Add code to encode an OCSPRequest.

Bug: 649000
Change-Id: Iad772c39ccd86c9bcc8bf9c9f87b2f1ef12bde57
Reviewed-on: https://chromium-review.googlesource.com/682757
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504228}

net/cert/internal/ocsp.cc

@@ -15,7 +15,9 @@
 #include "net/cert/internal/verify_signed_data.h"
 #include "net/cert/x509_util.h"
 #include "net/der/encode_values.h"
+#include "third_party/boringssl/src/include/openssl/bytestring.h"
 #include "third_party/boringssl/src/include/openssl/digest.h"
+#include "third_party/boringssl/src/include/openssl/mem.h"
 #include "third_party/boringssl/src/include/openssl/sha.h"
 
 namespace net {
@@ -152,6 +154,29 @@ bool ParseCertStatus(const der::Input& raw_tlv, OCSPCertStatus* out) {
   return !parser.HasMore();
 }
 
+// DER bytes for a SHA1 AlgorithmIdentifier.
+//
+//     SEQUENCE (2 elem)
+//         OBJECT IDENTIFIER  1.3.14.3.2.26
+//         NULL
+const uint8_t kSha1HashAlgorithm[] = {0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E,
+                                      0x03, 0x02, 0x1A, 0x05, 0x00};
+
+// Writes the hash of |value| as an OCTET STRING to |cbb|, using |hash_type| as
+// the algorithm. Returns true on success.
+bool AppendHashAsOctetString(const EVP_MD* hash_type,
+                             CBB* cbb,
+                             const der::Input& value) {
+  CBB octet_string;
+  unsigned hash_len;
+  uint8_t hash_buffer[EVP_MAX_MD_SIZE];
+
+  return CBB_add_asn1(cbb, &octet_string, CBS_ASN1_OCTETSTRING) &&
+         EVP_Digest(value.UnsafeData(), value.Length(), hash_buffer, &hash_len,
+                    hash_type, nullptr) &&
+         CBB_add_bytes(&octet_string, hash_buffer, hash_len) && CBB_flush(cbb);
+}
+
 }  // namespace
 
 // SingleResponse ::= SEQUENCE {
@@ -821,4 +846,90 @@ bool CheckOCSPDateValid(const OCSPSingleResponse& response,
   return true;
 }
 
