From c502d3c9f4bb111a5ace040f6a22c9738e9670de Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Thu, 15 Mar 2018 22:44:21 +0000
Subject: [PATCH] Add OCSP response issuer verification tests

---
 tests/data_files/Makefile | 23 ++++++++++++++++++
 ...thorized-ocsp-responder-for-server2-ca.crt | 22 +++++++++++++++++
 ...thorized-ocsp-responder-for-server2-ca.csr | 16 ++++++++++++
 .../ocsp-resp-fail-issuer-checks.der | Bin 0 -> 1363 bytes
 .../ocsp-resp-fail-unauthorized-issuer.der | Bin 0 -> 1443 bytes
 ...r-server2-ocsp-for-server2-in-database.der | Bin 0 -> 1364 bytes
 tests/data_files/server2-ca.crt | 21 ++++++++++++++++
 tests/data_files/server2-ca.csr | 16 ++++++++++++
 tests/data_files/test-ca-index.txt | 1 +
 tests/data_files/test-ca-serial.txt | 2 +-
 tests/data_files/test-ca.opensslconf | 6 +++++
 tests/suites/test_suite_x509parse_ocsp.data | 15 ++++++++++++
 12 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 tests/data_files/authorized-ocsp-responder-for-server2-ca.crt
 create mode 100644 tests/data_files/authorized-ocsp-responder-for-server2-ca.csr
 create mode 100644 tests/data_files/ocsp-resp-fail-issuer-checks.der
 create mode 100644 tests/data_files/ocsp-resp-fail-unauthorized-issuer.der
 create mode 100644 tests/data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der
 create mode 100644 tests/data_files/server2-ca.crt
 create mode 100644 tests/data_files/server2-ca.csr

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 2f9c43586e..512c2d2aef 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -105,6 +105,20 @@ server2_server2-in-database_server2-in-database-revoked.crt: server2.crt server2
 	cat $^ > $@
 all_final += server2_server2-in-database_server2-in-database-revoked.crt
 
+server2-ca.csr: server2.key
+	$(OPENSSL) req -new -sha256 -key $< -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Server 2 Test CA" -out $@
+all_intermediate += server2-ca.csr
+server2-ca.crt: server2-ca.csr $(test_ca_key_file_rsa) $(test_ca_config_file)
+	$(OPENSSL) ca -config $(test_ca_config_file) -keyfile $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -cert test-ca-sha256.crt -notext -batch -extensions v3_intermediate_ca -days 3653 -md sha256 -in $< -out $@
+all_final += server2-ca.crt
+
+authorized-ocsp-responder-for-server2-ca.csr: server2.key
+	$(OPENSSL) req -new -sha256 -key $< -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=OCSP Responder for PolarSSL Server 2 Test CA" -out $@
+all_intermediate += authorized-ocsp-responder-for-server2-ca.csr
+authorized-ocsp-responder-for-server2-ca.crt: authorized-ocsp-responder-for-server2-ca.csr server2.key $(cli_crt_extensions_file)
+	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -CAkey server2.key -passin "pass:$(test_ca_pwd_rsa)" -CA server2-ca.crt -extensions ocsp -days 3653 -set_serial 20 -sha256 -in $< -out $@
+all_final += authorized-ocsp-responder-for-server2-ca.crt
+
 ################################################################
 #### Generate OCSP responses using existing certificates
 ################################################################
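Review bot: The `authorized-ocsp-responder-for-server2-ca.crt` rule signs with `-CA server2-ca.crt` but does not list that file as a prerequisite, so on a clean tree or under `make -j` the `openssl x509 -req` step can run before `server2-ca.crt` exists; the header should read `authorized-ocsp-responder-for-server2-ca.crt: authorized-ocsp-responder-for-server2-ca.csr server2-ca.crt server2.key $(cli_crt_extensions_file)`. Both new CSRs are generated with `-key server2.key`, so the intermediate CA, its delegated responder and (presumably) the existing server2 leaf all share one private key; that looks like deliberate fixture reuse, but it means these fixtures cannot distinguish a response signed by the responder certificate from one signed by the CA key itself, which is worth stating. A comment such as `# server2.key is reused for the intermediate CA and for its delegated OCSP responder; the responder's AKI therefore equals its own SKI` above `server2-ca.csr:` would spare the next reader from re-deriving this from the certificates.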
@@ -177,6 +191,15 @@ all_final += ocsp-resp-unknown-cert.der
 ocsp-resp-good-revoked-unknown.der: ocsp-req-for-good-revoked-unknown.der test-ca-index.txt test-ca-sha256.crt
 	$(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
 all_final += ocsp-resp-good-revoked-unknown.der
+ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der: ocsp-req-for-server2-in-database.der server2-ocsp.crt server2.key test-ca-index.txt
+	$(OPENSSL) ocsp -rsigner server2-ocsp.crt -index test-ca-index.txt -rkey server2.key -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der
+ocsp-resp-fail-issuer-checks.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt server2-ca.crt server2.key
+	$(OPENSSL) ocsp -rsigner server2-ca.crt -index test-ca-index.txt -rkey server2.key -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-fail-issuer-checks.der
+ocsp-resp-fail-unauthorized-issuer.der: ocsp-req-for-server2-in-database.der test-ca-index.txt server2-ca.crt server2.key
+	$(OPENSSL) ocsp -rsigner authorized-ocsp-responder-for-server2-ca.crt -index test-ca-index.txt -rkey server2.key -CA server2-ca.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-fail-unauthorized-issuer.der
 
 ################################################################
 #### Meta targets
diff --git a/tests/data_files/authorized-ocsp-responder-for-server2-ca.crt b/tests/data_files/authorized-ocsp-responder-for-server2-ca.crt
new file mode 100644
index 0000000000..bb657be3a3
--- /dev/null
+++ b/tests/data_files/authorized-ocsp-responder-for-server2-ca.crt
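Review bot: Two of the new response rules read inputs they do not declare: `ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der` passes `-CA test-ca-sha256.crt` and `ocsp-resp-fail-unauthorized-issuer.der` passes `-rsigner authorized-ocsp-responder-for-server2-ca.crt`, neither of which appears in the corresponding prerequisite list, so a parallel or fresh build can try to sign before the responder certificate has been produced (the sibling `ocsp-resp-good-revoked-unknown.der` rule does list its `-CA` file, and `ocsp-resp-fail-issuer-checks.der` lists everything it uses). Change the two headers to `ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der: ocsp-req-for-server2-in-database.der server2-ocsp.crt server2.key test-ca-index.txt test-ca-sha256.crt` and `ocsp-resp-fail-unauthorized-issuer.der: ocsp-req-for-server2-in-database.der test-ca-index.txt authorized-ocsp-responder-for-server2-ca.crt server2-ca.crt server2.key`. Since each fixture exists to trip one specific verifier check, a one-line comment per rule naming it — e.g. `# Signed by server2-ca itself, which carries no id-kp-OCSPSigning EKU` and `# Signed by a responder delegated by server2-ca, not by the issuer of server2-in-database` — would make the otherwise opaque file names self-explanatory.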
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBFDANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxIjAgBgNVBAMTGVBvbGFyU1NMIFNlcnZlciAyIFRl +c3QgQ0EwHhcNMTgwMzE1MjIzNDEzWhcNMjgwMzE1MjIzNDEzWjBXMQswCQYDVQQG +EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxNTAzBgNVBAMTLE9DU1AgUmVzcG9uZGVy +IGZvciBQb2xhclNTTCBTZXJ2ZXIgMiBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin +7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP6 +4bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh +2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qL +RF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/o +NJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABo4GHMIGEMAkGA1Ud +EwQCMAAwHQYDVR0OBBYEFKUF6GS43N9gD1ASTWCoZK9Ni0OTMB8GA1UdIwQYMBaA +FKUF6GS43N9gD1ASTWCoZK9Ni0OTMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8E +DDAKBggrBgEFBQcDCTAPBgkrBgEFBQcwAQUEAgUAMA0GCSqGSIb3DQEBCwUAA4IB +AQBmRotfiFt1dDokwLqN9gl9AI0LUmncxOvQvNReBJYTlQW5DUc2kwC9QutIgyME +IMwZIvaMSrJBzbfCjmGXo22sdkGFd+Lk9HkzYqsB09njtE7ir+EDmoHf9d8KhZ38 +cDEN7aHTgjM5SE7AI6dOlp/nteY81LX2oP0I2S/5GR8rtUq1euo+lEc4zNXS/VKL +vNAE0jAvpKNj9xtgDwVbuor497vnjr71ESuwpCFcts85dHsDZ8ahslTlxLzOU/WO +q7G+orUpacjsluGUJU0duB0Ysk10uNEJyZYZmvYrHs4WeEwZ6WAZOaO1PALgzZtQ +6xsgD+QAJYM5ek92w7eskZsZ +-----END CERTIFICATE----- diff --git a/tests/data_files/authorized-ocsp-responder-for-server2-ca.csr b/tests/data_files/authorized-ocsp-responder-for-server2-ca.csr new file mode 100644 index 0000000000..cd2755ee61 --- /dev/null +++ b/tests/data_files/authorized-ocsp-responder-for-server2-ca.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMTUw +MwYDVQQDEyxPQ1NQIFJlc3BvbmRlciBmb3IgUG9sYXJTU0wgU2VydmVyIDIgVGVz +dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJ +criZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSM +nLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgf +oNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG +0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/Ew +yEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf3 +6hIBMJcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAa0QS1/vmGR3Ldol8IHLj5 +EB6ZOYymdkywvDoZ4ALGnkKDin7yI6CO1S3kx4QT6lhwemaLwEiZVK9+H8WZJGXZ +x+fskjFrkdSs5hsTGyvHlGt4pRYL/DYpoG67ePwkLIkusRWUTGVMDJEDQZtleEAv +XaYGLg+nkbCRzoSdEfkQB+rkTSxN5DdgTywXOdGIpNGsMxevY4fxh5M69+cDt+xF +0CU2P+LWxY+LvInIAOfxNG8T4WkkX5uq+pLahWVK2s3oGANVvAO03y6cs+o0ue8d +yLEsI1W9ANFYTlI2hdqwY4ZW9LwERarQpYjf4yvxWVnenhKvJb6Nq3k/sswwD2kn +-----END CERTIFICATE REQUEST----- 
diff --git a/tests/data_files/ocsp-resp-fail-issuer-checks.der b/tests/data_files/ocsp-resp-fail-issuer-checks.der new file mode 100644 index 0000000000000000000000000000000000000000..3ef744b410b6e1ba33359f1c71bee81ca4d1d49f GIT binary patch literal 1363 zcmXqLV)f@@WLVI|>S55t>cYmU&Bn;e%5K2O$kN1W3KTLlXk5F{&A`Qw+klgeIh2J> zn90w_P|$!M#NiU=2*}S#ED8?xF;p^800}V*OTvT{f>VpiQi~Lf6hcyqOB9?PCHRdD z3@r?d4NZ-V3``6Rq6~rz0t~Ey2D57OF*8ZAGO&nniDoRj*e;*EcHZ4>8_(yuePZHd zXA#*F^%Nv`wecO0p-i;HdzwXaq*zwEl^0D3ha#tkoo0MjsJMdsrdCJo~v(}HLKi1cJ z?Oik3&qD5*(MLcx1!Fq)spIv@5=6-c|*s%$VMN?uzdXgI%uqvRhBw zEjz;S*CB7uWl7gFKC?XPcALC#*!c9t?g!uQxcpuqu|t5-eI0wgW&YEvPjodJ7RxQ` zGUxg>?e9eH7t{9bJDsDer_HHVC|%w>edj)xO3uCY#CHP<_3O7g1LJo7!5M{sgq>heyE?iDNDP|~)l!?V(95uSYpe+;L>lRhnsm%Jb&18+r z*YXEyDLr#GXw)ve^{VIDNttPT{vBiq+H7`Z@vny)%Wh0Kn7Ab^$ZU~X@T%1%aqP8{ zO}Djf$S=6bE2Ha~_B~p)*zE;(mwzVDR)z@=Z#4;|)vgQC?oO?oxbRWp;j<2&9PcuC zK6bZVa@&7l$0|W)x%#jbQgSX5{QRxmx4K>89!VTa(m$To`z!WF?Pv8)O~#`W`0Uj` z8l3Rrdw=cT@#E^*$60NwjxgEGlC|T1VKO87bg_5Pv>SqpbQ(G`Eu${;Z@3q!FL?a> zD!rN(6KB>PzLl+KdFxE2kiOfcb<5kXN!r}J^mDeg=(9Ba z;N!mKXJzJ1v){+YCV3#_>XMSjs++X3IzQ#k;{IN~Nujy0jH{;QfnJL*f6cws-d`pex=$9nJ~w0D*$B&( zMlRX&iWjY!Hg#ocd7~VMZ-I=~hi9+!E?qdw_&6?DZ_lb%YN@7XH-cAw6YKh&sl8LlZ8k<$R(1nMMwTYlR-jO$LF0jikp|(0+yM?ii~Vo`9gkD;l7F-VA6SjXQvI6xsNwYVTZFD11|AuYd10j5eJ zIJKw@C}yM(l3HA%;Or>DZ)9L-VPI@%YGh<=VPX1$d;%lOE=%U6!dN9)n!xpU)$|D{`WrCYf+ImIGH0X@!^5N ztiUzBvoa>CeZ0k*GC!bw!a-fV-B({XN>_<1H3V^8Jg5Bm6Wj9l?-!lDpRY0VQrTC_ zo*iej(_I7fvO8@baFn`96ueo+)VKcnHJhU5-n2{2r#fHEto4z5cVU;x&dpOND|TN` zDA=wjxbQ|WPl?y8jg@S-UzR2I+UoFh>hAC3`ofmh{G`2Gt81yj<~POq6Hbab$!uu& z@z=<_)?oH3;SI6V((@b7-CDcz^y6D>?g4WaG%+tTXkuOj#PbZAnA#RFGchtTF^U)< zg%vj|gMkadh*vUDfJD3`&R8~(6X%7;vWcN_lsK;uEYd+-nk6rTCPpP>A2EVspPvCJ z&cy^u1_yl?-+g{o_9Dx5&!QbO*YH(5v9j?xZzU{tA?nH5#S9(G-^pc9TOPD!!h7AK zDm#@~f3}&dQTbZ_KrN+b&IXOzg|}YyJUb~fZO^}hEJ2&it}OobaAVnx2?rCmqy?ER zQVU+Sx+IRhR&3R0Y4+-e-;*ICiVscF%VxB#OE>KV&i}m zGR&O7QUqS$u(B`#lN)O41LxE@tazj4+w^l}Gf-Z}F6!k#N}EYpOi 
zvhL({H=E3`*XgxKvoedq8A+vYJzkp}&u%}|mpFZK?wT^k*78SBzEm0~t!BJ@^YIqH zN9!Ll&uYB?^*&eY+&=||yl)p?ZZfv?@H?Qq+;7_a=UboIT-o|`adP*wYPe0 zt$JlQ#ogk})k}Yay7ydQxn!WfWO4F$=>&e(=v`euzVCkCx9_W<_J$>jG26~tmQ*vR zA6vL7-+gh930vdX{g@b)zmXG;PA{!$+0 literal 0 HcmV?d00001 diff --git a/tests/data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der b/tests/data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der new file mode 100644 index 0000000000000000000000000000000000000000..5beab0b33f873af0aff09448cf17bd1021eb164c GIT binary patch literal 1364 zcmXqLVh!M8WLVI|>S@r#>dMBc&Bn;e%5K2O$kN1W1{5+fXq>yy%)rEu+klgeIh2J> zn90w_P|$!M#Np!M2*}S#ED8?xF%&Wo00}YkaOUJEC+1}27nexz8yOf{7#JIx8d@5g z8yiL$1Q`SvSOX1W)#hVnl450G5#bWeSaz{pK6&lDyW2LN&vpC6#L3PgvL))t(#`iS z1%2Cjb=g$@*LHi3|NYOzB*4(XfN3T#8>d#AN85K^Mxe_Xn41_G8Pc>{!WVk3oA%o7 z-rBfNOM1+8jjB)i?Op!-L{$Lq&94{KWF%K!^QeCFP=v*Amg|$Y-kzY{@kwvKcSp|O za+h!B`OFhW$9QBF_B?&=D4h4s>3Pk~>Xt(~x-sd?p1+8a-aYN%M46Q-pEDh8r>D{ZRA8;-@s2uly zK@)S8K@)Qs5EmIVF-0w4W@2PwVq`Hu3M+0_1_Nt?u_|dG4vAF(SVSv?q!yPbI6E51 ziSrto8(0__8X6iI8yH22^BRG;Kt7mDUXn3rVpKwQB_lXS`5A!XTuh*-J?Ojm?(?&< z7g?@*7VVh1hOgp@m5tYVD`Bwv(03U%GdG- zYAHQ)HfYo?y!EQ**-4pcd;T3{3EFISW$~|v8_RA?IGDI4Ey!$aVH(^D}df#s6 z$p-QuX=N4(1F;6IdCPzgq=281@jnX-GZTA*ff$Id3gYt^aItYfN(E+4V77;s5Uear zz$Ap4qQJS&VzKwkv}p@;57-`Pow&6?;nu$DxF^%q%tFiEo;rRO^1c1g#&@%M596O# z@5Ht#+)S_gz`tz6roJZ|dtR5kSz!K{LAg$JVc4_jCXeHGK6RSxFlme9Gu?TT=Z@K0 zY$*A=YZi-du`1_^w{Nd5h<9uLdC6(6#d}`2X(=fsmUA`>uK(J1Y-)Pzs&y7GSI4i} zRV3V~rs1M|^s#{Ln(0@*Wm`_zG-siX*OV8n3y=1CoOq^LV$DA*Qo8Bn65%Cw&POi2 zoq6+2mE1N1p`*e9ZeiliYYz)cz4)lO|I^}>WxHLC7+G3w7|l7fVgIA+$9mM3f0ntq Yh3iYGx0K?gZ+sppZOIeT)X%m804-w)CjbBd literal 0 HcmV?d00001 diff --git a/tests/data_files/server2-ca.crt b/tests/data_files/server2-ca.crt new file mode 100644 index 0000000000..15a7e24535 --- /dev/null +++ b/tests/data_files/server2-ca.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYTCCAkmgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCTkwx +ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMB4X +DTE4MDMxNTIyMDMzNFoXDTI4MDMxNTIyMDMzNFowRDELMAkGA1UEBhMCTkwxETAP +BgNVBAoTCFBvbGFyU1NMMSIwIAYDVQQDExlQb2xhclNTTCBTZXJ2ZXIgMiBUZXN0 +IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10ly +uJmsDnjkOjxKzzoTFtBa5M2jAIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIyc +sCh9odrqjObJHJa8/sEEUrM21KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g +2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bS +Rr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDI +Sg7v1t7HxydrxwU9esQCPJodPg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fq +EgEwlwIDAQABo2YwZDAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYD +VR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wEgYDVR0TAQH/BAgwBgEB/wIB +ADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAAxGjaP8S+SQate+ +4lcvRq0GuzCcDY+sfS2vGkovYZl+w9prLjnazHkSL0bSrqeG1hk82dL5mzsV5mYv +U8dNd80cnpY/vgYGGcBU1aR04yU9O4WiVKaVWIc7dHBJc/0S00hNTpAt1u/HyIPT +HU+VENzR7vI4oRL1v4mwVpwApaAvZiyY21g5cMLxySsShYiswR7ldpsAxkFLNj6a +Mi9KzCEkrLdz0+t36diJ8m2aC/d3siCDcXYKfITgLoRND3zeq0v0kjFHkxbXnWie +zVg5qTJEa55zoqyWlalld4EeCE1wHCrw5uou0tDNAeNeUy68quomZTU22FOp9haK ++2Uqobs= +-----END CERTIFICATE----- diff --git a/tests/data_files/server2-ca.csr b/tests/data_files/server2-ca.csr new file mode 100644 index 0000000000..0d9a98c95b --- /dev/null +++ b/tests/data_files/server2-ca.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICiTCCAXECAQAwRDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMSIw +IAYDVQQDExlQb2xhclNTTCBTZXJ2ZXIgMiBUZXN0IENBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2j +AIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM2 +1KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1 +AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+F +i9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJod +Pg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABoAAwDQYJKoZI +hvcNAQELBQADggEBACvv/JLX4bK7C9XI24LkImA4My+KXQg4uGzhoN/pBYeKRsv5 +dxZ+bvVT7DBlHeoJhzr2a1XGJiLB/kpllzlHy2oEiA/6qs7LC9VhAa/9wjjntraA +gwF9oxQXxuQ1IYfWaFmvHx9A0kOAhO36zDzEJXsM0L7LHTxpfjIJNCumRsH8oBpr +xkvFw34DBxyB6DATNStbM4UlGGzumOz0+rWkoJ2adjLT1jDRyJJIBgCaVB8+i1JH +Ckn/XDKLl8XQv0O4twFD0bjfKQvRLah086M3s2YeGQwrHuyPAk3+1LzQxra0HkEG +ecM4D68G+ZImdm1DPaHKq3AXd7M1es9xfYnMrIs= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/test-ca-index.txt b/tests/data_files/test-ca-index.txt index 5dcc043a37..84695584a3 100644 --- a/tests/data_files/test-ca-index.txt +++ b/tests/data_files/test-ca-index.txt @@ -1,2 +1,3 @@ V 280301220605Z 1000 unknown /C=NL/O=PolarSSL/CN=Mbed TLS OCSP test cert R 280306220741Z 180306220741Z 1001 unknown /C=NL/O=PolarSSL/CN=Mbed TLS OCSP revoked test cert +V 280315220334Z 1002 unknown /C=NL/O=PolarSSL/CN=PolarSSL Server 2 Test CA diff --git a/tests/data_files/test-ca-serial.txt b/tests/data_files/test-ca-serial.txt index 7d802a3e71..baccd0398f 100644 --- a/tests/data_files/test-ca-serial.txt +++ b/tests/data_files/test-ca-serial.txt @@ -1 +1 @@ -1002 +1003 diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index ec6d9856a0..3e812ce7bf 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf 
@@ -47,3 +47,9 @@ commonName = PolarSSL Test CA
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = CA:true
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
diff --git a/tests/suites/test_suite_x509parse_ocsp.data b/tests/suites/test_suite_x509parse_ocsp.data
index 6fb21c9989..38ea4361dd 100644
--- a/tests/suites/test_suite_x509parse_ocsp.data
+++ b/tests/suites/test_suite_x509parse_ocsp.data
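Review bot: The new `v3_intermediate_ca` section omits `extendedKeyUsage`, and the `ocsp-resp-fail-issuer-checks.der` fixture built from `server2-ca.crt` depends on that absence (its test case is the "does not have id-kp-OCSPSigning" one), yet nothing in the section records the dependency; someone tidying the config and adding an EKU would silently turn that negative test positive. Suggest a header comment directly under `[ v3_intermediate_ca ]`: `# Intermediate CA for the OCSP tests. Intentionally no extendedKeyUsage: ocsp-resp-fail-issuer-checks.der relies on this CA lacking id-kp-OCSPSigning.` It is also worth a word on why `digitalSignature` is set in `keyUsage` for a CA certificate — presumably so the CA key can sign OCSP responses directly, as that same fixture does — and on why `authorityKeyIdentifier` here drops the `issuer:always` used by the section above, if that difference is intended.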
@@ -285,3 +285,18 @@ x509_ocsp_response_verify:"data_files/ocsp-resp-unknown-cert.der":"data_files/se
 
 X509 OCSP Response verification (SingleResponse cert status good, revoked and unknown)
 x509_ocsp_response_verify:"data_files/ocsp-resp-good-revoked-unknown.der":"data_files/server2_server2-in-database_server2-in-database-revoked.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_UNKNOWN_CERT | MBEDTLS_X509_BADOCSP_RESPONSE_REVOKED_CERT
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning and common parent in trusted CA chain)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der":"data_files/server2-in-database.crt":"":"data_files/test-ca-sha256.crt":0:0
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning and common parent in untrusted chain)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"":0:0
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning, but no common parent)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der":"data_files/server2-in-database.crt":"":"":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED
+
+X509 OCSP Response verification (Issuer has common parent, but does not have id-kp-OCSPSigning)
+x509_ocsp_response_verify:"data_files/ocsp-resp-fail-issuer-checks.der":"data_files/server2-in-database.crt":"data_files/server2-ca.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_BAD_INPUT_DATA:MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning, but no common parent with queried certificate)
+x509_ocsp_response_verify:"data_files/ocsp-resp-fail-unauthorized-issuer.der":"data_files/server2-in-database.crt":"data_files/server2-ca.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED | MBEDTLS_X509_BADOCSP_RESPONSE_UNKNOWN_CERT
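Review bot: The "common parent in untrusted chain" case accepts the response with no trusted CA supplied at all, so what makes that safe is the verifier confirming that the untrusted parent actually signed `server2-in-database.crt` rather than merely carrying the same issuer name; none of the new cases exercises an impostor parent (same subject as the PolarSSL Test CA, different key, issuing its own delegated responder), and the fixtures added here make such a negative case cheap, e.g. a title `X509 OCSP Response verification (Responder parent in untrusted chain has issuer's name but a different key)` expecting `MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED`. The "does not have id-kp-OCSPSigning" case is also the only failing case in this hunk that expects `MBEDTLS_ERR_X509_BAD_INPUT_DATA` instead of `MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED`; if the signer is rejected on a different path before signature checking, the title should say so, otherwise the test pins an accidental return code. Finally, three of the new titles spell the extended key usage `id-pk-OCSPSigning`; the OID name in RFC 6960 is `id-kp-OCSPSigning`, as the fourth title already has it, so `(Issuer has id-kp-OCSPSigning and common parent in trusted CA chain)` and its two siblings should be corrected.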