Fix built-in OCSP checking using issuer's issuerName instead of subjectName.

Updates the test data to have the target cert be issued by a non-self-issued certificate so that it can catch this error. Change-Id: I2ea34a3c8c8864fe99a10b9931c8d022ca9de021 Reviewed-on: https://chromium-review.googlesource.com/894740Reviewed-by: Eric Roman <eroman@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#533176}

Fix built-in OCSP checking using issuer's issuerName instead of subjectName.
Updates the test data to have the target cert be issued by a non-self-issued certificate so that it can catch this error. Change-Id: I2ea34a3c8c8864fe99a10b9931c8d022ca9de021 Reviewed-on: https://chromium-review.googlesource.com/894740Reviewed-by: Eric Roman <eroman@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#533176}
f820ff01 · Matt Mueller · Commit Bot · ba4ede2f · f820ff01 · f820ff01
Commit f820ff01 authored Jan 31, 2018 by Matt Mueller Committed by Commit Bot Jan 31, 2018
27 changed files
--- a/net/cert/internal/ocsp.cc
+++ b/net/cert/internal/ocsp.cc
@@ -901,7 +901,7 @@ bool CreateOCSPRequest(const ParsedCertificate* cert,
  if (!EVP_marshal_digest_algorithm(&req_cert, md))
    return false;
-  AppendHashAsOctetString(md, &req_cert, issuer->tbs().issuer_tlv);
+  AppendHashAsOctetString(md, &req_cert, issuer->tbs().subject_tlv);
  der::Input key_tlv;
  if (!GetSubjectPublicKeyBytes(issuer->tbs().spki_tlv, &key_tlv))

--- a/net/data/ocsp_unittest/annotate_test_data.py
+++ b/net/data/ocsp_unittest/annotate_test_data.py
@@ -69,8 +69,8 @@ def GenerateCommentForBlock(block_name, block_data):
  if block_name == "OCSP RESPONSE":
    tmp_file_path = "tmp_ocsp.der"
    WriteStringToFile(block_data, tmp_file_path)
-    p = subprocess.Popen(["openssl", "ocsp", "-resp_text", "-respin",
+    p = subprocess.Popen(["openssl", "ocsp", "-noverify", "-resp_text",
-                          tmp_file_path],
+                          "-respin", tmp_file_path],
                          stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE)
@@ -85,6 +85,7 @@ def GenerateCommentForBlock(block_name, block_data):
      stdout_data = stdout_data.replace("-----", "~~~~~")
      return '$ openssl ocsp -resp_text -respin <([%s])\n%s' % (block_name,
                                                                stdout_data)
+    print 'Error pretty printing OCSP response:\n',stderr_data
  # Otherwise try pretty printing using asn1parse.

--- a/net/data/ocsp_unittest/bad_ocsp_type.pem
+++ b/net/data/ocsp_unittest/bad_ocsp_type.pem
--- a/net/data/ocsp_unittest/bad_signature.pem
+++ b/net/data/ocsp_unittest/bad_signature.pem
--- a/net/data/ocsp_unittest/bad_status.pem
+++ b/net/data/ocsp_unittest/bad_status.pem
@@ -10,90 +10,90 @@ $ openssl x509 -text < [CA CERTIFICATE]
 Certificate:
    Data:
        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
+        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: CN=Test CA
+        Issuer: CN = Test CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
            Not After : Jan  1 00:00:00 2018 GMT
-        Subject: CN=Test CA
+        Subject: CN = Test Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
