File 1501-public_key-OCSP-response-verification-code... of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 1501-public_key-OCSP-response-verification-code.patch of Package erlang

From 2b1a742c651b90f8a7a1fb2ddde73f29915ea376 Mon Sep 17 00:00:00 2001
From: Jakub Witczak <kuba@erlang.org>
Date: Mon, 29 Jan 2024 11:11:53 +0100
Subject: [PATCH 1/2] public_key: OCSP response verification code

---
 lib/public_key/doc/src/public_key.xml     |  25 ++
 lib/public_key/src/pubkey_ocsp.erl        | 207 ++++++----
 lib/public_key/src/public_key.erl         | 109 +++--
 lib/public_key/test/Makefile              |   3 +-
 lib/public_key/test/pubkey_ocsp_SUITE.erl | 463 +++++++---------------
 lib/public_key/test/public_key_SUITE.erl  | 101 ++++-
 6 files changed, 457 insertions(+), 451 deletions(-)

diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 3e02049bb2..35d0a6e66e 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -771,6 +771,31 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
 </desc>
 </func>
 
+ <func>
+ <name name="pkix_ocsp_validate" arity="5" since="OTP 27.0"/>
+ <fsummary>Validate OCSP response.</fsummary>
+ <desc>
+ Perform OCSP response validation according to RFC
+ 6960. Returns 'ok' when OCSP response is successfully
+ validated and {error, {bad_cert, Reason}} otherwise.
+
+ Available options:
+ <taglist>
+	<tag>{is_trusted_responder_fun, fun()}</tag>
+	<item>
+	 The fun has the following type specification:
+	 <code> fun(#cert{}) ->
+	 boolean()</code>
+	 The fun returns the <c>true</c> if certificate in the
+	 argument is trusted. If this fun is not specified, Public
+	 Key uses the default implementation:
+	 
+	 <code> fun(_) -> false end</code>
+	</item>
+ </taglist>
+ </desc>
+ </func>
+
 <func>
 <name name="pkix_sign" arity="2" since="OTP R14B"/>
 <fsummary>Signs certificate.</fsummary>
diff --git a/lib/public_key/src/pubkey_ocsp.erl b/lib/public_key/src/pubkey_ocsp.erl
index 6bdb9a563f..fa4254fd8e 100644
--- a/lib/public_key/src/pubkey_ocsp.erl
+++ b/lib/public_key/src/pubkey_ocsp.erl
@@ -19,23 +19,18 @@
 %%
 
 -module(pubkey_ocsp).
+-feature(maybe_expr,enable).
 -include("public_key.hrl").
 
 -export([find_single_response/3,
 get_acceptable_response_types_extn/0,
 get_nonce_extn/1,
- get_ocsp_responder_id/1,
- ocsp_status/1,
- verify_ocsp_response/3,
- decode_ocsp_response/1]).
+ status/1,
+ verify_response/5,
+ decode_response/1]).
 %% Tracing
 -export([handle_trace/3]).
 
--spec get_ocsp_responder_id(#'Certificate'{}) -> binary().
-get_ocsp_responder_id(#'Certificate'{tbsCertificate = TbsCert}) ->
- public_key:der_encode(
- 'ResponderID', {byName, TbsCert#'TBSCertificate'.subject}).
-
 -spec get_nonce_extn(undefined | binary()) -> undefined | #'Extension'{}.
 get_nonce_extn(undefined) ->
 undefined;
@@ -45,10 +40,29 @@ get_nonce_extn(Nonce) when is_binary(Nonce) ->
 extnValue = Nonce
 }.
 
--spec verify_ocsp_response(#'BasicOCSPResponse'{}, list(), undefined | binary()) ->
+-spec verify_response(#'BasicOCSPResponse'{}, list(), undefined | binary(),
+ public_key:cert(), fun()) ->
 {ok, term()} | {error, term()}.
-verify_ocsp_response(OCSPResponse, ResponderCerts, Nonce) ->
- do_verify_ocsp_response(OCSPResponse, ResponderCerts, Nonce).
+verify_response(#'BasicOCSPResponse'{
+ tbsResponseData = ResponseData,
+ signatureAlgorithm = SignatureAlgo,
+ signature = Signature},
+ ResponderCerts, Nonce, IssuerCert,
+ IsTrustedResponderFun) ->
+ #'ResponseData'{responderID = ResponderID,
+ producedAt = ProducedAt} = ResponseData,
+ maybe
+ ok ?= verify_past_timestamp(ProducedAt),
+ ok ?= verify_signature(
+ public_key:der_encode('ResponseData', ResponseData),
+ SignatureAlgo#'AlgorithmIdentifier'.algorithm,
+ Signature, ResponderCerts,
+ ResponderID, IssuerCert, IsTrustedResponderFun),
+ verify_nonce(ResponseData, Nonce)
+ else
+ {error, Reason} ->
+ {error, Reason}
+ end.
 
 -spec get_acceptable_response_types_extn() -> #'Extension'{}.
 get_acceptable_response_types_extn() ->
@@ -67,15 +81,15 @@ find_single_response(Cert, IssuerCert, SingleResponseList) ->
 SerialNum = get_serial_num(Cert),
 match_single_response(IssuerName, IssuerKey, SerialNum, SingleResponseList).
 
--spec ocsp_status({atom(), term()}) -> atom() | {atom(), {atom(), term()}}.
-ocsp_status({good, _}) ->
- valid;
-ocsp_status({unknown, Reason}) ->
- {bad_cert, {revocation_status_undetermined, Reason}};
-ocsp_status({revoked, Reason}) ->
- {bad_cert, {revoked, Reason}}.
+-spec status({atom(), term()}) -> ok | {error, {bad_cert, term()}}.
+status({good, _}) ->
+ ok;
+status({unknown, Reason}) ->
+ {error, {bad_cert, {revocation_status_undetermined, Reason}}};
+status({revoked, Reason}) ->
+ {error, {bad_cert, {revoked, Reason}}}.
 
-decode_ocsp_response(ResponseDer) ->
+decode_response(ResponseDer) ->
 Resp = public_key:der_decode('OCSPResponse', ResponseDer),
 case Resp#'OCSPResponse'.responseStatus of
 successful ->
@@ -92,16 +106,23 @@ match_single_response(_IssuerName, _IssuerKey, _SerialNum, []) ->
 match_single_response(IssuerName, IssuerKey, SerialNum,
 [#'SingleResponse'{
 certID = #'CertID'{hashAlgorithm = Algo} = CertID} =
- Response | Responses]) ->
+ SingleResponse | Tail]) ->
+ #'SingleResponse'{thisUpdate = ThisUpdate,
+ nextUpdate = NextUpdate} = SingleResponse,
 HashType = public_key:pkix_hash_type(Algo#'AlgorithmIdentifier'.algorithm),
 case (SerialNum == CertID#'CertID'.serialNumber) andalso
 (crypto:hash(HashType, IssuerName) == CertID#'CertID'.issuerNameHash) andalso
- (crypto:hash(HashType, IssuerKey) == CertID#'CertID'.issuerKeyHash) of
+ (crypto:hash(HashType, IssuerKey) == CertID#'CertID'.issuerKeyHash) andalso
+ verify_past_timestamp(ThisUpdate) == ok andalso
+ verify_next_update(NextUpdate) == ok of
 true ->
- {ok, Response};
+ {ok, SingleResponse};
 false ->
- match_single_response(IssuerName, IssuerKey, SerialNum, Responses)
- end.
+ match_single_response(IssuerName, IssuerKey, SerialNum, Tail)
+ end;
+match_single_response(IssuerName, IssuerKey, SerialNum,
+ [_BadSingleResponse | Tail]) ->
+ match_single_response(IssuerName, IssuerKey, SerialNum, Tail).
 
 get_serial_num(#'OTPCertificate'{tbsCertificate = TbsCert}) ->
 TbsCert#'OTPTBSCertificate'.serialNumber.
@@ -113,24 +134,7 @@ decode_response_bytes(#'ResponseBytes'{
 decode_response_bytes(#'ResponseBytes'{responseType = RespType}) ->
 {error, {ocsp_response_type_not_supported, RespType}}.
 
-do_verify_ocsp_response(#'BasicOCSPResponse'{
- tbsResponseData = ResponseData,
- signatureAlgorithm = SignatureAlgo,
- signature = Signature},
- ResponderCerts, Nonce) ->
- #'ResponseData'{responderID = ResponderID} = ResponseData,
- case verify_ocsp_signature(
- public_key:der_encode('ResponseData', ResponseData),
- SignatureAlgo#'AlgorithmIdentifier'.algorithm,
- Signature, ResponderCerts,
- ResponderID) of
- ok ->
- verify_ocsp_nonce(ResponseData, Nonce);
- {error, Reason} ->
- {error, Reason}
- end.
-
-verify_ocsp_nonce(ResponseData, Nonce) ->
+verify_nonce(ResponseData, Nonce) ->
 #'ResponseData'{responses = Responses, responseExtensions = ResponseExtns} =
 ResponseData,
 case get_nonce_value(ResponseExtns) of
@@ -153,31 +157,91 @@ get_nonce_value([#'Extension'{
 get_nonce_value([_Extn | Rest]) ->
 get_nonce_value(Rest).
 
