:4e:b3:86:7a:b9:96:c1:34:d3:
+                    a4:07:58:e9:0a:40:7a:b7:71:a3:fd:7d:6a:3f:23:
-                    b9:a6:57:df:9b:bd:d9:dd:67:15:54:d4:9f:65:b8:
+                    ee:5e:76:90:3f:60:ea:85:6b:74:1b:1f:6a:40:27:
-                    33:29:59:ba:9a:c6:75:ea:a5:76:3d:a4:57:0f:e2:
+                    37:7f:ac:6e:97:ee:13:f7:cb:81:44:26:f3:25:48:
-                    e4:c3:91:35:1d:6e:ff:61:7d:c2:53:23:66:b2:a8:
+                    56:40:ef:33:84:c8:d7:52:66:8a:40:35:ed:ec:67:
-                    0b:e1:c7:55:48:c5:2b:4d:7d
+                    95:c1:35:46:9e:db:9b:ce:9b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         18:bb:93:d9:2a:e0:34:69:2f:96:57:ac:55:ac:a7:83:04:b4:
+         8e:94:5a:91:44:aa:ab:e4:bf:c4:ca:a3:ee:10:67:2d:3e:d5:
-         bc:22:7f:5f:f7:c0:dc:ac:af:13:9b:86:7e:ac:02:8c:44:83:
+         ac:b8:90:8b:4e:7f:3e:bc:83:bb:b2:c9:0c:a2:ae:fb:6c:b3:
-         2e:c0:fa:a1:77:1d:dd:86:31:7e:98:93:c0:4f:b2:3d:be:30:
+         5d:b7:40:20:9f:9b:7c:3d:5f:67:bc:0e:f9:20:bc:24:67:27:
-         6f:a5:fc:c7:2e:b1:b8:08:d2:17:cb:60:55:bf:5a:e0:94:f3:
+         a9:2e:81:08:e5:3f:ad:e9:b7:eb:a9:c5:58:55:55:f3:26:17:
-         1d:44:fa:b1:2f:1a:24:c5:33:e1:d4:f0:ac:d5:2c:67:da:a7:
+         26:46:5f:ef:20:38:c9:f2:81:ba:39:d9:28:4b:e8:83:ff:d7:
-         5d:ee:eb:d6:7a:a7:41:e8:94:7a:34:43:b2:1f:ab:e9:cf:5d:
+         2e:87:72:36:77:0f:46:9b:a1:fe:d8:d8:20:50:68:c1:7b:66:
-         25:49:56:18:d2:a9:49:1a:37:34:43:c7:06:96:4a:29:38:cc:
+         82:5d:62:94:90:98:71:8b:b9:83:69:a8:65:a4:58:5d:ce:90:
-         f2:1c
+         0a:53
 -----BEGIN CERTIFICATE-----
 MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
 kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
-lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALxM1bONkvpmrDJDGp7rF+Cqd
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANHSp/1fVrhKSgDE8DZIDZkeu
-jUbHRBITj4ii3Uu6G+kVR4KXmDAYfF9KVh+C+8pvq3490PIWJUUWx2vSriQnk7sTrOGermWwTTT
+sqNjA7pWvQxlCb0JHcMLXY5/h5RnLE6smGu9itBRpKBtB41c7vfU9ZjpAdY6QpAerdxo/19aj8j
-uaZX35u92d1nFVTUn2W4MylZuprGdeqldj2kVw/i5MORNR1u/2F9wlMjZrKoC+HHVUjFK019AgM
+7l52kD9g6oVrdBsfakAnN3+sbpfuE/fLgUQm8yVIVkDvM4TI11JmikA17exnlcE1Rp7bm86bAgM
-BAAEwDQYJKoZIhvcNAQEFBQADgYEAGLuT2SrgNGkvllesVayngwS0vCJ/X/fA3KyvE5uGfqwCjE
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAjpRakUSqq+S/xMqj7hBnLT7VrLiQi05/PryDu7LJDKKu+2
-SDLsD6oXcd3YYxfpiTwE+yPb4wb6X8xy6xuAjSF8tgVb9a4JTzHUT6sS8aJMUz4dTwrNUsZ9qnX
+yzXbdAIJ+bfD1fZ7wO+SC8JGcnqS6BCOU/rem366nFWFVV8yYXJkZf7yA4yfKBujnZKEvog//XL
-e7r1nqnQeiUejRDsh+r6c9dJUlWGNKpSRo3NEPHBpZKKTjM8hw=
+odyNncPRpuh/tjYIFBowXtmgl1ilJCYcYu5g2moZaRYXc6QClM=
 -----END CERTIFICATE-----
 $ openssl asn1parse -i < [OCSP REQUEST]
@@ -106,9 +107,9 @@ $ openssl asn1parse -i < [OCSP REQUEST]
   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
   19:d=6  hl=2 l=   0 prim:       NULL              
   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
-   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:FC6D3387CC3B39B049C755C46DF4395548930BCE
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:7F765910653BB5704124C41E94AEFCF940431A66
   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
 -----BEGIN OCSP REQUEST-----
-MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQU/G0zh8w7ObBJx1X
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQUf3ZZEGU7tXBBJMQ
-EbfQ5VUiTC84CAQQ=
+elK78+UBDGmYCAQQ=
 -----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/missing_response.pem
+++ b/net/data/ocsp_unittest/missing_response.pem
--- a/net/data/ocsp_unittest/multiple_response.pem
+++ b/net/data/ocsp_unittest/multiple_response.pem
--- a/net/data/ocsp_unittest/no_response.pem
+++ b/net/data/ocsp_unittest/no_response.pem
--- a/net/data/ocsp_unittest/ocsp_extra_certs.pem
+++ b/net/data/ocsp_unittest/ocsp_extra_certs.pem
--- a/net/data/ocsp_unittest/ocsp_sign_bad_indirect.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_bad_indirect.pem
--- a/net/data/ocsp_unittest/ocsp_sign_direct.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_direct.pem
--- a/net/data/ocsp_unittest/ocsp_sign_indirect.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_indirect.pem
--- a/net/data/ocsp_unittest/ocsp_sign_indirect_missing.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_indirect_missing.pem
--- a/net/data/ocsp_unittest/other_response.pem
+++ b/net/data/ocsp_unittest/other_response.pem
--- a/net/data/ocsp_unittest/responder_id.pem
+++ b/net/data/ocsp_unittest/responder_id.pem
--- a/net/data/ocsp_unittest/responder_name.pem
+++ b/net/data/ocsp_unittest/responder_name.pem
--- a/net/data/ocsp_unittest/revoke_response.pem
+++ b/net/data/ocsp_unittest/revoke_response.pem
--- a/net/data/ocsp_unittest/revoke_response_reason.pem
+++ b/net/data/ocsp_unittest/revoke_response_reason.pem
--- a/net/data/ocsp_unittest/unknown_response.pem
+++ b/net/data/ocsp_unittest/unknown_response.pem