From c59f97e8229e6b845bc98ec5a373196c96232147 Mon Sep 17 00:00:00 2001
From: bhesh <github@bhmail.me>
Date: Sun, 7 Jan 2024 19:23:51 -0500
Subject: [PATCH] x509-ocsp: implement builder (#1259)

---
 .github/workflows/x509-ocsp.yml               |   2 +-
 Cargo.lock                                    |   2 +
 x509-ocsp/Cargo.toml                          |  14 +-
 x509-ocsp/src/basic.rs                        | 290 +++++----
 x509-ocsp/src/builder.rs                      |  53 ++
 x509-ocsp/src/builder/request.rs              | 165 +++++
 x509-ocsp/src/builder/response.rs             | 184 ++++++
 x509-ocsp/src/cert_id.rs                      |  96 +++
 x509-ocsp/src/cert_status.rs                  | 116 ++++
 x509-ocsp/src/ext.rs                          |  56 +-
 x509-ocsp/src/lib.rs                          |  39 +-
 x509-ocsp/src/request.rs                      |  93 ++-
 x509-ocsp/src/responder_id.rs                 |  48 ++
 x509-ocsp/src/response.rs                     |  47 +-
 x509-ocsp/src/time.rs                         |  45 ++
 x509-ocsp/tests/builder.rs                    | 436 ++++++++++++++
 .../tests/examples/DODEMAILCA_63-resp.der     | Bin 0 -> 3721 bytes
 x509-ocsp/tests/examples/ocsp-by-key-res.der  | Bin 0 -> 511 bytes
 .../tests/examples/ocsp-dtm-no-chain-res.der  | Bin 0 -> 526 bytes
 .../tests/examples/ocsp-internal-error.der    |   2 +
 x509-ocsp/tests/examples/ocsp-malformed.der   |   2 +
 .../examples/ocsp-multiple-exts-clean-req.der | Bin 0 -> 261 bytes
 .../tests/examples/ocsp-multiple-exts-res.der | Bin 0 -> 1453 bytes
 .../ocsp-multiple-requests-nonce-req.der      | Bin 0 -> 777 bytes
 .../examples/ocsp-multiple-requests-req.der   | Bin 0 -> 724 bytes
 .../examples/ocsp-multiple-responses-res.der  | Bin 0 -> 2215 bytes
 .../tests/examples/ocsp-sig-required.der      |   2 +
 x509-ocsp/tests/examples/ocsp-signed-req.der  | Bin 0 -> 1055 bytes
 x509-ocsp/tests/examples/ocsp-try-later.der   |   2 +
 .../tests/examples/ocsp-unauthorized.der      |   2 +
 .../tests/examples/rsa-2048-sha256-ca-crl.der | Bin 0 -> 380 bytes
 .../tests/examples/rsa-2048-sha256-ca-key.der | Bin 0 -> 1217 bytes
 .../tests/examples/rsa-2048-sha256-ca.der     | Bin 0 -> 815 bytes
 .../examples/rsa-2048-sha256-crt-key.der      | Bin 0 -> 1218 bytes
 .../tests/examples/rsa-2048-sha256-crt.der    | Bin 0 -> 691 bytes
 .../examples/rsa-2048-sha256-ocsp-crt-key.der | Bin 0 -> 1218 bytes
 .../examples/rsa-2048-sha256-ocsp-crt.der     | Bin 0 -> 814 bytes
 .../rsa-2048-sha256-revoked-ocsp-res.der      | Bin 0 -> 1310 bytes
 .../tests/examples/sha1-certid-ocsp-req.der   | Bin 0 -> 70 bytes
 .../tests/examples/sha1-certid-ocsp-res.der   | Bin 0 -> 1296 bytes
 .../tests/examples/sha224-certid-ocsp-req.der | Bin 0 -> 90 bytes
 .../tests/examples/sha256-certid-ocsp-req.der | Bin 0 -> 98 bytes
 .../tests/examples/sha256-certid-ocsp-res.der | Bin 0 -> 1326 bytes
 .../tests/examples/sha384-certid-ocsp-req.der | Bin 0 -> 131 bytes
 .../tests/examples/sha512-certid-ocsp-req.der | Bin 0 -> 167 bytes
 .../tests/examples/sha512-certid-ocsp-res.der | Bin 0 -> 1391 bytes
 x509-ocsp/tests/ext.rs                        | 220 +++++++
 x509-ocsp/tests/ocsp.rs                       |  29 +-
 x509-ocsp/tests/requests.rs                   | 444 ++++++++++++++
 x509-ocsp/tests/responses.rs                  | 568 ++++++++++++++++++
 50 files changed, 2758 insertions(+), 199 deletions(-)
 create mode 100644 x509-ocsp/src/builder.rs
 create mode 100644 x509-ocsp/src/builder/request.rs
 create mode 100644 x509-ocsp/src/builder/response.rs
 create mode 100644 x509-ocsp/src/cert_id.rs
 create mode 100644 x509-ocsp/src/cert_status.rs
 create mode 100644 x509-ocsp/src/responder_id.rs
 create mode 100644 x509-ocsp/src/time.rs
 create mode 100644 x509-ocsp/tests/builder.rs
 create mode 100644 x509-ocsp/tests/examples/DODEMAILCA_63-resp.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-by-key-res.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-dtm-no-chain-res.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-internal-error.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-malformed.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-multiple-exts-clean-req.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-multiple-exts-res.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-multiple-requests-nonce-req.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-multiple-requests-req.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-multiple-responses-res.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-sig-required.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-signed-req.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-try-later.der
 create mode 100644 x509-ocsp/tests/examples/ocsp-unauthorized.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-ca-crl.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-ca-key.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-ca.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-crt-key.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-crt.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-ocsp-crt-key.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-ocsp-crt.der
 create mode 100644 x509-ocsp/tests/examples/rsa-2048-sha256-revoked-ocsp-res.der
 create mode 100644 x509-ocsp/tests/examples/sha1-certid-ocsp-req.der
 create mode 100644 x509-ocsp/tests/examples/sha1-certid-ocsp-res.der
 create mode 100644 x509-ocsp/tests/examples/sha224-certid-ocsp-req.der
 create mode 100644 x509-ocsp/tests/examples/sha256-certid-ocsp-req.der
 create mode 100644 x509-ocsp/tests/examples/sha256-certid-ocsp-res.der
 create mode 100644 x509-ocsp/tests/examples/sha384-certid-ocsp-req.der
 create mode 100644 x509-ocsp/tests/examples/sha512-certid-ocsp-req.der
 create mode 100644 x509-ocsp/tests/examples/sha512-certid-ocsp-res.der
 create mode 100644 x509-ocsp/tests/ext.rs
 create mode 100644 x509-ocsp/tests/requests.rs
 create mode 100644 x509-ocsp/tests/responses.rs