-verify_ocsp_signature(ResponseDataDer, SignatureAlgo, Signature,
- Certs, ResponderID) ->
- case find_responder_cert(ResponderID, Certs) of
- {ok, Cert} ->
- do_verify_ocsp_signature(
- ResponseDataDer, Signature, SignatureAlgo, Cert);
- {error, Reason} ->
- {error, Reason}
+verify_signature(_, _, _, [], _, _, _) ->
+ {error, ocsp_responder_cert_not_found};
+verify_signature(ResponseDataDer, SignatureAlgo, Signature,
+ [ResponderCert | RCs], ResponderID, IssuerCert,
+ IsTrustedResponderFun) ->
+ maybe
+ true ?= is_responder_cert(ResponderID, ResponderCert),
+ true ?= is_authorized_responder(ResponderCert, IssuerCert,
+ IsTrustedResponderFun),
+ ok ?= do_verify_signature(ResponseDataDer, Signature, SignatureAlgo,
+ ResponderCert)
+ else
+ _->
+ verify_signature(ResponseDataDer, SignatureAlgo, Signature,
+ RCs, ResponderID, IssuerCert,
+ IsTrustedResponderFun)
 end.
 
-find_responder_cert(_ResponderID, []) ->
- {error, ocsp_responder_cert_not_found};
-find_responder_cert(ResponderID, [Cert | TCerts]) ->
- case is_responder(ResponderID, Cert) of
+verify_past_timestamp(Timestamp) ->
+ {Now, TimestampSec} = get_time_in_sec(Timestamp),
+ verify_timestamp(Now, TimestampSec, past_timestamp).
+
+verify_future_timestamp(Timestamp) ->
+ {Now, TimestampSec} = get_time_in_sec(Timestamp),
+ verify_timestamp(Now, TimestampSec, future_timestamp).
+
+verify_timestamp(Now, Timestamp, past_timestamp) when Timestamp =< Now ->
+ ok;
+verify_timestamp(Now, Timestamp, future_timestamp) when Now =< Timestamp ->
+ ok;
+verify_timestamp(_, _, _) ->
+ {error, ocsp_stale_response}.
+
+get_time_in_sec(Timestamp) ->
+ Now = calendar:datetime_to_gregorian_seconds(calendar:universal_time()),
+ TimestampSec = pubkey_cert:time_str_2_gregorian_sec(
+ {generalTime, Timestamp}),
+ {Now, TimestampSec}.
+
+verify_next_update(asn1_NOVALUE) ->
+ ok;
+verify_next_update(NextUpdate) ->
+ verify_future_timestamp(NextUpdate).
+
+is_responder_cert({byName, Name}, #cert{otp = Cert}) ->
+ public_key:der_encode('Name', Name) == get_subject_name(Cert);
+is_responder_cert({byKey, Key}, #cert{otp = Cert}) ->
+ Key == crypto:hash(sha, get_public_key(Cert)).
+
+is_authorized_responder(CombinedResponderCert = #cert{otp = ResponderCert},
+ IssuerCert, IsTrustedResponderFun) ->
+ Case1 =
+ %% the CA who issued the certificate in question signed the
+ %% response
+ fun() ->
+ ResponderCert == IssuerCert
+ end,
+ Case2 =
+ %% a CA Designated Responder (Authorized Responder, defined in
+ %% Section 4.2.2.2) who holds a specially marked certificate
+ %% issued directly by the CA, indicating that the responder may
+ %% issue OCSP responses for that CA (id-kp-OCSPSigning)
+ fun() ->
+ public_key:pkix_is_issuer(ResponderCert, IssuerCert) andalso
+ designated_for_ocsp_signing(ResponderCert)
+ end,
+ Case3 =
+ %% a Trusted Responder whose public key is trusted by the requestor
+ fun() ->
+ IsTrustedResponderFun(CombinedResponderCert)
+ end,
+
+ case lists:any(fun(E) -> E() end, [Case1, Case2, Case3]) of
 true ->
- {ok, Cert};
+ true;
 false ->
- find_responder_cert(ResponderID, TCerts)
+ not_authorized_responder
 end.
 
-do_verify_ocsp_signature(ResponseDataDer, Signature, AlgorithmID, Cert) ->
+do_verify_signature(ResponseDataDer, Signature, AlgorithmID,
+ #cert{otp = ResponderCert}) ->
 {DigestType, _SignatureType} = public_key:pkix_sign_types(AlgorithmID),
 case public_key:verify(
 ResponseDataDer, DigestType, Signature,
- get_public_key_rec(Cert)) of
+ get_public_key_rec(ResponderCert)) of
 true ->
 ok;
 false ->
@@ -188,11 +252,6 @@ get_public_key_rec(#'OTPCertificate'{tbsCertificate = TbsCert}) ->
 PKInfo = TbsCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
 PKInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey.
 
-is_responder({byName, Name}, Cert) ->
- public_key:der_encode('Name', Name) == get_subject_name(Cert);
-is_responder({byKey, Key}, Cert) ->
- Key == crypto:hash(sha, get_public_key(Cert)).
-
 get_subject_name(#'OTPCertificate'{tbsCertificate = TbsCert}) ->
 public_key:pkix_encode('Name', TbsCert#'OTPTBSCertificate'.subject, otp).
 
@@ -207,22 +266,26 @@ enc_pub_key({DsaInt, #'Dss-Parms'{}}) when is_integer(DsaInt) ->
 enc_pub_key({#'ECPoint'{point = Key}, _ECParam}) ->
 Key.
 
+designated_for_ocsp_signing(OtpCert) ->
+ TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+ TBSExtensions = TBSCert#'OTPTBSCertificate'.extensions,
+ Extensions = pubkey_cert:extensions_list(TBSExtensions),
+ case pubkey_cert:select_extension(?'id-ce-extKeyUsage', Extensions) of
+	undefined ->
+	 false;
+	#'Extension'{extnValue = KeyUses} ->
+ lists:member(?'id-kp-OCSPSigning', KeyUses)
+ end.
+
 %%%################################################################
 %%%#
 %%%# Tracing
 %%%#
-handle_trace(csp,
- {call, {?MODULE, do_verify_ocsp_response, [BasicOcspResponse | _]}}, Stack) ->
- #'BasicOCSPResponse'{
- tbsResponseData =
- #'ResponseData'{responderID = ResponderID,
- producedAt = ProducedAt}} = BasicOcspResponse,
- {io_lib:format("ResponderId = ~W producedAt = ~p", [ResponderID, 5, ProducedAt]), Stack};
 handle_trace(csp,
 {call, {?MODULE, match_single_response,
 [_IssuerName, _IssuerKey, _SerialNum,
 [#'SingleResponse'{thisUpdate = ThisUpdate,
- nextUpdate = NextUpdate}]]}}, Stack) ->
+ nextUpdate = NextUpdate} | _]]}}, Stack) ->
 {io_lib:format("ThisUpdate = ~p NextUpdate = ~p", [ThisUpdate, NextUpdate]), Stack};
 handle_trace(csp,
 {call, {?MODULE, is_responder, [Id, Cert]}}, Stack) ->
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index ee27a7b8a4..93d217cb98 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -21,7 +21,7 @@
 %%
 
 -module(public_key).
-
+-feature(maybe_expr,enable).
 -include("public_key.hrl").
 
 -export([pem_decode/1, pem_encode/1, 
@@ -62,7 +62,6 @@
 pkix_test_data/1,
 pkix_test_root_cert/2,
 pkix_ocsp_validate/5,
- ocsp_responder_id/1,
 ocsp_extensions/1,
 cacerts_get/0,
 cacerts_load/0,
@@ -174,8 +173,11 @@
 -type oid() :: tuple().
 -type cert_id() :: {SerialNr::integer(), issuer_name()} .
 -type issuer_name() :: {rdnSequence,[[#'AttributeTypeAndValue'{}]]} .
--type bad_cert_reason() :: cert_expired | invalid_issuer | invalid_signature | name_not_permitted | missing_basic_constraint | invalid_key_usage | duplicate_cert_in_path |
- {'policy_requirement_not_met', term()} | {'invalid_policy_mapping', term()} | {revoked, crl_reason()} | invalid_validity_dates | atom().
+-type bad_cert_reason() :: cert_expired | invalid_issuer | invalid_signature | name_not_permitted |
+ missing_basic_constraint | invalid_key_usage | duplicate_cert_in_path |
+ {'policy_requirement_not_met', term()} | {'invalid_policy_mapping', term()} |
+ {revoked, crl_reason()} | invalid_validity_dates |
+ {revocation_status_undetermined, term()} | atom().
 
