OCSP-stapling enhancement and testing.

Server:
  Honor environment variable as well as running_in_test_harness in permitting bogus staplings
  Update server tests
  Add "-ocsp" option to client-ssl.
  Server side: add verification of stapled status.
  First cut server-mode ocsp testing.
  Fix some uninitialized ocsp-related data.

Client (new):
  Verify stapling using only the chain that verified the server cert, not any acceptable chain.
  Add check for multiple responses in a stapling, which is not handled
  Refuse verification on expired and revoking staplings.
  Handle OCSP client refusal on lack of stapling from server.
  More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
  Add transport hosts_require_ocsp option.
  Log stapling responses.
  Start on tests for client-side.

Testing support:
    Add CRL generation code and documentation update
    Initial CA & certificate set for testing.

BUGFIX:
    Once a single OCSP response has been extracted the validation
    routine return code is no longer about the structure, but the actual
    returned OCSP status.

14 files changed, 119 insertions, 0 deletions

diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
new file mode 100644
index 000000000..6cdbee1d5
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db
new file mode 100644
index 000000000..c9c908afb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db
new file mode 100644
index 000000000..db816ef71
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile
new file mode 100644
index 000000000..f3097ab13
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db
new file mode 100644
index 000000000..ac46b4820
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
new file mode 100644
index 000000000..da4304077
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt

+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw

+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp

+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE

+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo

+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB

+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s

+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X

+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
new file mode 100644
index 000000000..6e41e5008
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIhfu7ElRn7TUCAggA
+MBQGCCqGSIb3DQMHBAggde7b8jzc2ASCAWCNar4Td+ZM5Elbb16QeDTfzMoKoScb
+jQo/GS7f5h4An9vh/aTaKBoWDQ8gLcvbTUlpGxRznGt9mmOk9AOWsd03rTJ3TUud
++Cm4GfyEslvF8zXSPgJOz4YMiMMNZF3sEGGxs+D6Dav7isMrAIE/Se4Uh3pBY3Fg
+kio9fZfJSWorb3XO6LY9wyg33sz0ZxfhLfhenpeuveQfGuwc9l/DtYuhorqa4xXv
++T5W6HQ7g7nB/GMQF0rkm7BUSqawuLPK7ippBjpNg07iGOYNvQ5GKPahuBTbKyDc
+7LYzGNjZ+mNyL8vDNkwcdnUUqIbYsdMqmEZX+cu2wugXF1GshI9krcDHBXGcZH4G
+sogntcL8qR5KpPfBQCcp9An7TfLJkJtZOH6IYVZVy3/wb+OEou3UNckMe7PF8PWa
+T6/N9/zs49U6RxiYn+Vz/x0hQmRbLvLEsbotT1WStJq8LkcI0Zu9cJab
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp
new file mode 100644
index 000000000..43bb173cc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp
new file mode 100644
index 000000000..752147977
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req
new file mode 100644
index 000000000..6ec207d4f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp
new file mode 100644
index 000000000..90cd6fad1
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12
new file mode 100644
index 000000000..585738ec8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
new file mode 100644
index 000000000..81679f826
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
new file mode 100644
index 000000000..1b83abc63
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPQIBAAJBAMUil8Rwrh3cgSrcXsHoAil6lmSYqWf2lwKbRFsDGbvtiWEe5wPP
+JW72uZbtdJb9zgO/dyXDMculqgXYpREotnsCAwEAAQJBAKDzsX4NkduHoV5hNmyT
+BNDg6dGQYyAi0QCrzI+SZHxt8ZYksM//or03aXE7xUUAeFmlSQYc9KfhADAB+mL8
+3YECIQDi4Q5nPCDr99odHTguDlTDi9vEEIiY2N7g8jsGAZH6KwIhAN5wME90eCX/
+oIzlAVqCbq9JuO8Zt3lxvqbasOGT3pzxAiEAwXcifhvDAxUGNF9vQa7Mzzca/vUO
+VjBQ1kcY18VNAqMCIQCxMe/aK67WnldYRcmZP1RLANB4cCUPcoPsyUOkvzXUEQIh
+AJEKAaavDZzn70+xnPw/8QPzHExNxIRtYrxBnc0Kv74r
+-----END RSA PRIVATE KEY-----