diff --git a/.github/workflows/x509-ocsp.yml b/.github/workflows/x509-ocsp.yml
index 893474599..779fccaf6 100644
--- a/.github/workflows/x509-ocsp.yml
+++ b/.github/workflows/x509-ocsp.yml
@@ -38,7 +38,7 @@ jobs:
           toolchain: ${{ matrix.rust }}
           targets: ${{ matrix.target }}
       - uses: RustCrypto/actions/cargo-hack-install@master
-      - run: cargo hack build --target ${{ matrix.target }} --feature-powerset
+      - run: cargo hack build --target ${{ matrix.target }} --feature-powerset --exclude-features std
 
   minimal-versions:
     uses: RustCrypto/actions/.github/workflows/minimal-versions.yml@master
diff --git a/Cargo.lock b/Cargo.lock
index 9dc998c11..d0a015eb0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1958,6 +1958,8 @@ dependencies = [
  "const-oid 0.9.6",
  "der 0.7.8",
  "hex-literal 0.4.1",
+ "lazy_static",
+ "rand",
  "rand_core",
  "spki 0.7.3",
  "x509-cert",
diff --git a/x509-ocsp/Cargo.toml b/x509-ocsp/Cargo.toml
index 7930fc96e..41127d59e 100644
--- a/x509-ocsp/Cargo.toml
+++ b/x509-ocsp/Cargo.toml
@@ -20,11 +20,23 @@ der = { version = "0.7.8", features = ["alloc", "derive", "oid"] }
 spki = { version = "0.7.2", features = ["alloc"] }
 x509-cert = { version = "0.2.4", default-features = false }
 
-# optional dependencies
+# Optional
+digest = { version = "0.10.7", optional = true, default-features = false, features = ["oid"] }
 rand_core = { version = "0.6.4", optional = true, default-features = false }
+signature = { version = "2.1.0", optional = true, default-features = false, features = ["digest", "rand_core"] }
 