 -type combined_cert() :: #cert{}.
 -type cert() :: der_cert() | otp_cert().
@@ -1387,52 +1389,47 @@ pkix_test_data(#{} = Chain) ->
 
 pkix_test_root_cert(Name, Opts) ->
 pubkey_cert:root_cert(Name, Opts).
- 
+
 %%--------------------------------------------------------------------
--spec pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, 
- ResponderCerts, NonceExt) -> valid | {bad_cert, Reason}
- when Cert:: cert(),
- IssuerCert:: cert(),
+-spec pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, NonceExt, Options) ->
+ ok | {error, {bad_cert, Reason}}
+ when Cert::cert(),
+ IssuerCert::cert(),
 OcspRespDer::der_encoded(),
- ResponderCerts::[der_cert()],
 NonceExt::undefined | binary(),
- Reason::term().
-
-%% Description: Validate OCSP staple response
+ Options::[{is_trusted_responder_fun,
+ fun((combined_cert()) -> boolean)}],
+ Reason::bad_cert_reason().
+%% Description: Validate OCSP response
 %%--------------------------------------------------------------------
-pkix_ocsp_validate(DerCert, IssuerCert, OcspRespDer, ResponderCerts, NonceExt)
+pkix_ocsp_validate(DerCert, IssuerCert, OcspRespDer, NonceExt, Options)
 when is_binary(DerCert) ->
- pkix_ocsp_validate(pkix_decode_cert(DerCert, otp), IssuerCert, OcspRespDer,
- ResponderCerts, NonceExt);
-pkix_ocsp_validate(Cert, DerIssuerCert, OcspRespDer, ResponderCerts, NonceExt)
+ pkix_ocsp_validate(
+ pkix_decode_cert(DerCert, otp), IssuerCert, OcspRespDer, NonceExt, Options);
+pkix_ocsp_validate(Cert, DerIssuerCert, OcspRespDer, NonceExt, Options)
 when is_binary(DerIssuerCert) ->
- pkix_ocsp_validate(Cert, pkix_decode_cert(DerIssuerCert, otp), OcspRespDer,
- ResponderCerts, NonceExt);
-pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, ResponderCerts, NonceExt) ->
- OcspResponse = pubkey_ocsp:decode_ocsp_response(OcspRespDer),
- OcspCertResponses =
- case OcspResponse of
- {ok, BasicOcspResponse = #'BasicOCSPResponse'{certs = Certs}} ->
- OcspResponseCerts = [otp_cert(C) || C <- Certs],
- UserResponderCerts =
- [otp_cert(pkix_decode_cert(C, plain)) || C <- ResponderCerts],
- pubkey_ocsp:verify_ocsp_response(
- BasicOcspResponse, OcspResponseCerts ++ UserResponderCerts,
- NonceExt);
- {error, _} = Error ->
- Error
- end,
- case OcspCertResponses of
- {ok, Responses} ->
- case pubkey_ocsp:find_single_response(
- otp_cert(Cert), otp_cert(IssuerCert), Responses) of
- {ok, #'SingleResponse'{certStatus = CertStatus}} ->
- pubkey_ocsp:ocsp_status(CertStatus);
- {error, no_matched_response = Reason} ->
- {bad_cert, {revocation_status_undetermined, Reason}}
- end;
+ pkix_ocsp_validate(
+ Cert, pkix_decode_cert(DerIssuerCert, otp), OcspRespDer, NonceExt, Options);
+pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, NonceExt, Options)
+ when is_record(Cert, 'OTPCertificate'),
+ is_record(IssuerCert, 'OTPCertificate') ->
+ IsTrustedResponderFun =
+	proplists:get_value(is_trusted_responder_fun, Options,
+ fun(_) -> false end),
+ maybe
+ {ok, BasicOcspResponse = #'BasicOCSPResponse'{certs = Certs}} ?=
+ pubkey_ocsp:decode_response(OcspRespDer),
+ OcspResponseCerts = [combined_cert(C) || C <- Certs],
+ {ok, Responses} ?=
+ pubkey_ocsp:verify_response(
+ BasicOcspResponse, OcspResponseCerts, NonceExt, IssuerCert,
+ IsTrustedResponderFun),
+ {ok, #'SingleResponse'{certStatus = CertStatus}} ?=
+ pubkey_ocsp:find_single_response(Cert, IssuerCert, Responses),
+ pubkey_ocsp:status(CertStatus)
+ else
 {error, Reason} ->
- {bad_cert, {revocation_status_undetermined, Reason}}
+ {error, {bad_cert, {revocation_status_undetermined, Reason}}}
 end.
 
 %%--------------------------------------------------------------------
@@ -1444,14 +1441,6 @@ ocsp_extensions(Nonce) ->
 pubkey_ocsp:get_acceptable_response_types_extn()],
 erlang:is_record(Extn, 'Extension')].
 
-%%--------------------------------------------------------------------
--spec ocsp_responder_id(binary()) -> binary().
-%%
-%% Description: Get the OCSP responder ID der
-%%--------------------------------------------------------------------
-ocsp_responder_id(CertDer) ->
- pubkey_ocsp:get_ocsp_responder_id(pkix_decode_cert(CertDer, plain)).
-
 %%--------------------------------------------------------------------
 -spec cacerts_get() -> [combined_cert()].
 %%
@@ -1700,9 +1689,12 @@ otp_cert(Der) when is_binary(Der) ->
 otp_cert(#'OTPCertificate'{} = Cert) ->
 Cert;
 otp_cert(#cert{otp = OtpCert}) ->
- OtpCert;
-otp_cert(#'Certificate'{} = Cert) ->
- pkix_decode_cert(der_encode('Certificate', Cert), otp).
+ OtpCert.
+
+combined_cert(#'Certificate'{} = Cert) ->
+ Der = der_encode('Certificate', Cert),
+ Otp = pkix_decode_cert(Der, otp),
+ #cert{der = Der, otp = Otp}.
 
 der_cert(#'OTPCertificate'{} = Cert) ->
 pkix_encode('OTPCertificate', Cert, otp);
@@ -2119,15 +2111,6 @@ subject_public_key_info(Alg, PubKey) ->
 %%%#
 %%%# Tracing
 %%%#
-handle_trace(csp,
- {call, {?MODULE, ocsp_responder_id, [Cert]}}, Stack) ->
- {io_lib:format("pkix_decode_cert(Cert, plain) = ~W", [Cert, 5]),
- %% {io_lib:format("pkix_decode_cert(Cert, plain) = ~s", [ssl_test_lib:format_cert(Cert)]),
- Stack};
-handle_trace(csp,
- {return_from, {?MODULE, ocsp_responder_id, 1}, Return},
- Stack) ->
- {io_lib:format("OCSP Responder ID = ~P", [Return, 10]), Stack};
 handle_trace(crt,
 {call, {?MODULE, pkix_decode_cert, [Cert, _Type]}}, Stack) ->
 {io_lib:format("Cert = ~W", [Cert, 5]), Stack};
diff --git a/lib/public_key/test/Makefile b/lib/public_key/test/Makefile
index 79dcacb6ce..c0bbed3af7 100644
--- a/lib/public_key/test/Makefile
+++ b/lib/public_key/test/Makefile
@@ -34,7 +34,8 @@ MODULES= \
 	pbe_SUITE \
 	pkits_SUITE \
 	pubkey_cert_SUITE \
-	pubkey_policy_tree_SUITE
+	pubkey_policy_tree_SUITE \
+	pubkey_ocsp_SUITE
 
 ERL_FILES= $(MODULES:%=%.erl)
 
diff --git a/lib/public_key/test/pubkey_ocsp_SUITE.erl b/lib/public_key/test/pubkey_ocsp_SUITE.erl
index 006741e81a..b2f42d7c09 100644
--- a/lib/public_key/test/pubkey_ocsp_SUITE.erl
+++ b/lib/public_key/test/pubkey_ocsp_SUITE.erl
@@ -22,17 +22,92 @@
 