-                    00:b8:25:2b:ee:59:9a:9d:bc:b4:48:ae:09:ce:0d:
+                    00:b9:32:09:de:33:4a:4f:e2:04:73:49:d5:2e:2b:
-                    ba:c5:83:57:03:92:fd:52:32:55:f5:e4:2e:a6:cf:
+                    83:92:3a:94:e4:1b:0c:27:1b:f8:43:83:17:b8:75:
-                    9e:4b:c4:10:af:24:da:d5:dd:44:a8:d6:28:38:9c:
+                    f5:a4:af:e3:4c:84:3e:6c:48:79:76:df:4d:f5:39:
-                    a5:11:c9:0b:70:a1:b5:71:cf:a4:35:c2:6a:17:b1:
+                    af:92:4b:c5:a0:86:ab:35:cc:19:6b:93:82:c0:f8:
-                    b5:c7:cf:74:83:ac:7a:d5:3b:12:66:74:f2:4b:15:
+                    44:4d:1a:14:5d:48:87:65:02:0e:b0:a8:96:d9:06:
-                    b0:c2:59:af:0c:78:2c:42:3c:3f:8b:83:b3:1d:9a:
+                    19:3f:aa:85:2d:84:c0:78:19:a6:96:ab:26:56:f7:
-                    c8:bc:ce:b0:c8:f2:1a:a8:0a:1c:bb:6e:6e:d4:c6:
+                    6f:5a:1a:97:a2:01:88:00:99:10:8a:97:39:c8:22:
-                    10:66:3c:a8:ec:e3:c4:63:40:f6:79:ec:8b:14:ff:
+                    6e:de:e5:56:f4:a6:23:cd:ea:48:0e:65:67:a4:73:
-                    85:9e:2d:1a:e7:e8:31:56:81
+                    a0:50:91:de:ba:cf:54:08:8f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         35:fe:ee:96:31:c7:3d:91:eb:22:53:1f:bf:cc:20:cc:aa:f4:
+         48:d5:9f:8d:90:bc:4a:59:38:1d:2b:83:2d:71:1c:74:9d:01:
-         04:92:3c:8b:50:06:ea:a1:cc:b7:c2:4a:d6:02:af:53:a7:a4:
+         73:a0:b6:98:e7:1c:c2:22:66:23:33:0a:8f:64:ff:9c:6b:37:
-         71:81:78:bc:95:f3:2d:46:c4:83:4c:d5:92:11:7c:c7:67:d3:
+         09:12:1c:15:12:cb:c3:61:d9:ab:cd:96:dd:95:fa:a6:02:67:
-         47:f6:06:9f:1c:46:da:d6:20:72:47:c2:57:d7:fb:66:d3:35:
+         3c:4c:ec:98:38:5c:fc:48:cc:85:a9:5b:49:2c:2b:06:66:07:
-         82:07:61:13:4e:4d:e6:0c:93:e6:f3:be:98:ff:e8:de:60:a7:
+         9e:31:0f:93:10:ab:3e:9f:97:60:64:01:61:7e:86:15:bb:5e:
-         06:94:cd:bb:f5:6e:b3:4e:0b:d6:e9:2b:72:bd:6e:ae:86:23:
+         f1:90:31:a3:54:d0:86:0e:80:05:87:09:2e:65:b6:95:89:5c:
-         2d:44:33:c4:3b:a7:52:12:46:d2:76:95:06:3e:69:0f:72:60:
+         c1:e5:80:d9:b8:81:b6:ed:1a:20:b8:9b:22:ce:ef:d0:26:47:
-         16:d6
+         9d:57
 -----BEGIN CA CERTIFICATE-----
-MIIBnDCCAQWgAwIBAgIBADANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwdUZXN0IENBMCIYDzI
+MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
-wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rlc3QgQ0EwgZ8wDQ
+wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
-YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALglK+5Zmp28tEiuCc4NusWDVwOS/VIyVfXkLqbPnkvEE
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5MgneM0pP4gRzSdUuK4OSOpTkG
-K8k2tXdRKjWKDicpRHJC3ChtXHPpDXCahextcfPdIOsetU7EmZ08ksVsMJZrwx4LEI8P4uDsx2a
+wwnG/hDgxe4dfWkr+NMhD5sSHl23031Oa+SS8Wghqs1zBlrk4LA+ERNGhRdSIdlAg6wqJbZBhk/
-yLzOsMjyGqgKHLtubtTGEGY8qOzjxGNA9nnsixT/hZ4tGufoMVaBAgMBAAEwDQYJKoZIhvcNAQE
+qoUthMB4GaaWqyZW929aGpeiAYgAmRCKlznIIm7e5Vb0piPN6kgOZWekc6BQkd66z1QIjwIDAQA
-FBQADgYEANf7uljHHPZHrIlMfv8wgzKr0BJI8i1AG6qHMt8JK1gKvU6ekcYF4vJXzLUbEg0zVkh
+BMA0GCSqGSIb3DQEBBQUAA4GBAEjVn42QvEpZOB0rgy1xHHSdAXOgtpjnHMIiZiMzCo9k/5xrNw