+bool CreateOCSPRequest(const ParsedCertificate* cert,
+                       const ParsedCertificate* issuer,
+                       std::vector<uint8_t>* request_der) {
+  request_der->clear();
+
+  bssl::ScopedCBB cbb;
+
+  // This initial buffer size is big enough for 20 octet long serial numbers
+  // (upper bound from RFC 5280) and then a handful of extra bytes. This
+  // number doesn't matter for correctness.
+  const size_t kInitialBufferSize = 100;
+
+  if (!CBB_init(cbb.get(), kInitialBufferSize))
+    return false;
+
+  //   OCSPRequest     ::=     SEQUENCE {
+  //       tbsRequest                  TBSRequest,
+  //       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
+  //
+  //   TBSRequest      ::=     SEQUENCE {
+  //       version             [0]     EXPLICIT Version DEFAULT v1,
+  //       requestorName       [1]     EXPLICIT GeneralName OPTIONAL,
+  //       requestList                 SEQUENCE OF Request,
+  //       requestExtensions   [2]     EXPLICIT Extensions OPTIONAL }
+  CBB ocsp_request;
+  if (!CBB_add_asn1(cbb.get(), &ocsp_request, CBS_ASN1_SEQUENCE))
+    return false;
+
+  CBB tbs_request;
+  if (!CBB_add_asn1(&ocsp_request, &tbs_request, CBS_ASN1_SEQUENCE))
+    return false;
+
+  // "version", "requestorName", and "requestExtensions" are omitted.
+
+  CBB request_list;
+  if (!CBB_add_asn1(&tbs_request, &request_list, CBS_ASN1_SEQUENCE))
+    return false;
+
+  CBB request;
+  if (!CBB_add_asn1(&request_list, &request, CBS_ASN1_SEQUENCE))
+    return false;
+
+  //   Request         ::=     SEQUENCE {
+  //       reqCert                     CertID,
+  //       singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL }
+  CBB req_cert;
+  if (!CBB_add_asn1(&request, &req_cert, CBS_ASN1_SEQUENCE))
+    return false;
+
+  //   CertID          ::=     SEQUENCE {
+  //       hashAlgorithm       AlgorithmIdentifier,
+  //       issuerNameHash      OCTET STRING, -- Hash of issuer's DN
+  //       issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
+  //       serialNumber        CertificateSerialNumber }
+
+  // TODO(eroman): Don't use SHA1.
+  if (!CBB_add_bytes(&req_cert, kSha1HashAlgorithm,
+                     arraysize(kSha1HashAlgorithm))) {
+    return false;
+  }
+
+  AppendHashAsOctetString(EVP_sha1(), &req_cert, issuer->tbs().issuer_tlv);
+
+  der::Input key_tlv;
+  if (!GetSubjectPublicKeyBytes(issuer->tbs().spki_tlv, &key_tlv))
+    return false;
+  AppendHashAsOctetString(EVP_sha1(), &req_cert, key_tlv);
+
+  CBB serial_number;
+  if (!CBB_add_asn1(&req_cert, &serial_number, CBS_ASN1_INTEGER))
+    return false;
+  if (!CBB_add_bytes(&serial_number, cert->tbs().serial_number.UnsafeData(),
+                     cert->tbs().serial_number.Length())) {
+    return false;
+  }
+
+  uint8_t* result_bytes;
+  size_t result_bytes_length;
+  if (!CBB_finish(cbb.get(), &result_bytes, &result_bytes_length))
+    return false;
+  bssl::UniquePtr<uint8_t> delete_tbs_cert_bytes(result_bytes);
+
+  request_der->assign(result_bytes, result_bytes + result_bytes_length);
+  return true;
+}
+
 }  // namespace net

net/cert/internal/ocsp.h

@@ -27,6 +27,8 @@ class TimeDelta;
 
 namespace net {
 
+class ParsedCertificate;
+
 // OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID".
 //
 // CertID ::= SEQUENCE {
@@ -296,6 +298,17 @@ NET_EXPORT_PRIVATE bool CheckOCSPDateValid(const OCSPSingleResponse& response,
                                            const base::Time& verify_time,
                                            const base::TimeDelta& max_age);
 
+// Creates a DER-encoded OCSPRequest for |cert|. The request is fairly basic:
+//  * No signature
+//  * No requestorName
+//  * No extensions
+//  * Uses SHA1 for all hashes.
+//
+// Returns true on success and fills |request_der| with the resulting bytes.
+NET_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert,
+                                  const ParsedCertificate* issuer,
+                                  std::vector<uint8_t>* request_der);
+
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_OCSP_H_

net/cert/internal/ocsp_unittest.cc

@@ -9,6 +9,7 @@
 #include "net/cert/internal/test_helpers.h"
 #include "net/der/encode_values.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/boringssl/src/include/openssl/pool.h"
 
 namespace net {
 
@@ -20,6 +21,14 @@ std::string GetFilePath(const std::string& file_name) {
   return std::string("net/data/ocsp_unittest/") + file_name;
 }
 
+scoped_refptr<ParsedCertificate> ParseCertificate(base::StringPiece data) {
+  CertErrors errors;
+  return ParsedCertificate::Create(
+      bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
+          reinterpret_cast<const uint8_t*>(data.data()), data.size(), nullptr)),
+      {}, &errors);
+}
+
 struct TestParams {
   const char* file_name;
   OCSPRevocationStatus expected_revocation_status;
@@ -122,10 +131,12 @@ TEST_P(CheckOCSPTest, FromFile) {
   std::string ocsp_data;
   std::string ca_data;
   std::string cert_data;
+  std::string request_data;
   const PemBlockMapping mappings[] = {
       {"OCSP RESPONSE", &ocsp_data},
       {"CA CERTIFICATE", &ca_data},
       {"CERTIFICATE", &cert_data},
+      {"OCSP REQUEST", &request_data},
   };
 