 -include_lib("common_test/include/ct.hrl").
 -include_lib("public_key/include/public_key.hrl").
-
 %% Note: This directive should only be used in test suites.
--compile(export_all).
+-compile([export_all, nowarn_export_all]).
+
+-define(NONCE,
+ <<4,8,93,33,1,52,187,3,12,142>>).
+-define(OCSP_RESPONSE_DER,
+ <<48,130,7,36,10,1,0,160,130,7,29,48,130,7,25,6,9,43,6,1,5,5,7,48,1,1,4,130,7,10,48,130,7,6,48,130,1,10,161,129,134,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,
+ 114,105,99,115,115,111,110,46,115,101,24,15,50,48,50,51,48,55,50,48,49,50,50,57,52,57,90,48,81,48,79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194,162,22,93,127,46,112,193,196,28,241,232,4,20,34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171,2,1,9,128,0,24,15,50,48,50,51,48,55,50,48,49,50,50,57,52,57,90,161,27,48,25,48,23,6,9,43,6,1,5,5,7,48,1,2,4,10,4,8,93,33,1,52,187,3,12,142,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,182,228,165,33,
+ 173,232,46,125,152,237,37,120,186,223,188,231,181,61,72,89,210,75,38,182,146,218,223,53,38,104,100,89,19,79,48,159,109,70,25,34,143,253,199,92,162,248,245,240,61,82,39,44,243,148,109,21,112,74,206,246,5,146,12,175,235,170,225,206,115,148,109,1,216,194,98,149,105,106,232,83,95,229,196,237,246,6,177,167,177,52,242,63,56,93,74,92,28,246,138,137,99,28,239,68,130,184,182,140,50,206,10,166,243,118,11,153,79,178,220,166,161,45,83,90,58,152,78,229,27,54,147,125,106,199,192,182,242,242,98,69,94,148,
+ 163,130,154,168,134,24,7,211,176,133,1,156,206,22,197,139,59,66,110,121,187,101,221,16,11,114,106,56,178,21,3,189,89,233,228,8,127,150,247,151,97,145,204,117,80,120,174,191,12,150,148,180,86,16,86,82,170,184,185,10,182,252,210,66,238,144,233,244,94,144,143,200,0,172,179,194,109,137,186,95,180,111,242,81,132,254,70,174,168,9,181,145,154,180,7,78,17,56,24,195,236,80,46,1,241,0,52,172,84,154,43,117,130,153,160,130,4,224,48,130,4,220,48,130,4,216,48,130,3,192,160,3,2,1,2,2,1,1,48,13,6,9,42,134,
+ 72,134,247,13,1,1,11,5,0,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,30,23,13,50,51,48,55,50,48,49,50,50,57,
+ 52,52,90,23,13,51,51,48,53,50,56,49,50,50,57,52,52,90,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,
+ 134,72,134,247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,224,126,14,188,23,118,17,120,117,2,151,131,96,96,81,128,52,8,219,111,48,52,116,100,176,30,58,84,47,206,254,180,60,112,107,216,0,213,16,164,57,110,181,88,62,78,208,125,127,255,36,56,29,37,165,108,64,115,95,46,212,88,172,92,20,177,247,84,13,124,142,41,248,131,77,91,114,228,157,125,20,155,64,70,60,206,180,54,12,80,153,230,208,10,189,163,140,22,146,156,99,21,213,182,98,144,208,94,71,69,249,100,109,104,226,169,55,210,194,244,111,92,
+ 16,87,6,93,42,174,62,243,175,60,139,134,67,116,107,208,120,214,103,12,182,22,229,195,60,133,235,228,230,17,0,101,185,117,3,52,252,75,173,144,14,30,36,132,251,47,0,161,159,183,230,201,93,76,82,202,66,213,34,44,88,148,92,240,21,152,135,102,160,212,173,100,225,227,143,229,74,120,120,147,179,228,80,127,246,118,213,141,122,209,29,48,47,188,130,179,111,83,234,203,22,0,167,15,53,193,172,80,117,62,98,63,233,161,102,96,21,10,72,179,86,205,96,124,62,133,9,28,197,39,190,23,72,49,2,3,1,0,1,163,130,1,80,
+ 48,130,1,76,48,15,6,3,85,29,19,1,1,255,4,5,48,3,1,1,255,48,11,6,3,85,29,15,4,4,3,2,1,6,48,29,6,3,85,29,14,4,22,4,20,34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171,48,129,198,6,3,85,29,35,4,129,190,48,129,187,128,20,196,35,212,128,180,55,39,81,140,96,141,212,14,41,206,56,214,196,133,175,161,129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,
+ 69,114,105,99,115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130,20,43,178,6,127,40,48,98,119,68,20,137,15,178,249,179,119,3,205,202,41,48,33,6,3,85,29,17,4,26,48,24,129,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,33,6,3,85,29,18,4,26,48,24,129,
+ 22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,2,39,149,225,217,60,119,245,177,96,137,169,49,169,0,163,164,218,40,228,230,193,142,138,206,47,0,176,80,99,16,226,79,124,237,230,91,57,148,49,250,208,42,193,106,53,86,163,205,254,245,90,45,240,172,107,162,160,59,7,246,245,41,106,44,239,47,78,197,79,123,55,217,87,181,221,73,88,47,122,30,195,225,6,28,237,49,250,105,85,214,69,86,243,73,81,101,192,31,250,31,
+ 55,111,63,11,1,147,63,144,241,132,32,161,92,168,152,19,29,233,88,234,4,134,144,26,70,162,219,31,125,205,202,94,45,111,3,17,66,62,208,17,188,179,94,222,238,248,79,102,80,138,217,80,233,100,152,240,11,81,36,130,175,152,182,221,2,26,24,33,180,242,63,33,223,18,131,11,52,51,1,193,24,222,91,47,100,131,173,32,69,159,13,94,246,193,182,127,242,164,131,112,92,179,65,79,235,174,161,194,201,255,119,2,251,215,203,135,16,154,55,69,82,33,69,60,223,118,35,56,22,228,106,80,57,180,62,124,121,244,121,197,123,
+ 242,190,55,26,32,214,176,53,28,117,171,162,76,160>>).
+-define(ISSUER_CERT,
+ {'OTPCertificate',{'OTPTBSCertificate',v3,1,
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'Validity',{utcTime,"230720122944Z"},{utcTime,"330528122944Z"}},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'},
+ {'RSAPublicKey',28339541610808720697355110173776661351591299627563886520724840524156173758352096851973677497931775737934761046080070714946146799362954032218057107079242015447767834113919294749723734648362271942219510034694564267611067362221363996274084106982740657802072527220370548608128815474010110407985824336936761317435951968068792959040741225688753787656107492053262271328711261658605960823613199135109317800726834363235926476527282638847781232871073244485999722937494811217769991698287040924806827188498324716317026838449695477777978536565396172198805249805405552866638039988130119465502001541293012996469049417900821835106353,
+ 65537}},
+ asn1_NOVALUE,asn1_NOVALUE,
+ [{'Extension',{2,5,29,19},true,{'BasicConstraints',true,asn1_NOVALUE}},
+ {'Extension',{2,5,29,15},false,[keyCertSign,cRLSign]},
+ {'Extension',{2,5,29,14},false,<<34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171>>},
+ {'Extension',{2,5,29,35},
+ false,
+ {'AuthorityKeyIdentifier',<<196,35,212,128,180,55,39,81,140,96,141,212,14,41,206,56,214,196,133,175>>,
+ [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,6},"SE"}],
+ [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}],
+ 249456701733760087187851894331345805369320262185}},
+ {'Extension',{2,5,29,17},false,[{rfc822Name,"peter@erix.ericsson.se"}]},
+ {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]},
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ <<2,39,149,225,217,60,119,245,177,96,137,169,49,169,0,163,164,218,40,228,230,193,142,138,206,47,0,176,80,99,16,226,79,124,237,230,91,57,148,49,250,208,42,193,106,53,86,163,205,254,245,90,45,240,172,107,162,160,59,7,246,245,41,106,44,239,47,78,197,79,123,55,217,87,181,221,73,88,47,122,30,195,225,6,28,237,49,250,105,85,214,69,86,243,73,81,101,192,31,250,31,55,111,63,11,1,147,63,144,241,132,32,161,92,168,152,19,29,233,88,234,4,134,144,26,70,162,219,31,125,205,202,94,45,111,3,17,
+ 66,62,208,17,188,179,94,222,238,248,79,102,80,138,217,80,233,100,152,240,11,81,36,130,175,152,182,221,2,26,24,33,180,242,63,33,223,18,131,11,52,51,1,193,24,222,91,47,100,131,173,32,69,159,13,94,246,193,182,127,242,164,131,112,92,179,65,79,235,174,161,194,201,255,119,2,251,215,203,135,16,154,55,69,82,33,69,60,223,118,35,56,22,228,106,80,57,180,62,124,121,244,121,197,123,242,190,55,26,32,214,176,53,28,117,171,162,76,160>>}
+ ).
+-define(RESPONDER_CERT, #cert{otp = ?ISSUER_CERT}).
+-define(A_SERVER_CERT,
+ {'OTPCertificate',{'OTPTBSCertificate',v3,9,
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'Validity',{utcTime,"230720133137Z"},{utcTime,"330528133137Z"}},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"a.server">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'},
+ {'RSAPublicKey',21289228001579879261333836287004823332222603265803194664536540127079242843046558012638236832904402369325784443025964406623777246658832921141960060475804229950419927075126320682148878633948860170628231809668072735203197673472127901696952853229103382707195692260834407944629128675563945194876045436588557031550105450845916227210816469918126215406473272174435113136059751668904728646605321836951857481644376964329827326510385947455341932553729402879301386590388317914766820519616318357183422565964994898098302388155119056040428369731559112404176013041801429296771966314089067058782535413289830323744573459011210321571511,
+ 65537}},
+ asn1_NOVALUE,asn1_NOVALUE,
+ [{'Extension',{2,5,29,19},false,{'BasicConstraints',false,asn1_NOVALUE}},
+ {'Extension',{2,5,29,15},false,[digitalSignature,nonRepudiation,keyEncipherment]},
+ {'Extension',{2,5,29,14},false,<<135,115,253,182,154,247,175,77,237,3,215,88,195,15,182,214,248,144,201,202>>},
+ {'Extension',{2,5,29,35},
+ false,
+ {'AuthorityKeyIdentifier',<<63,22,3,246,66,83,233,142,103,82,105,230,175,132,130,192,87,79,122,232>>,
+ [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,6},"SE"}],
+ [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}],
+ 1}},
+ {'Extension',{2,5,29,17},false,[{dNSName,"host.example.com"}]},
+ {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]},
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ <<194,57,242,156,210,120,172,248,208,88,233,168,205,61,179,61,2,85,56,96,136,83,210,119,125,103,192,129,116,221,161,132,108,92,219,163,233,228,179,34,47,164,22,72,45,203,239,245,155,67,137,138,191,142,152,135,233,57,229,36,0,69,149,197,54,204,25,147,4,223,251,99,183,6,158,247,67,220,83,177,77,117,131,196,144,151,105,108,83,227,69,84,143,238,81,189,141,167,155,224,8,199,237,102,62,92,133,120,118,133,41,142,45,9,195,211,95,49,101,226,51,225,78,198,255,142,182,113,179,20,36,214,
+ 62,56,147,108,248,95,132,193,0,194,102,78,45,7,102,167,183,146,79,108,190,65,108,0,92,40,164,29,81,63,204,59,252,170,33,209,139,181,226,35,136,229,147,190,3,119,238,178,83,203,7,92,103,21,22,171,75,199,87,255,171,219,146,122,207,235,188,254,247,58,64,1,31,190,233,135,232,47,71,117,82,107,254,74,23,178,186,85,110,204,185,51,113,160,41,145,190,52,63,103,210,54,235,206,82,160,188,238,209,99,90,100,138,147,84,20,30,47,253,73,245,168,13,222>>}
+ ).
 