-F8x2fTR/YGnxxG2tYgckfCV9f7ZtM1ggdhE05N5gyT5vO+mP/o3mCnBpTNu/Vus04L1ukrcr1ur
+kSHBUSy8Nh2avNlt2V+qYCZzxM7Jg4XPxIzIWpW0ksKwZmB54xD5MQqz6fl2BkAWF+hhW7XvGQM
-oYjLUQzxDunUhJG0naVBj5pD3JgFtY=
+aNU0IYOgAWHCS5ltpWJXMHlgNm4gbbtGiC4myLO79AmR51X
 -----END CA CERTIFICATE-----
 $ openssl x509 -text < [CERTIFICATE]
 Certificate:
    Data:
        Version: 3 (0x2)
-        Serial Number: 3 (0x3)
+        Serial Number: 4 (0x4)
    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: CN=Test CA
+        Issuer: CN = Test Intermediate CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
            Not After : Jan  1 00:00:00 2018 GMT
-        Subject: CN=Test Cert
+        Subject: CN = Test Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
-                    00:d5:12:3f:22:6f:b0:e1:43:c5:93:b3:c3:5b:70:
+                    00:bc:4c:d5:b3:8d:92:fa:66:ac:32:43:1a:9e:eb:
-                    52:b2:8b:10:ec:11:c4:c4:aa:aa:43:92:c8:d0:f3:
+                    17:e0:aa:76:35:1b:1d:10:48:4e:3e:22:8b:75:2e:
-                    35:23:e3:76:2d:b4:ea:93:26:6f:6a:79:1c:64:51:
+                    e8:6f:a4:55:1e:0a:5e:60:c0:61:f1:7d:29:58:7e:
-                    d3:4d:21:4a:73:83:35:dc:a0:16:74:db:f0:b9:a5:
+                    0b:ef:29:be:ad:f8:f7:43:c8:58:95:14:5b:1d:af:
-                    46:35:8d:53:e8:7d:37:5b:4d:ad:a3:df:d6:ae:01:
+                    4a:b8:90:9e:4e:ec:4e:b3:86:7a:b9:96:c1:34:d3:
-                    38:ad:16:09:6e:fd:65:ad:1c:4b:48:12:1e:48:a7:
+                    b9:a6:57:df:9b:bd:d9:dd:67:15:54:d4:9f:65:b8:
-                    ff:5b:47:c4:c9:3b:74:85:63:1a:0a:06:b2:9f:b9:
+                    33:29:59:ba:9a:c6:75:ea:a5:76:3d:a4:57:0f:e2:
-                    cb:ad:dc:3f:24:8b:a4:a7:8a:13:15:45:89:24:c1:
+                    e4:c3:91:35:1d:6e:ff:61:7d:c2:53:23:66:b2:a8:
-                    a7:3b:c2:a2:c8:74:f1:3f:6f
+                    0b:e1:c7:55:48:c5:2b:4d:7d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         04:21:70:de:14:92:27:13:e8:d2:b0:51:f0:af:34:75:0b:a7:
+         18:bb:93:d9:2a:e0:34:69:2f:96:57:ac:55:ac:a7:83:04:b4:
-         ff:84:cb:c6:96:30:80:01:f5:c1:3a:c6:81:ee:ba:89:60:33:
+         bc:22:7f:5f:f7:c0:dc:ac:af:13:9b:86:7e:ac:02:8c:44:83:
-         c3:e5:0f:43:cc:ac:81:8d:09:fb:25:e1:67:40:64:a3:ca:fd:
+         2e:c0:fa:a1:77:1d:dd:86:31:7e:98:93:c0:4f:b2:3d:be:30:
-         bd:9c:c4:73:e4:bc:4d:8e:e2:70:f1:17:ce:b4:ab:a0:b2:63:
+         6f:a5:fc:c7:2e:b1:b8:08:d2:17:cb:60:55:bf:5a:e0:94:f3:
-         72:25:27:ae:d5:8e:18:73:0d:dc:12:5a:32:1c:b7:da:cd:23:
+         1d:44:fa:b1:2f:1a:24:c5:33:e1:d4:f0:ac:d5:2c:67:da:a7:
-         5b:c8:87:58:08:3e:95:0c:fd:c8:48:a2:75:6e:79:f2:00:82:
+         5d:ee:eb:d6:7a:a7:41:e8:94:7a:34:43:b2:1f:ab:e9:cf:5d:
-         6e:b5:cc:71:e3:79:ca:68:85:9b:1b:5c:52:bf:a2:5a:71:e3:
+         25:49:56:18:d2:a9:49:1a:37:34:43:c7:06:96:4a:29:38:cc:
-         05:b5
+         f2:1c
 -----BEGIN CERTIFICATE-----
-MIIBnjCCAQegAwIBAgIBAzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwdUZXN0IENBMCIYDzI
+MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
-wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMBQxEjAQBgNVBAMTCVRlc3QgQ2VydDCBnz
+kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
-ANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RI/Im+w4UPFk7PDW3BSsosQ7BHExKqqQ5LI0PM1I
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALxM1bONkvpmrDJDGp7rF+Cqd
-+N2LbTqkyZvankcZFHTTSFKc4M13KAWdNvwuaVGNY1T6H03W02to9/WrgE4rRYJbv1lrRxLSBIe
+jUbHRBITj4ii3Uu6G+kVR4KXmDAYfF9KVh+C+8pvq3490PIWJUUWx2vSriQnk7sTrOGermWwTTT
-SKf/W0fEyTt0hWMaCgayn7nLrdw/JIukp4oTFUWJJMGnO8KiyHTxP28CAwEAATANBgkqhkiG9w0
+uaZX35u92d1nFVTUn2W4MylZuprGdeqldj2kVw/i5MORNR1u/2F9wlMjZrKoC+HHVUjFK019AgM
-BAQUFAAOBgQAEIXDeFJInE+jSsFHwrzR1C6f/hMvGljCAAfXBOsaB7rqJYDPD5Q9DzKyBjQn7Je
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAGLuT2SrgNGkvllesVayngwS0vCJ/X/fA3KyvE5uGfqwCjE
-FnQGSjyv29nMRz5LxNjuJw8RfOtKugsmNyJSeu1Y4Ycw3cEloyHLfazSNbyIdYCD6VDP3ISKJ1b
+SDLsD6oXcd3YYxfpiTwE+yPb4wb6X8xy6xuAjSF8tgVb9a4JTzHUT6sS8aJMUz4dTwrNUsZ9qnX
-nnyAIJutcxx43nKaIWbG1xSv6JaceMFtQ==
+e7r1nqnQeiUejRDsh+r6c9dJUlWGNKpSRo3NEPHBpZKKTjM8hw=
 -----END CERTIFICATE-----
 $ openssl asn1parse -i < [OCSP REQUEST]
@@ -105,10 +105,10 @@ $ openssl asn1parse -i < [OCSP REQUEST]
   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
   19:d=6  hl=2 l=   0 prim:       NULL              
-   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
-   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:84E1BA52A25C543CA972491224BC8B1ECA8B9FF4
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:FC6D3387CC3B39B049C755C46DF4395548930BCE
-   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
 -----BEGIN OCSP REQUEST-----
-MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQUhOG6UqJcVDypckk
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQU/G0zh8w7ObBJx1X
-SJLyLHsqLn/QCAQM=
+EbfQ5VUiTC84CAQQ=
 -----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/good_response.pem
+++ b/net/data/ocsp_unittest/good_response.pem
--- a/net/data/ocsp_unittest/good_response_next_update.pem
+++ b/net/data/ocsp_unittest/good_response_next_update.pem
--- a/net/data/ocsp_unittest/good_response_sha256.pem
+++ b/net/data/ocsp_unittest/good_response_sha256.pem
--- a/net/data/ocsp_unittest/has_extension.pem
+++ b/net/data/ocsp_unittest/has_extension.pem
--- a/net/data/ocsp_unittest/has_single_extension.pem
+++ b/net/data/ocsp_unittest/has_single_extension.pem
--- a/net/data/ocsp_unittest/has_version.pem
+++ b/net/data/ocsp_unittest/has_version.pem
--- a/net/data/ocsp_unittest/make_ocsp.py
+++ b/net/data/ocsp_unittest/make_ocsp.py
@@ -82,7 +82,8 @@ def CreateExtension():
  return ext
-CA = CreateCert('Test CA', None)
+ROOT_CA = CreateCert('Test CA', None)
+CA = CreateCert('Test Intermediate CA', ROOT_CA)
 CA_LINK = CreateCert('Test OCSP Signer', CA, True)
 CA_BADLINK = CreateCert('Test False OCSP Signer', CA, False)
 CERT = CreateCert('Test Cert', CA)
@@ -211,6 +212,10 @@ def Create(signer=None,
  sa = rfc2459.AlgorithmIdentifier()
  sa.setComponentByName('algorithm', SigAlgOid(sigAlg))
+  # TODO(mattm): If pyasn1 gives an error
+  # "Component value is tag-incompatible: Null() vs Any()", try hacking
+  # pyasn1_modules/rfc2459.py's AlgorithmIdentifier to specify univ.Null as the
+  # type for 'parameters'. (Which is an ugly hack, but lets the script work.)