   ASSERT_TRUE(ReadTestDataFromPemFile(GetFilePath(params.file_name), mappings));
@@ -134,12 +145,26 @@ TEST_P(CheckOCSPTest, FromFile) {
   base::Time kVerifyTime =
       base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1488672000);
 
+  // Test that CheckOCSP() works.
   OCSPVerifyResult::ResponseStatus response_status;
   OCSPRevocationStatus revocation_status =
       CheckOCSP(ocsp_data, cert_data, ca_data, kVerifyTime, &response_status);
 
   EXPECT_EQ(params.expected_revocation_status, revocation_status);
   EXPECT_EQ(params.expected_response_status, response_status);
+
+  // Check that CreateOCSPRequest() works.
+  scoped_refptr<ParsedCertificate> cert = ParseCertificate(cert_data);
+  ASSERT_TRUE(cert);
+
+  scoped_refptr<ParsedCertificate> issuer = ParseCertificate(ca_data);
+  ASSERT_TRUE(issuer);
+
+  std::vector<uint8_t> encoded_request;
+  ASSERT_TRUE(CreateOCSPRequest(cert.get(), issuer.get(), &encoded_request));
+
+  EXPECT_EQ(der::Input(encoded_request.data(), encoded_request.size()),
+            der::Input(&request_data));
 }
 
 TEST(OCSPDateTest, Valid) {

net/data/ocsp_unittest/annotate_test_data.py

@@ -118,6 +118,8 @@ def GetUserComment(comment):
   comment = comment.split('$ openssl', 1)[0]
   if IsEntirelyWhiteSpace(comment):
     comment = ''
+  elif not comment.endswith("\n\n"):
+    comment += "\n\n"
   return comment
 
 

net/data/ocsp_unittest/bad_ocsp_type.pem

@@ -128,3 +128,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/bad_signature.pem

@@ -114,3 +114,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/bad_status.pem

@@ -95,3 +95,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/good_response.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/good_response_next_update.pem

@@ -124,3 +124,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/good_response_sha256.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/has_extension.pem

@@ -129,3 +129,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/has_single_extension.pem

@@ -129,3 +129,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/has_version.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/make_ocsp.py

@@ -11,6 +11,8 @@ from pyasn1.codec.der import decoder, encoder
 from pyasn1_modules import rfc2560, rfc2459
 from pyasn1.type import univ, useful
 import hashlib, datetime
+import subprocess
+import os
 