 [dev-dependencies]
 hex-literal = "0.4.1"
+lazy_static = "1.4.0"
+rand = "0.8.5"
+rsa = { version = "0.9.2", default-features = false, features = ["sha2"] }
+sha1 = { version = "0.10.6", default-features = false, features = ["oid"] }
+sha2 = { version = "0.10.8", default-features = false, features = ["oid"] }
+
+[features]
+rand = ["rand_core"]
+builder = ["digest", "rand", "signature"]
+std = ["der/std", "x509-cert/std"]
 
 [package.metadata.docs.rs]
 all-features = true
diff --git a/x509-ocsp/src/basic.rs b/x509-ocsp/src/basic.rs
index 1b51308fe..876e01563 100644
--- a/x509-ocsp/src/basic.rs
+++ b/x509-ocsp/src/basic.rs
@@ -1,37 +1,20 @@
 //! Basic OCSP Response
 
+use crate::{
+    ext::Nonce, AsResponseBytes, CertId, CertStatus, OcspGeneralizedTime, ResponderId, Version,
+};
 use alloc::vec::Vec;
-use const_oid::AssociatedOid;
+use const_oid::{
+    db::rfc6960::{ID_PKIX_OCSP_BASIC, ID_PKIX_OCSP_NONCE},
+    AssociatedOid,
+};
 use core::{default::Default, option::Option};
 use der::{
-    asn1::{BitString, GeneralizedTime, Null, OctetString},
-    Choice, Decode, Enumerated, Sequence,
+    asn1::{BitString, ObjectIdentifier},
+    Decode, Sequence,
 };
 use spki::AlgorithmIdentifierOwned;
-use x509_cert::{
-    certificate::Certificate,
-    crl::RevokedCert,
-    ext::{pkix::CrlReason, Extensions},
-    name::Name,
-    serial_number::SerialNumber,
-    time::Time,
-};
-
-/// OCSP `Version` as defined in [RFC 6960 Section 4.1.1].
-///
-/// ```text
-/// Version ::= INTEGER { v1(0) }
-/// ```
-///
-/// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
-#[derive(Clone, Debug, Default, Copy, PartialEq, Eq, Enumerated)]
-#[asn1(type = "INTEGER")]
-#[repr(u8)]
-pub enum Version {
-    /// Version 1 (default)
-    #[default]
-    V1 = 0,
-}
+use x509_cert::{certificate::Certificate, ext::Extensions};
 
 /// BasicOcspResponse structure as defined in [RFC 6960 Section 4.2.1].
 ///
@@ -55,6 +38,20 @@ pub struct BasicOcspResponse {
     pub certs: Option<Vec<Certificate>>,
 }
 
+impl BasicOcspResponse {
+    /// Returns the response's nonce value, if any. This method will return `None` if the response
+    /// has no `Nonce` extension or decoding of the `Nonce` extension fails.
+    pub fn nonce(&self) -> Option<Nonce> {
+        self.tbs_response_data.nonce()
+    }
+}
+
+impl AssociatedOid for BasicOcspResponse {
+    const OID: ObjectIdentifier = ID_PKIX_OCSP_BASIC;
+}
+
+impl AsResponseBytes for BasicOcspResponse {}
+
 /// ResponseData structure as defined in [RFC 6960 Section 4.2.1].
 ///
 /// ```text
@@ -77,45 +74,30 @@ pub struct ResponseData {
     )]
     pub version: Version,
     pub responder_id: ResponderId,
-    pub produced_at: GeneralizedTime,
+    pub produced_at: OcspGeneralizedTime,
     pub responses: Vec<SingleResponse>,
 
     #[asn1(context_specific = "1", optional = "true", tag_mode = "EXPLICIT")]
     pub response_extensions: Option<Extensions>,
 }
 
-/// ResponderID structure as defined in [RFC 6960 Section 4.2.1].
-///
-/// ```text
-/// ResponderID ::= CHOICE {
-///    byName              [1] Name,
-///    byKey               [2] KeyHash }
-/// ```
-///
-/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
-#[derive(Clone, Debug, Eq, PartialEq, Choice)]
-#[allow(missing_docs)]
-pub enum ResponderId {
-    #[asn1(context_specific = "1", tag_mode = "EXPLICIT", constructed = "true")]
-    ByName(Name),
-
-    #[asn1(context_specific = "2", tag_mode = "EXPLICIT", constructed = "true")]
-    ByKey(KeyHash),
+impl ResponseData {
+    /// Returns the response's nonce value, if any. This method will return `None` if the response
+    /// has no `Nonce` extension or decoding of the `Nonce` extension fails.
+    pub fn nonce(&self) -> Option<Nonce> {
+        match &self.response_extensions {
+            Some(extns) => {
+                let mut filter = extns.iter().filter(|e| e.extn_id == ID_PKIX_OCSP_NONCE);
+                match filter.next() {
+                    Some(extn) => Nonce::from_der(extn.extn_value.as_bytes()).ok(),
+                    None => None,
+                }
+            }
+            None => None,
+        }
+    }
 }
 