  sa.setComponentByName('parameters', univ.Null())
  basic = rfc2560.BasicOCSPResponse()

--- a/net/data/ocsp_unittest/malformed_request.pem
+++ b/net/data/ocsp_unittest/malformed_request.pem
@@ -10,90 +10,90 @@ $ openssl x509 -text < [CA CERTIFICATE]
 Certificate:
    Data:
        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
+        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: CN=Test CA
+        Issuer: CN = Test CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
            Not After : Jan  1 00:00:00 2018 GMT
-        Subject: CN=Test CA
+        Subject: CN = Test Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
-                    00:d4:aa:31:f4:1a:0d:9c:8d:de:4f:1b:34:72:2b:
+                    00:b9:32:09:de:33:4a:4f:e2:04:73:49:d5:2e:2b:
-                    63:23:a4:87:4f:55:b2:b0:c0:cb:27:89:18:77:2e:
+                    83:92:3a:94:e4:1b:0c:27:1b:f8:43:83:17:b8:75:
-                    0e:d3:11:90:3e:62:23:b5:ab:34:6d:5f:7a:34:56:
+                    f5:a4:af:e3:4c:84:3e:6c:48:79:76:df:4d:f5:39:
-                    dd:65:86:ed:07:c2:3b:73:fc:e9:7d:a8:64:ce:9b:
+                    af:92:4b:c5:a0:86:ab:35:cc:19:6b:93:82:c0:f8:
-                    8a:09:e1:ed:08:7d:04:5f:b1:cf:3d:fd:ff:37:35:
+                    44:4d:1a:14:5d:48:87:65:02:0e:b0:a8:96:d9:06:
-                    d3:c2:fe:02:ab:d8:f6:1f:a5:58:9e:4e:43:b4:e7:
+                    19:3f:aa:85:2d:84:c0:78:19:a6:96:ab:26:56:f7:
-                    8d:f9:6c:4c:71:14:32:5d:86:1d:ea:1a:3d:34:ad:
+                    6f:5a:1a:97:a2:01:88:00:99:10:8a:97:39:c8:22:
-                    b4:1a:a0:13:c0:7c:cb:8e:f2:f3:d1:ec:fd:5f:ad:
+                    6e:de:e5:56:f4:a6:23:cd:ea:48:0e:65:67:a4:73:
-                    db:13:c9:2e:9c:3a:39:02:a3
+                    a0:50:91:de:ba:cf:54:08:8f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         5e:9b:eb:b0:e8:7d:c6:e8:24:e3:b3:8f:3f:cd:4e:80:3e:77:
+         48:d5:9f:8d:90:bc:4a:59:38:1d:2b:83:2d:71:1c:74:9d:01:
-         58:c5:60:bc:40:e0:16:e2:17:ce:81:fd:0f:19:36:56:c5:a3:
+         73:a0:b6:98:e7:1c:c2:22:66:23:33:0a:8f:64:ff:9c:6b:37:
-         df:49:5f:b7:a1:4c:44:d0:3e:06:e2:42:57:b7:be:fd:b7:bb:
+         09:12:1c:15:12:cb:c3:61:d9:ab:cd:96:dd:95:fa:a6:02:67:
-         31:79:db:eb:ed:a3:c5:66:36:45:cb:4b:ba:6c:8d:53:89:98:
+         3c:4c:ec:98:38:5c:fc:48:cc:85:a9:5b:49:2c:2b:06:66:07:
-         c5:e0:ee:48:ef:97:ce:4d:14:33:bf:24:61:29:b9:7d:4e:7e:
+         9e:31:0f:93:10:ab:3e:9f:97:60:64:01:61:7e:86:15:bb:5e:
-         cf:14:cc:c9:fa:0b:9e:68:34:9c:34:79:08:36:e0:ed:4f:a1:
+         f1:90:31:a3:54:d0:86:0e:80:05:87:09:2e:65:b6:95:89:5c:
-         9a:ac:c2:73:d3:2c:67:0e:23:5e:e0:9f:7f:05:ed:9a:b0:e1:
+         c1:e5:80:d9:b8:81:b6:ed:1a:20:b8:9b:22:ce:ef:d0:26:47:
-         b7:93
+         9d:57
 -----BEGIN CA CERTIFICATE-----
-MIIBnDCCAQWgAwIBAgIBADANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwdUZXN0IENBMCIYDzI
+MIIBqTCCARKgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzI
-wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rlc3QgQ0EwgZ8wDQ
+wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZW
-YJKoZIhvcNAQEBBQADgY0AMIGJAoGBANSqMfQaDZyN3k8bNHIrYyOkh09VsrDAyyeJGHcuDtMRk
+RpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5MgneM0pP4gRzSdUuK4OSOpTkG
-D5iI7WrNG1fejRW3WWG7QfCO3P86X2oZM6bignh7Qh9BF+xzz39/zc108L+AqvY9h+lWJ5OQ7Tn
+wwnG/hDgxe4dfWkr+NMhD5sSHl23031Oa+SS8Wghqs1zBlrk4LA+ERNGhRdSIdlAg6wqJbZBhk/
-jflsTHEUMl2GHeoaPTSttBqgE8B8y47y89Hs/V+t2xPJLpw6OQKjAgMBAAEwDQYJKoZIhvcNAQE
+qoUthMB4GaaWqyZW929aGpeiAYgAmRCKlznIIm7e5Vb0piPN6kgOZWekc6BQkd66z1QIjwIDAQA
-FBQADgYEAXpvrsOh9xugk47OPP81OgD53WMVgvEDgFuIXzoH9Dxk2VsWj30lft6FMRNA+BuJCV7
+BMA0GCSqGSIb3DQEBBQUAA4GBAEjVn42QvEpZOB0rgy1xHHSdAXOgtpjnHMIiZiMzCo9k/5xrNw
-e+/be7MXnb6+2jxWY2RctLumyNU4mYxeDuSO+Xzk0UM78kYSm5fU5+zxTMyfoLnmg0nDR5CDbg7
+kSHBUSy8Nh2avNlt2V+qYCZzxM7Jg4XPxIzIWpW0ksKwZmB54xD5MQqz6fl2BkAWF+hhW7XvGQM
-U+hmqzCc9MsZw4jXuCffwXtmrDht5M=
+aNU0IYOgAWHCS5ltpWJXMHlgNm4gbbtGiC4myLO79AmR51X
 -----END CA CERTIFICATE-----
 $ openssl x509 -text < [CERTIFICATE]
 Certificate:
    Data:
        Version: 3 (0x2)
-        Serial Number: 3 (0x3)
+        Serial Number: 4 (0x4)
    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: CN=Test CA
+        Issuer: CN = Test Intermediate CA
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
            Not After : Jan  1 00:00:00 2018 GMT
-        Subject: CN=Test Cert
+        Subject: CN = Test Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
-                    00:ad:b1:4c:76:1c:d3:13:a5:62:e3:c9:2a:a0:18:
+                    00:bc:4c:d5:b3:8d:92:fa:66:ac:32:43:1a:9e:eb:
-                    88:8a:10:5b:37:0f:32:24:33:0b:db:9d:8c:96:e5:
+                    17:e0:aa:76:35:1b:1d:10:48:4e:3e:22:8b:75:2e:
-                    4d:c2:d5:ca:47:1f:19:a5:c8:27:b4:42:bf:fe:ad:
+                    e8:6f:a4:55:1e:0a:5e:60:c0:61:f1:7d:29:58:7e:
-                    96:8e:a0:73:50:2e:f2:35:d7:d1:9f:ba:41:59:8b:
+                    0b:ef:29:be:ad:f8:f7:43:c8:58:95:14:5b:1d:af:
-                    83:3d:2c:ab:68:7f:73:df:18:f1:ff:f4:3b:9c:68:
+                    4a:b8:90:9e:4e:ec:4e:b3:86:7a:b9:96:c1:34:d3:
-                    d9:8a:f0:df:c0:97:5c:e8:43:5f:14:fd:59:52:c2:
+                    b9:a6:57:df:9b:bd:d9:dd:67:15:54:d4:9f:65:b8:
-                    91:62:5e:e9:e8:a8:22:07:b9:5b:b4:46:60:b4:ee:
+                    33:29:59:ba:9a:c6:75:ea:a5:76:3d:a4:57:0f:e2:
-                    62:29:0e:df:35:4c:41:e0:5c:89:9e:9c:b3:d8:fb:
+                    e4:c3:91:35:1d:6e:ff:61:7d:c2:53:23:66:b2:a8:
-                    6d:c3:02:61:31:a4:e8:86:af
+                    0b:e1:c7:55:48:c5:2b:4d:7d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
-         90:f6:92:8b:41:fd:9e:29:8f:54:1e:c2:98:25:7e:19:ed:8e:
+         18:bb:93:d9:2a:e0:34:69:2f:96:57:ac:55:ac:a7:83:04:b4:
-         9e:37:9a:ae:ce:83:5e:56:7e:48:be:75:d4:5c:61:ce:07:a7:
+         bc:22:7f:5f:f7:c0:dc:ac:af:13:9b:86:7e:ac:02:8c:44:83:
-         0c:44:ed:ed:66:10:20:2e:ac:3e:93:2f:42:62:76:a1:07:eb:
+         2e:c0:fa:a1:77:1d:dd:86:31:7e:98:93:c0:4f:b2:3d:be:30:
-         07:63:c3:e7:58:26:0b:67:72:31:d1:2c:b0:b5:fd:1b:ee:b5:
+         6f:a5:fc:c7:2e:b1:b8:08:d2:17:cb:60:55:bf:5a:e0:94:f3:
-         d0:11:99:55:06:02:17:8c:e5:f7:46:12:56:26:3f:6b:46:58:
+         1d:44:fa:b1:2f:1a:24:c5:33:e1:d4:f0:ac:d5:2c:67:da:a7:
-         a6:c6:02:2f:b8:bc:8d:ca:bd:57:f3:ce:8e:a4:a6:ad:80:4e:
+         5d:ee:eb:d6:7a:a7:41:e8:94:7a:34:43:b2:1f:ab:e9:cf:5d:
-         34:3f:3c:76:1e:d0:75:39:2c:2c:e7:fc:8b:83:d0:21:1d:04:
+         25:49:56:18:d2:a9:49:1a:37:34:43:c7:06:96:4a:29:38:cc:
-         62:51
+         f2:1c
 -----BEGIN CERTIFICATE-----
-MIIBnjCCAQegAwIBAgIBAzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwdUZXN0IENBMCIYDzI
+MIIBqzCCARSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWV
-wMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMBQxEjAQBgNVBAMTCVRlc3QgQ2VydDCBnz
+kaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAwMDAwWjAUMRIwEAYDVQQDDA
-ANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArbFMdhzTE6Vi48kqoBiIihBbNw8yJDML252MluVNw
+lUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALxM1bONkvpmrDJDGp7rF+Cqd
-tXKRx8ZpcgntEK//q2WjqBzUC7yNdfRn7pBWYuDPSyraH9z3xjx//Q7nGjZivDfwJdc6ENfFP1Z
+jUbHRBITj4ii3Uu6G+kVR4KXmDAYfF9KVh+C+8pvq3490PIWJUUWx2vSriQnk7sTrOGermWwTTT
-UsKRYl7p6KgiB7lbtEZgtO5iKQ7fNUxB4FyJnpyz2PttwwJhMaTohq8CAwEAATANBgkqhkiG9w0
+uaZX35u92d1nFVTUn2W4MylZuprGdeqldj2kVw/i5MORNR1u/2F9wlMjZrKoC+HHVUjFK019AgM
-BAQUFAAOBgQCQ9pKLQf2eKY9UHsKYJX4Z7Y6eN5quzoNeVn5IvnXUXGHOB6cMRO3tZhAgLqw+ky
+BAAEwDQYJKoZIhvcNAQEFBQADgYEAGLuT2SrgNGkvllesVayngwS0vCJ/X/fA3KyvE5uGfqwCjE
-9CYnahB+sHY8PnWCYLZ3Ix0Sywtf0b7rXQEZlVBgIXjOX3RhJWJj9rRlimxgIvuLyNyr1X886Op
+SDLsD6oXcd3YYxfpiTwE+yPb4wb6X8xy6xuAjSF8tgVb9a4JTzHUT6sS8aJMUz4dTwrNUsZ9qnX