 %%--------------------------------------------------------------------
 %% Common Test interface functions -----------------------------------
 %%--------------------------------------------------------------------
-all() -> 
+all() ->
 [ocsp_test].
 
-groups() -> 
+groups() ->
 [].
 
 %%--------------------------------------------------------------------
@@ -63,314 +138,76 @@ end_per_testcase(_TestCase, _Config) ->
 ocsp_test() ->
 [{doc, "Test functions in pubkey_ocsp"}].
 ocsp_test(Config) when is_list(Config) ->
- %% Feeding data
- SingleResponseGood =
- [#'SingleResponse'{
- certID = {'CertID',
- {'AlgorithmIdentifier',{1,3,14,3,2,26},<<5,0>>},
- <<227,147,252,182,155,101,129,45,194,162,
- 22,93,127,46,112,193,196,28,241,232>>,
- <<99,34,37,88,164,188,98,22,125,252,71,72,
- 246,115,141,222,108,19,122,168>>,7},
- certStatus = {good,'NULL'},
- thisUpdate = "20200428083205Z",
- nextUpdate = asn1_NOVALUE,
- singleExtensions = asn1_NOVALUE}],
-
- Nonce = <<226,210,104,247,153,233,71,246>>,
-
- NonceExtension =
- #'Extension'{
- extnID = ?'id-pkix-ocsp-nonce',
- extnValue = Nonce
- },
-
- OCSPResponseDer =
- <<48,130,7,6,10,1,0,160,130,6,255,48,130,6,251,6,9,43,6,1,5,5,7,48,1,1,4,130,6,
- 236,48,130,6,232,48,130,1,11,161,129,137,48,129,134,49,17,48,15,6,3,85,4,3,
- 12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,114,108,
- 97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,
- 111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,
- 9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,
- 1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,
- 110,46,115,101,24,15,50,48,50,48,48,52,50,56,48,56,51,50,48,53,90,48,81,48,
- 79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194,
- 162,22,93,127,46,112,193,196,28,241,232,4,20,99,34,37,88,164,188,98,22,125,
- 252,71,72,246,115,141,222,108,19,122,168,2,1,7,128,0,24,15,50,48,50,48,48,52,
- 50,56,48,56,51,50,48,53,90,161,25,48,23,48,21,6,9,43,6,1,5,5,7,48,1,2,4,8,
- 226,210,104,247,153,233,71,246,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,
- 130,1,1,0,85,82,43,226,38,172,139,105,77,248,24,250,244,154,2,174,232,141,52,
- 93,102,37,177,31,59,105,104,242,117,238,102,93,61,56,24,47,69,169,184,234,
- 109,204,5,64,109,101,23,197,234,6,250,223,95,175,131,138,227,66,123,199,182,
- 57,102,47,221,72,112,208,1,4,128,209,235,108,64,209,31,128,37,130,176,132,
- 203,119,24,188,187,254,8,167,54,80,28,208,26,118,236,149,184,182,25,236,252,
- 158,253,167,143,114,14,184,198,144,51,195,44,16,38,255,112,124,81,201,255,
- 132,143,98,119,135,23,232,10,184,54,150,227,131,212,81,101,158,152,82,252,
- 156,28,30,163,203,145,11,179,105,230,187,132,119,186,189,67,198,165,48,106,
- 114,75,151,128,108,28,44,121,195,162,222,25,45,99,46,84,116,125,51,72,191,
- 250,186,71,78,21,222,219,232,143,233,226,56,163,23,51,170,69,152,223,0,63,8,
- 236,219,175,18,165,88,166,125,71,31,53,40,12,133,64,250,30,190,113,10,187,38,
- 171,17,210,170,126,198,232,195,224,228,1,246,75,140,139,121,229,17,153,115,
- 199,68,227,171,176,163,117,171,160,130,4,193,48,130,4,189,48,130,4,185,48,
- 130,3,161,160,3,2,1,2,2,1,9,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,48,129,
- 131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,
- 10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,
- 105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,
- 6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,
- 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,
- 99,115,115,111,110,46,115,101,48,30,23,13,50,48,48,52,50,56,48,56,51,50,48,
- 53,90,23,13,51,48,48,51,48,55,48,56,51,50,48,53,90,48,129,134,49,17,48,15,6,
- 3,85,4,3,12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,
- 114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,
- 115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,
- 4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,
- 13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,
- 115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0,
- 3,130,1,15,0,48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217,
- 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171,127,79,157,147,
- 235,14,61,25,162,207,134,25,239,35,62,57,10,214,115,231,71,203,226,198,73,
- 223,222,199,165,82,67,33,78,176,116,241,192,97,169,143,164,219,152,40,115,
- 229,242,128,97,98,183,217,199,35,127,146,94,20,115,0,250,200,39,9,255,230,
- 216,80,140,6,133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98,
- 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232,228,220,249,
- 113,86,186,212,176,194,66,14,164,236,219,138,254,80,57,118,232,163,192,94,78,
- 224,100,124,206,199,81,105,54,222,26,245,170,147,184,192,237,77,143,154,180,
- 79,42,107,75,77,81,215,19,75,8,160,106,199,196,66,53,16,233,184,175,85,167,
- 148,12,232,248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29,
- 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131,227,64,152,209,
- 205,63,24,172,223,194,254,97,133,255,192,133,148,237,178,115,2,3,1,0,1,163,
- 130,1,49,48,130,1,45,48,9,6,3,85,29,19,4,2,48,0,48,11,6,3,85,29,15,4,4,3,2,5,
- 224,48,29,6,3,85,29,14,4,22,4,20,63,72,140,0,84,13,114,48,50,31,9,241,231,
- 177,20,184,8,114,244,29,48,129,179,6,3,85,29,35,4,129,171,48,129,168,128,20,
- 99,34,37,88,164,188,98,22,125,252,71,72,246,115,141,222,108,19,122,168,161,
- 129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,
- 110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,
- 80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,
- 18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,
- 4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,
- 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130,
- 1,1,48,27,6,3,85,29,17,4,20,48,18,130,16,104,111,115,116,46,101,120,97,109,
- 112,108,101,46,99,111,109,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101,116,
- 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,
- 13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,130,1,1,0,86,112,29,225,102,143,193,
- 55,126,115,187,208,118,153,111,177,160,121,55,33,184,60,27,111,40,7,93,241,9,
- 226,40,125,181,36,173,116,190,43,187,52,254,50,229,222,56,215,132,67,217,174,
- 121,24,94,240,163,56,12,36,212,2,40,94,102,126,206,52,40,32,218,59,86,166,
- 238,137,144,90,57,211,141,81,32,102,215,180,59,133,125,208,199,166,81,35,49,
- 24,88,100,127,90,145,237,150,249,227,123,120,98,230,12,106,72,201,127,54,94,
- 164,204,23,158,3,230,232,181,95,251,98,6,28,115,46,153,241,233,254,152,176,
- 114,12,148,24,234,185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101,
- 56,222,188,78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206,
- 52,220,63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77,
- 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160,242,
- 247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13,122,111,
- 22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>,
-
- MalOCSPResponseDer =
- <<48,130,7,6,10,1,0,160,130,6,255,48,130,6,251,6,9,43,6,1,5,5,7,48,1,1,4,130,6,
- 236,48,130,6,232,48,130,1,11,161,129,137,48,129,134,49,17,48,15,6,3,85,4,3,
- 12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,114,108,
- 97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,
- 111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,
- 9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,
- 1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,
- 110,46,115,101,24,15,50,48,50,48,48,52,50,56,48,56,51,50,48,53,90,48,81,48,
- 79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194,
- 162,22,93,127,46,112,193,196,28,241,232,4,20,99,34,37,88,164,188,98,22,125,