 from OpenSSL import crypto
 
@@ -232,15 +234,64 @@ def Create(signer=None,
   return ocsp
 
 
+def MakePemBlock(der, name):
+  b64 = base64.b64encode(der)
+  wrapped = '\n'.join(b64[pos:pos + 64] for pos in xrange(0, len(b64), 64))
+  return '-----BEGIN %s-----\n%s\n-----END %s-----' % (name, wrapped, name)
+
+
+def WriteStringToFile(data, path):
+  with open(path, "w") as f:
+    f.write(data)
+
+
+def ReadFileToString(path):
+  with open(path, 'r') as f:
+    return f.read()
+
+
+def CreateOCSPRequestDer(issuer_cert_pem, cert_pem):
+  '''Uses OpenSSL to generate a basic OCSPRequest for |cert_pem|.'''
+
+  issuer_path = "tmp_issuer.pem"
+  cert_path = "tmp_cert.pem"
+  request_path = "tmp_request.der"
+
+  WriteStringToFile(issuer_cert_pem, issuer_path)
+  WriteStringToFile(cert_pem, cert_path)
+
+  p = subprocess.Popen(["openssl", "ocsp", "-no_nonce", "-issuer", issuer_path,
+                        "-cert", cert_path, "-reqout", request_path],
+                        stdin=subprocess.PIPE,
+                        stdout=subprocess.PIPE,
+                        stderr=subprocess.PIPE)
+  stdout_data, stderr_data = p.communicate()
+
+  os.remove(issuer_path)
+  os.remove(cert_path)
+
+  result = None
+  if p.returncode == 0:
+    result = ReadFileToString(request_path)
+
+  os.remove(request_path)
+  return result
+
+
 def Store(fname, description, ca, data):
-  ca64 = crypto.dump_certificate(crypto.FILETYPE_PEM, ca[1]).replace(
-      'CERTIFICATE', 'CA CERTIFICATE')
-  c64 = crypto.dump_certificate(crypto.FILETYPE_PEM, CERT[1])
+  ca_cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, ca[1])
+  cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, CERT[1])
+
+  ocsp_request_der = CreateOCSPRequestDer(ca_cert_pem, cert_pem)
+
   d64 = base64.b64encode(encoder.encode(data))
   wd64 = '\n'.join(d64[pos:pos + 64] for pos in xrange(0, len(d64), 64))
-  out = ('%s\n-----BEGIN OCSP RESPONSE-----\n%s\n'
-         '-----END OCSP RESPONSE-----\n\n%s\n\n%s') % (description, wd64, ca64,
-                                                       c64)
+  out = ('%s\n%s\n%s\n\n%s\n%s') % (
+      description,
+      MakePemBlock(encoder.encode(data), "OCSP RESPONSE"),
+      ca_cert_pem.replace('CERTIFICATE', 'CA CERTIFICATE'),
+      cert_pem,
+      MakePemBlock(ocsp_request_der, "OCSP REQUEST"))
   open('%s.pem' % fname, 'w').write(out)
 
 

net/data/ocsp_unittest/malformed_request.pem

@@ -95,3 +95,20 @@ BAQUFAAOBgQCQ9pKLQf2eKY9UHsKYJX4Z7Y6eN5quzoNeVn5IvnXUXGHOB6cMRO3tZhAgLqw+ky
 9CYnahB+sHY8PnWCYLZ3Ix0Sywtf0b7rXQEZlVBgIXjOX3RhJWJj9rRlimxgIvuLyNyr1X886Op
 KatgE40Pzx2HtB1OSws5/yLg9AhHQRiUQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:4661D5C5F8D956FD3D871758F8A42950F5BCF498
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQURmHVxfjZVv09hxd
+Y+KQpUPW89JgCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/missing_response.pem

@@ -113,3 +113,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/multiple_response.pem

@@ -132,3 +132,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/no_response.pem

@@ -113,3 +113,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/ocsp_extra_certs.pem

@@ -230,3 +230,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/ocsp_sign_bad_indirect.pem

@@ -175,3 +175,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/ocsp_sign_direct.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/ocsp_sign_indirect.pem

@@ -179,3 +179,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/ocsp_sign_indirect_missing.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/other_response.pem

@@ -134,3 +134,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/responder_id.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/responder_name.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/revoke_response.pem

@@ -124,3 +124,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/revoke_response_reason.pem

@@ -125,3 +125,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----

net/data/ocsp_unittest/unknown_response.pem

@@ -123,3 +123,20 @@ BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
 FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
 nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
 -----END CERTIFICATE-----
+
+$ openssl asn1parse -i < [OCSP REQUEST]
+    0:d=0  hl=2 l=  66 cons: SEQUENCE          
+    2:d=1  hl=2 l=  64 cons:  SEQUENCE          
+    4:d=2  hl=2 l=  62 cons:   SEQUENCE          
+    6:d=3  hl=2 l=  60 cons:    SEQUENCE          
+    8:d=4  hl=2 l=  58 cons:     SEQUENCE          
+   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
+   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
+   19:d=6  hl=2 l=   0 prim:       NULL              
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+-----BEGIN OCSP REQUEST-----
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+SJLyLHsqLn/QCAQM=
+-----END OCSP REQUEST-----