-KatgE40Pzx2HtB1OSws5/yLg9AhHQRiUQ==
+e7r1nqnQeiUejRDsh+r6c9dJUlWGNKpSRo3NEPHBpZKKTjM8hw=
 -----END CERTIFICATE-----
 $ openssl asn1parse -i < [OCSP REQUEST]
@@ -105,10 +105,10 @@ $ openssl asn1parse -i < [OCSP REQUEST]
   10:d=5  hl=2 l=   9 cons:      SEQUENCE          
   12:d=6  hl=2 l=   5 prim:       OBJECT            :sha1
   19:d=6  hl=2 l=   0 prim:       NULL              
-   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:02FF75DA24DE8ADD150FAB689DCCE6E6636D0901
+   21:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:449B1C5B31C6E9990966523E49C3F773C024190A
-   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:4661D5C5F8D956FD3D871758F8A42950F5BCF498
+   43:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:FC6D3387CC3B39B049C755C46DF4395548930BCE
-   65:d=5  hl=2 l=   1 prim:      INTEGER           :03
+   65:d=5  hl=2 l=   1 prim:      INTEGER           :04
 -----BEGIN OCSP REQUEST-----
-MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQC/3XaJN6K3RUPq2idzObmY20JAQQURmHVxfjZVv09hxd
+MEIwQDA+MDwwOjAJBgUrDgMCGgUABBREmxxbMcbpmQlmUj5Jw/dzwCQZCgQU/G0zh8w7ObBJx1X
-Y+KQpUPW89JgCAQM=
+EbfQ5VUiTC84CAQQ=
 -----END OCSP REQUEST-----
--- a/net/data/ocsp_unittest/missing_response.pem
+++ b/net/data/ocsp_unittest/missing_response.pem
--- a/net/data/ocsp_unittest/multiple_response.pem
+++ b/net/data/ocsp_unittest/multiple_response.pem
--- a/net/data/ocsp_unittest/no_response.pem
+++ b/net/data/ocsp_unittest/no_response.pem
--- a/net/data/ocsp_unittest/ocsp_extra_certs.pem
+++ b/net/data/ocsp_unittest/ocsp_extra_certs.pem
--- a/net/data/ocsp_unittest/ocsp_sign_bad_indirect.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_bad_indirect.pem
--- a/net/data/ocsp_unittest/ocsp_sign_direct.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_direct.pem
--- a/net/data/ocsp_unittest/ocsp_sign_indirect.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_indirect.pem
--- a/net/data/ocsp_unittest/ocsp_sign_indirect_missing.pem
+++ b/net/data/ocsp_unittest/ocsp_sign_indirect_missing.pem
--- a/net/data/ocsp_unittest/other_response.pem
+++ b/net/data/ocsp_unittest/other_response.pem
--- a/net/data/ocsp_unittest/responder_id.pem
+++ b/net/data/ocsp_unittest/responder_id.pem
--- a/net/data/ocsp_unittest/responder_name.pem
+++ b/net/data/ocsp_unittest/responder_name.pem
--- a/net/data/ocsp_unittest/revoke_response.pem
+++ b/net/data/ocsp_unittest/revoke_response.pem
--- a/net/data/ocsp_unittest/revoke_response_reason.pem
+++ b/net/data/ocsp_unittest/revoke_response_reason.pem
--- a/net/data/ocsp_unittest/unknown_response.pem
+++ b/net/data/ocsp_unittest/unknown_response.pem