- 252,71,72,246,115,141,222,108,19,122,168,2,1,7,128,0,24,15,50,48,50,48,48,52,
- 50,56,48,56,51,50,48,53,90,161,25,48,23,48,21,6,9,43,6,1,5,5,7,48,1,2,4,8,
- 226,210,104,247,153,233,71,246,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,
- 130,1,1,0,85,82,43,226,38,172,139,105,77,248,24,250,244,154,2,174,232,141,52,
- 93,102,37,177,31,59,105,104,242,117,238,102,93,61,56,24,47,69,169,184,234,
- 109,204,5,64,109,101,23,197,234,6,250,223,95,175,131,138,227,66,123,199,182,
- 57,102,47,221,72,112,208,1,4,128,209,235,108,64,209,31,128,37,130,176,132,
- 203,119,24,188,187,254,8,167,54,80,28,208,26,118,236,149,184,182,25,236,252,
- 158,253,167,143,114,14,184,198,168,56,195,44,16,38,255,112,124,81,201,255,
- 132,143,98,119,135,23,232,10,184,54,150,227,131,212,81,101,158,152,82,252,
- 156,28,30,163,203,145,11,179,105,230,187,132,119,186,189,67,198,165,48,106,
- 114,75,151,128,108,28,44,121,195,162,222,25,45,99,46,84,116,125,51,72,191,
- 250,186,71,78,21,222,219,232,143,233,226,56,163,23,51,170,69,152,223,0,63,8,
- 236,219,175,18,165,88,166,125,71,31,53,40,12,133,64,250,30,190,113,10,187,38,
- 171,17,210,170,126,198,232,195,224,228,1,246,75,140,139,121,229,17,153,115,
- 199,68,227,171,176,163,117,171,160,130,4,193,48,130,4,189,48,130,4,185,48,
- 130,3,161,160,3,2,1,2,2,1,9,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,48,129,
- 131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,
- 10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,
- 105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,
- 6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,
- 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,
- 99,115,115,111,110,46,115,101,48,30,23,13,50,48,48,52,50,56,48,56,51,50,48,
- 53,90,23,13,51,48,48,51,48,55,48,56,51,50,48,53,90,48,129,134,49,17,48,15,6,
- 3,85,4,3,12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,
- 114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,
- 115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,
- 4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,
- 13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,
- 115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0,
- 3,130,1,15,0,48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217,
- 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171,127,79,157,147,
- 235,14,61,25,162,207,134,25,239,35,62,57,10,214,115,231,71,203,226,198,73,
- 223,222,199,165,82,67,33,78,176,116,241,192,97,169,143,164,219,152,40,115,
- 229,242,128,97,98,183,217,199,35,127,146,94,20,115,0,250,200,39,9,255,230,
- 216,80,140,6,133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98,
- 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232,228,220,249,
- 113,86,186,212,176,194,66,14,164,236,219,138,254,80,57,118,232,163,192,94,78,
- 224,100,124,206,199,81,105,54,222,26,245,170,147,184,192,237,77,143,154,180,
- 79,42,107,75,77,81,215,19,75,8,160,106,199,196,66,53,16,233,184,175,85,167,
- 148,12,232,248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29,
- 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131,227,64,152,209,
- 205,63,24,172,223,194,254,97,133,255,192,133,148,237,178,115,2,3,1,0,1,163,
- 130,1,49,48,130,1,45,48,9,6,3,85,29,19,4,2,48,0,48,11,6,3,85,29,15,4,4,3,2,5,
- 224,48,29,6,3,85,29,14,4,22,4,20,63,72,140,0,84,13,114,48,50,31,9,241,231,
- 177,20,184,8,114,244,29,48,129,179,6,3,85,29,35,4,129,171,48,129,168,128,20,
- 99,34,37,88,164,188,98,22,125,252,71,72,246,115,141,222,108,19,122,168,161,
- 129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,
- 110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,
- 80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,
- 18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,
- 4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,
- 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130,
- 1,1,48,27,6,3,85,29,17,4,20,48,18,130,16,104,111,115,116,46,101,120,97,109,
- 112,108,101,46,99,111,109,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101,116,
- 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,
- 13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,130,1,1,0,86,112,29,225,102,143,193,
- 55,126,115,187,208,118,153,111,177,160,121,55,33,184,60,27,111,40,7,93,241,9,
- 226,40,125,181,36,173,116,190,43,187,52,254,50,229,222,56,215,132,67,217,174,
- 121,24,94,240,163,56,12,36,212,2,40,94,102,126,206,52,40,32,218,59,86,166,
- 238,137,144,90,57,211,141,81,32,102,215,180,59,133,125,208,199,166,81,35,49,
- 24,88,100,127,90,145,237,150,249,227,123,120,98,230,12,106,72,201,127,54,94,
- 164,204,23,158,3,230,232,181,95,251,98,6,28,115,46,153,241,233,254,152,176,
- 114,12,148,24,234,185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101,
- 56,222,188,78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206,
- 52,220,63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77,
- 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160,242,
- 247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13,122,111,
- 22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>,
-
- ResponderIDer =
- <<161,129,135,48,129,132,49,17,48,15,6,3,85,4,3,12,8,98,46,
- 115,101,114,118,101,114,49,18,48,16,6,3,85,4,11,12,10,69,
- 114,108,97,110,103,79,84,80,49,19,48,17,6,3,85,4,10,12,11,
- 69,114,105,99,115,115,111,110,65,66,49,11,48,9,6,3,85,4,6,
- 19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,
- 104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,
- 22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,
- 99,115,115,111,110,46,115,101>>,
+ undefined = pubkey_ocsp:get_nonce_extn(undefined),
+ #'Extension'{extnID = ?'id-pkix-ocsp-nonce',
+ extnValue = ?NONCE} = pubkey_ocsp:get_nonce_extn(?NONCE),
+
+ {ok, OcspResponse = #'BasicOCSPResponse'{}} =
+ pubkey_ocsp:decode_response(?OCSP_RESPONSE_DER),
+
+ IsTrustedReponderFun = fun(_) -> true end,
+ {ok, [SingleResponse]} =
+ pubkey_ocsp:verify_response(OcspResponse,
+ [?RESPONDER_CERT],
+ ?NONCE,
+ ?ISSUER_CERT,
+ IsTrustedReponderFun),
+ {'SingleResponse',
+ {'CertID',
+ {'AlgorithmIdentifier',
+ {1,3,14,3,2,26},<<5,0>>},
+ <<227,147,252,182,155,101,129,45,194,162,22,93,127,46,112,193,196,28,241,232>>,
+ <<34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171>>,9},
+ {good,'NULL'},"20230720122949Z",asn1_NOVALUE,asn1_NOVALUE} =
+ SingleResponse,
+
+ CertId = SingleResponse#'SingleResponse'.certID,
+ WrongNameHashSingleResponse =
+ SingleResponse#'SingleResponse'{
+ certID = CertId#'CertID'{issuerNameHash = <<"rubbish_hash">>}},
+ NextUpdateFromPast = SingleResponse#'SingleResponse'{nextUpdate = "19820720122949Z"},
+ ThisUpdateFromFuture = SingleResponse#'SingleResponse'{thisUpdate = "21230720122949Z"},
+ {ok, SingleResponse} =
+ pubkey_ocsp:find_single_response(
+ ?A_SERVER_CERT, ?ISSUER_CERT,
+ [rubbish_single_response,
+ WrongNameHashSingleResponse,
+ NextUpdateFromPast,
+ ThisUpdateFromFuture,
+ SingleResponse, rubbish_single_response]),
+
+ %% invalid responses
+ IsNotTrustedReponderFun = fun(_) -> false end,
+ %% passing A_SERVER_CERT to get into Case3 in pubkey_oscp:is_authorized_responder
+ {error,ocsp_responder_cert_not_found} =
+ pubkey_ocsp:verify_response(OcspResponse,
+ [#cert{otp = ?A_SERVER_CERT}],
+ ?NONCE,
+ ?ISSUER_CERT,
+ IsNotTrustedReponderFun),
+ OcspResponseWrongSignature =
+ OcspResponse#'BasicOCSPResponse'{signature = <<"rubbish_signature">>},
+ {error, ocsp_responder_cert_not_found} =
+ pubkey_ocsp:verify_response(OcspResponseWrongSignature,
+ [?RESPONDER_CERT],
+ ?NONCE,
+ ?ISSUER_CERT,
+ IsTrustedReponderFun),
 
- Cert =
- #'Certificate'{
- tbsCertificate = #'TBSCertificate'{
- version = v3,
- serialNumber = 9,
- signature = {'AlgorithmIdentifier',{1,2,840,113549,1,1,5},<<5,0>>},
- issuer = {rdnSequence,
- [[{'AttributeTypeAndValue',{2,5,4,3},<<12,5,111,116,112,67,65>>}],
- [{'AttributeTypeAndValue',{2,5,4,11},<<"\f\nErlangOTP">>}],
- [{'AttributeTypeAndValue',{2,5,4,10},<<"\f\vEricssonAB">>}],
- [{'AttributeTypeAndValue',{2,5,4,6},<<19,2,83,69>>}],
- [{'AttributeTypeAndValue',{2,5,4,7},<<"\f\tStockholm">>}],
- [{'AttributeTypeAndValue',
- {1,2,840,113549,1,9,1},
- <<22,22,112,101,116,101,114,64,101,114,105,120,46,101,
- 114,105,99,115,115,111,110,46,115,101>>}]]},
- validity = {'Validity',{utcTime,"200428083205Z"},{utcTime,"300307083205Z"}},
- subject = {rdnSequence,
- [[{'AttributeTypeAndValue',{2,5,4,3},<<"\f\bb.server">>}],
- [{'AttributeTypeAndValue',{2,5,4,11},<<"\f\nErlangOTP">>}],
- [{'AttributeTypeAndValue',{2,5,4,10},<<"\f\vEricssonAB">>}],
- [{'AttributeTypeAndValue',{2,5,4,6},<<19,2,83,69>>}],
- [{'AttributeTypeAndValue',{2,5,4,7},<<"\f\tStockholm">>}],
- [{'AttributeTypeAndValue',
- {1,2,840,113549,1,9,1},
- <<22,22,112,101,116,101,114,64,101,114,105,120,46,101,
- 114,105,99,115,115,111,110,46,115,101>>}]]},
- subjectPublicKeyInfo = {'SubjectPublicKeyInfo',
- {'AlgorithmIdentifier',{1,2,840,113549,1,1,1},<<5,0>>},
- <<48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217,
- 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171,
- 127,79,157,147,235,14,61,25,162,207,134,25,239,35,62,57,10,214,
- 115,231,71,203,226,198,73,223,222,199,165,82,67,33,78,176,116,
- 241,192,97,169,143,164,219,152,40,115,229,242,128,97,98,183,217,
- 199,35,127,146,94,20,115,0,250,200,39,9,255,230,216,80,140,6,
- 133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98,
- 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232,
- 228,220,249,113,86,186,212,176,194,66,14,164,236,219,138,254,80,
- 57,118,232,163,192,94,78,224,100,124,206,199,81,105,54,222,26,
- 245,170,147,184,192,237,77,143,154,180,79,42,107,75,77,81,215,
- 19,75,8,160,106,199,196,66,53,16,233,184,175,85,167,148,12,232,
- 248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29,
- 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131,
- 227,64,152,209,205,63,24,172,223,194,254,97,133,255,192,133,148,
- 237,178,115,2,3,1,0,1>>},
- issuerUniqueID = asn1_NOVALUE,
- subjectUniqueID = asn1_NOVALUE,
- extensions = [{'Extension',{2,5,29,19},false,<<48,0>>},
- {'Extension',{2,5,29,15},false,<<3,2,5,224>>},
- {'Extension',
- {2,5,29,14},
- false,
- <<4,20,63,72,140,0,84,13,114,48,50,31,9,241,231,177,20,184,8,114,
- 244,29>>},
- {'Extension',
- {2,5,29,35},
- false,
- <<48,129,168,128,20,99,34,37,88,164,188,98,22,125,252,71,72,246,
- 115,141,222,108,19,122,168,161,129,140,164,129,137,48,129,134,
- 49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,
- 48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,
- 20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,
- 66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,
- 109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,
- 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,
- 46,101,114,105,99,115,115,111,110,46,115,101,130,1,1>>},
- {'Extension',
- {2,5,29,17},
- false,
- <<48,18,130,16,104,111,115,116,46,101,120,97,109,112,108,101,46,
- 99,111,109>>},
- {'Extension',
- {2,5,29,18},
- false,
- <<48,24,129,22,112,101,116,101,114,64,101,114,105,120,46,101,
- 114,105,99,115,115,111,110,46,115,101>>}]},
- signatureAlgorithm = {'AlgorithmIdentifier',{1,2,840,113549,1,1,5},<<5,0>>},
- signature = <<86,112,29,225,102,143,193,55,126,115,187,208,118,153,111,177,160,121,55,
- 33,184,60,27,111,40,7,93,241,9,226,40,125,181,36,173,116,190,43,187,52,
- 254,50,229,222,56,215,132,67,217,174,121,24,94,240,163,56,12,36,212,2,
- 40,94,102,126,206,52,40,32,218,59,86,166,238,137,144,90,57,211,141,81,
- 32,102,215,180,59,133,125,208,199,166,81,35,49,24,88,100,127,90,145,237,
- 150,249,227,123,120,98,230,12,106,72,201,127,54,94,164,204,23,158,3,230,
- 232,181,95,251,98,6,28,115,46,153,241,233,254,152,176,114,12,148,24,234,
- 185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101,56,222,188,
- 78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206,52,220,
- 63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77,
- 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160,
- 242,247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13,
- 122,111,22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>},
-
- %% test of the exported functions
- ct:pal("Check pubkey_ocsp:verify_ocsp_response/3~n"),
- {ok, SingleResponseGood} =
- pubkey_ocsp:verify_ocsp_response(OCSPResponseDer, [Cert], Nonce),
- {error, ocsp_response_bad_signature} =
- pubkey_ocsp:verify_ocsp_response(MalOCSPResponseDer, [Cert], Nonce),
 {error, nonce_mismatch} =
- pubkey_ocsp:verify_ocsp_response(OCSPResponseDer, [Cert], <<1,2,3>>),
- ct:pal("pubkey_ocsp:verify_ocsp_response/3...ok~n"),
-
- ct:pal("Check pubkey_ocsp:decode_ocsp_response/1~n"),
- {ok, #'BasicOCSPResponse'{}} =
- pubkey_ocsp:decode_ocsp_response(OCSPResponseDer),
- ct:pal("pubkey_ocsp:decode_ocsp_response/1...ok~n"),
-
- ct:pal("Check pubkey_ocsp:get_ocsp_responder_id/1~n"),
- ResponderIDer =
- pubkey_ocsp:get_ocsp_responder_id(Cert),
- ct:pal("pubkey_ocsp:get_ocsp_responder_id/1...ok~n"),
-
- ct:pal("Check pubkey_ocsp:get_nonce_extn/1~n"),
- undefined =
- pubkey_ocsp:get_nonce_extn(undefined),
- NonceExtension =
- pubkey_ocsp:get_nonce_extn(Nonce),
- ct:pal("pubkey_ocsp:get_nonce_extn/1...ok~n").
\ No newline at end of file
+ pubkey_ocsp:verify_response(OcspResponse,
+ [?RESPONDER_CERT],
+ <<"rubbish_nonce">>,
+ ?ISSUER_CERT,
+ IsTrustedReponderFun),
+
+ OcspResponseProducedAt22ndCentury = % Year AD 2123
+ OcspResponse#'BasicOCSPResponse'{
+ tbsResponseData = #'ResponseData'{producedAt = "21230720122949Z"}},
+ {error,ocsp_stale_response} =
+ pubkey_ocsp:verify_response(OcspResponseProducedAt22ndCentury,
+ [?RESPONDER_CERT],
+ ?NONCE,
+ ?ISSUER_CERT,
+ IsTrustedReponderFun),
+ ok.
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index ec14647c2f..f2c2fd557a 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -127,6 +127,7 @@
 pkix_test_data/1,
 pkix_is_issuer/0,
 pkix_is_issuer/1,
+ pkix_ocsp_validate/0, pkix_ocsp_validate/1,
 short_cert_issuer_hash/0,
 short_cert_issuer_hash/1,
 short_crl_issuer_hash/0,
@@ -135,7 +136,8 @@
 gen_ec_param_prime_field/1,
 gen_ec_param_char_2_field/0,
 gen_ec_param_char_2_field/1,
- cacerts_load/0, cacerts_load/1
+ cacerts_load/0, cacerts_load/1,
+ ocsp_extensions/0, ocsp_extensions/1
 ]).
 
 -export([list_cacerts/0]). % debug exports
@@ -183,7 +185,9 @@ all() ->
 pkix_is_issuer,
 short_cert_issuer_hash, 
 short_crl_issuer_hash,
- cacerts_load
+ cacerts_load,
+ ocsp_extensions,
+ pkix_ocsp_validate
 ].
 
 groups() -> 
@@ -1477,6 +1481,99 @@ gen_ec_param_char_2_field(Config) when is_list(Config) ->
 Datadir = proplists:get_value(data_dir, Config),
 do_gen_ec_param(filename:join(Datadir, "ec_key_param1.pem")).
 
+%%--------------------------------------------------------------------
+ocsp_extensions() ->
+ [{doc, "Check OCSP extensions"}].
+ocsp_extensions(_Config) ->
+ Nonce = <<4,8,66,243,220,236,16,118,51,215>>,
+ ExpectedExtentions =
+ [{'Extension',
+ ?'id-pkix-ocsp-nonce',
+ asn1_DEFAULT,
+ <<4,8,66,243,220,236,16,118,51,215>>},
+ {'Extension',
+ ?'id-pkix-ocsp-response',
+ asn1_DEFAULT,
+ <<48,11,6,9,43,6,1,5,5,7,48,1,1>>}],
+ ExpectedExtentions = public_key:ocsp_extensions(Nonce).
+
+pkix_ocsp_validate() ->
+ [{doc, "Check OCSP extensions"}].
+pkix_ocsp_validate(_Config) ->
+ Cert =
+ {'OTPCertificate',{'OTPTBSCertificate',v3,9,
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'Validity',{utcTime,"230721110721Z"},{utcTime,"330529110721Z"}},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"a.server">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'},
+ {'RSAPublicKey',19254743747256260264207569423711759377779938665145630924415701722071839009286238971264967781043993434178803001083069740412920664146137571550852074547463946025114390093775800702438227109245066854329070921351832849321692114677809046259034306196616912261365770291322044071697789183279204771685063580949070504947864713748039312242300503875879444809664605423001542854874228001872895975468648787616073960661286876663709764410812833966560999459482926236332297043685455899393823175706646393051956438518613689798667608292659880957737510004003274559865311466147775473832468655042097383293967251824412697382839864114388741712057,
+ 65537}},
+ asn1_NOVALUE,asn1_NOVALUE,
+ [{'Extension',{2,5,29,19},false,{'BasicConstraints',false,asn1_NOVALUE}},
+ {'Extension',{2,5,29,15},false,[digitalSignature,nonRepudiation,keyEncipherment]},
+ {'Extension',{2,5,29,14},false,<<175,14,85,35,212,170,133,20,114,234,90,223,163,49,255,87,86,93,165,56>>},
+ {'Extension',{2,5,29,35},
+ false,
+ {'AuthorityKeyIdentifier',<<123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255>>,
+ [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,6},"SE"}],
+ [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}],
+ 1}},
+ {'Extension',{2,5,29,17},false,[{dNSName,"host.example.com"}]},
+ {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]},
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ <<23,196,208,23,144,187,135,84,233,168,123,81,115,112,33,52,77,238,239,70,248,131,119,160,178,216,252,166,176,20,252,211,108,160,202,140,96,84,98,209,7,149,30,184,0,196,139,48,122,36,45,10,198,106,98,33,183,254,48,11,88,64,93,232,152,233,133,216,191,128,35,96,183,221,122,87,230,30,191,199,226,203,164,217,236,101,83,158,113,211,177,52,217,39,96,108,242,87,70,44,246,68,124,122,121,88,188,254,22,48,98,121,238,158,4,160,141,249,255,93,147,83,42,86,62,5,118,164,54,75,87,49,111,
+ 126,197,89,32,226,89,40,154,70,165,118,239,26,249,59,48,52,237,152,240,131,100,187,14,157,201,103,102,27,81,198,226,121,221,68,244,119,130,149,231,179,35,64,96,254,245,5,199,112,145,65,69,80,87,235,140,137,20,220,148,157,94,123,177,186,187,66,99,92,150,213,147,129,36,126,93,4,10,123,70,238,175,247,102,91,42,201,27,123,76,212,45,115,11,31,114,173,124,27,156,248,36,37,195,111,206,236,43,224,157,50,98,109,179,87,223,187,8,204,197,202,155,60>>},
+ IssuerCert =
+ {'OTPCertificate',{'OTPTBSCertificate',v3,1,
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'Validity',{utcTime,"230721110720Z"},{utcTime,"330529110720Z"}},
+ {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]},
+ {'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'},
+ {'RSAPublicKey',21858379260819365313885475389172639523863567481982302063462584029790343874819317972475546206568963022785252583910194728269078148431804871680312638323851125861707159230343297343111968246731095811513561212201088276841624533346998017512000090901290490304174895932870845288899008429347052837949441312958652271962356020302617279856538736007013593572768976262766464136388094144122584736630529987720049486299302127652434926700165727330943325372510516379103006575448279898129379834740761468401572505064753618409945975591285059206889943804512145915054818226570266582909516966602868100682823910151957272535898084374557112395143,
+ 65537}},
+ asn1_NOVALUE,asn1_NOVALUE,
+ [{'Extension',{2,5,29,19},true,{'BasicConstraints',true,asn1_NOVALUE}},
+ {'Extension',{2,5,29,15},false,[keyCertSign,cRLSign]},
+ {'Extension',{2,5,29,14},false,<<123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255>>},
+ {'Extension',{2,5,29,35},
+ false,
+ {'AuthorityKeyIdentifier',<<229,159,14,81,153,72,30,27,33,37,234,91,103,205,230,72,95,185,112,95>>,
+ [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],
+ [{'AttributeTypeAndValue',{2,5,4,6},"SE"}],
+ [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}],
+ 674805639123712796695508479052504582494838106155}},
+ {'Extension',{2,5,29,17},false,[{rfc822Name,"peter@erix.ericsson.se"}]},
+ {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]},
+ {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
+ <<44,128,75,220,253,223,223,77,33,57,30,205,101,103,200,211,254,81,122,195,123,239,98,5,118,58,179,193,24,93,12,243,124,194,160,163,206,243,199,49,143,11,73,192,218,193,154,93,146,232,1,191,99,201,129,94,131,59,107,227,216,17,31,101,67,153,177,189,164,194,224,164,78,160,42,79,131,65,37,78,226,201,200,180,128,38,101,164,193,72,82,196,88,204,145,94,235,84,13,243,0,149,99,175,203,211,108,177,156,17,27,40,87,195,19,56,39,102,103,42,27,60,30,44,204,157,107,121,128,68,93,216,123,
+ 106,112,105,74,7,142,155,171,1,8,31,123,245,78,142,111,142,178,127,169,202,110,125,35,192,199,23,203,201,103,44,99,100,192,156,214,62,109,71,205,66,32,81,252,124,138,238,225,88,247,85,255,65,141,131,234,184,248,20,51,81,71,19,98,102,114,96,49,77,1,79,27,18,218,79,37,232,194,204,172,54,124,167,188,158,43,54,183,230,40,230,152,216,12,27,56,66,104,238,235,52,176,110,159,88,151,7,228,201,248,195,82,131,220,31,104,44,239,147,61,71,35,245>>},
+ OcspRespDer =
+ <<48,130,7,36,10,1,0,160,130,7,29,48,130,7,25,6,9,43,6,1,5,5,7,48,1,1,4,130,7,10,48,130,7,6,48,130,1,10,161,129,134,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,
+ 114,105,99,115,115,111,110,46,115,101,24,15,50,48,50,51,48,55,50,49,49,49,48,55,50,53,90,48,81,48,79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194,162,22,93,127,46,112,193,196,28,241,232,4,20,123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255,2,1,9,128,0,24,15,50,48,50,51,48,55,50,49,49,49,48,55,50,53,90,161,27,48,25,48,23,6,9,43,6,1,5,5,7,48,1,2,4,10,4,8,244,183,192,191,230,8,236,82,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,151,99,
+ 102,238,65,164,80,97,143,115,223,2,201,56,75,220,145,150,17,27,9,169,149,158,40,226,29,109,8,35,234,24,59,113,1,26,123,144,32,68,235,210,36,55,61,215,0,183,49,156,52,153,132,237,180,231,43,45,18,138,126,118,173,130,246,213,225,216,15,85,248,146,35,220,27,100,93,232,234,91,206,224,98,18,48,52,95,213,129,117,11,174,228,48,220,235,82,141,157,179,13,119,17,244,189,21,77,102,114,166,227,25,160,113,148,244,142,33,232,161,77,189,187,72,196,144,82,70,200,250,222,68,154,153,20,33,60,4,252,151,16,64,
+ 207,109,4,30,49,47,75,150,122,24,90,22,226,156,91,30,83,141,79,29,116,58,13,185,66,215,89,19,64,194,190,72,113,112,136,61,75,5,138,239,108,222,87,212,193,155,108,150,47,180,73,3,110,216,68,189,146,8,179,94,110,147,207,86,2,65,251,193,111,254,43,200,77,72,154,214,13,40,48,209,104,42,105,175,163,52,160,39,92,238,240,174,145,3,33,49,33,231,26,14,5,32,33,220,74,149,25,163,131,65,30,63,134,148,160,130,4,224,48,130,4,220,48,130,4,216,48,130,3,192,160,3,2,1,2,2,1,1,48,13,6,9,42,134,72,134,247,13,1,
+ 1,11,5,0,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,30,23,13,50,51,48,55,50,49,49,49,48,55,50,48,90,23,13,
+ 51,51,48,53,50,57,49,49,48,55,50,48,90,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247,
+ 13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,173,38,214,237,131,195,86,49,85,177,225,21,254,222,227,229,5,62,193,131,224,141,51,233,36,68,108,11,164,68,95,160,243,171,55,43,32,228,15,5,179,194,124,9,53,219,33,15,243,77,206,104,255,63,250,231,185,218,111,190,98,34,71,38,139,51,202,112,110,85,248,177,207,156,210,51,28,18,236,236,4,188,58,33,169,250,181,59,114,133,246,82,217,36,166,28,3,70,49,82,68,36,134,32,57,142,168,231,193,73,219,102,49,13,97,199,40,138,118,250,244,41,206,121,115,208,
+ 19,230,5,243,38,239,1,36,41,13,232,86,191,182,144,86,6,211,57,117,243,216,229,51,99,224,126,39,125,40,127,104,11,72,234,205,113,200,92,92,16,19,136,114,193,132,13,94,240,242,21,211,46,12,85,64,205,36,26,63,69,187,206,233,0,170,217,10,160,20,147,236,233,244,66,234,133,95,84,34,109,40,107,163,119,22,202,156,112,153,240,188,17,145,105,157,23,239,140,106,7,155,196,161,187,21,174,181,169,137,91,242,134,9,35,52,159,36,160,30,169,36,130,60,61,61,245,235,229,135,2,3,1,0,1,163,130,1,80,48,130,1,76,48,
+ 15,6,3,85,29,19,1,1,255,4,5,48,3,1,1,255,48,11,6,3,85,29,15,4,4,3,2,1,6,48,29,6,3,85,29,14,4,22,4,20,123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255,48,129,198,6,3,85,29,35,4,129,190,48,129,187,128,20,229,159,14,81,153,72,30,27,33,37,234,91,103,205,230,72,95,185,112,95,161,129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,
+ 115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130,20,118,51,84,213,187,124,136,133,219,84,17,35,72,97,52,24,238,100,168,43,48,33,6,3,85,29,17,4,26,48,24,129,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101,
+ 116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,44,128,75,220,253,223,223,77,33,57,30,205,101,103,200,211,254,81,122,195,123,239,98,5,118,58,179,193,24,93,12,243,124,194,160,163,206,243,199,49,143,11,73,192,218,193,154,93,146,232,1,191,99,201,129,94,131,59,107,227,216,17,31,101,67,153,177,189,164,194,224,164,78,160,42,79,131,65,37,78,226,201,200,180,128,38,101,164,193,72,82,196,88,204,145,94,235,84,13,243,0,149,
+ 99,175,203,211,108,177,156,17,27,40,87,195,19,56,39,102,103,42,27,60,30,44,204,157,107,121,128,68,93,216,123,106,112,105,74,7,142,155,171,1,8,31,123,245,78,142,111,142,178,127,169,202,110,125,35,192,199,23,203,201,103,44,99,100,192,156,214,62,109,71,205,66,32,81,252,124,138,238,225,88,247,85,255,65,141,131,234,184,248,20,51,81,71,19,98,102,114,96,49,77,1,79,27,18,218,79,37,232,194,204,172,54,124,167,188,158,43,54,183,230,40,230,152,216,12,27,56,66,104,238,235,52,176,110,159,88,151,7,228,201,
+ 248,195,82,131,220,31,104,44,239,147,61,71,35,245>>,
+ NonceExt = <<4,8,244,183,192,191,230,8,236,82>>,
+ ok =
+ public_key:pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, NonceExt, []).
+
 %%--------------------------------------------------------------------
 cacerts_load() ->
 [{doc, "Basic tests of cacerts functionality"}].
-- 
2.35.3

Places

File 1501-public_key-OCSP-response-verification-code.patch of Package erlang

Places