-/// KeyHash structure as defined in [RFC 6960 Section 4.2.1].
-///
-/// ```text
-/// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
-///                          -- (i.e., the SHA-1 hash of the value of the
-///                          -- BIT STRING subjectPublicKey [excluding
-///                          -- the tag, length, and number of unused
-///                          -- bits] in the responder's certificate)
-/// ```
-///
-/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
-pub type KeyHash = OctetString;
-
 /// SingleResponse structure as defined in [RFC 6960 Section 4.2.1].
 ///
 /// ```text
@@ -133,112 +115,116 @@ pub type KeyHash = OctetString;
 pub struct SingleResponse {
     pub cert_id: CertId,
     pub cert_status: CertStatus,
-    pub this_update: GeneralizedTime,
+    pub this_update: OcspGeneralizedTime,
 
     #[asn1(context_specific = "0", optional = "true", tag_mode = "EXPLICIT")]
-    pub next_update: Option<GeneralizedTime>,
+    pub next_update: Option<OcspGeneralizedTime>,
 
     #[asn1(context_specific = "1", optional = "true", tag_mode = "EXPLICIT")]
     pub single_extensions: Option<Extensions>,
 }
 
-/// CertID structure as defined in [RFC 6960 Section 4.1.1].
-///
-/// ```text
-/// CertID ::= SEQUENCE {
-///    hashAlgorithm           AlgorithmIdentifier,
-///    issuerNameHash          OCTET STRING, -- Hash of issuer's DN
-///    issuerKeyHash           OCTET STRING, -- Hash of issuer's public key
-///    serialNumber            CertificateSerialNumber }
-/// ```
-///
-/// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
-#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
-#[allow(missing_docs)]
-pub struct CertId {
-    pub hash_algorithm: AlgorithmIdentifierOwned,
-    pub issuer_name_hash: OctetString,
-    pub issuer_key_hash: OctetString,
-    pub serial_number: SerialNumber,
-}
-
-/// CertStatus structure as defined in [RFC 6960 Section 4.2.1].
-///
-/// ```text
-/// CertStatus ::= CHOICE {
-///    good                [0] IMPLICIT NULL,
-///    revoked             [1] IMPLICIT RevokedInfo,
-///    unknown             [2] IMPLICIT UnknownInfo }
-/// ```
-///
-/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
-#[derive(Clone, Debug, Eq, PartialEq, Choice)]
-#[allow(missing_docs)]
-pub enum CertStatus {
-    #[asn1(context_specific = "0", tag_mode = "IMPLICIT")]
-    Good(Null),
-
-    #[asn1(context_specific = "1", tag_mode = "IMPLICIT", constructed = "true")]
-    Revoked(RevokedInfo),
+#[cfg(feature = "builder")]
+mod builder {
+    use crate::{builder::Error, CertId, CertStatus, OcspGeneralizedTime, SingleResponse};
+    use const_oid::AssociatedOid;
+    use digest::Digest;
+    use x509_cert::{
+        crl::CertificateList, ext::AsExtension, name::Name, serial_number::SerialNumber,
+        Certificate,
+    };
+
+    impl SingleResponse {
+        /// Returns a `SingleResponse` given the `CertID`, `CertStatus`, and `This Update`. `Next
+        /// Update` is set to `None`.
+        pub fn new(
+            cert_id: CertId,
+            cert_status: CertStatus,
+            this_update: OcspGeneralizedTime,
+        ) -> Self {
+            Self {
+                cert_id,
+                cert_status,
+                this_update,
+                next_update: None,
+                single_extensions: None,
+            }
+        }
 
-    #[asn1(context_specific = "2", tag_mode = "IMPLICIT")]
-    Unknown(UnknownInfo),
-}
+        /// Sets `thisUpdate` in the `singleResponse` as defined in [RFC 6960 Section 4.2.1].
+        ///
+        /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+        pub fn with_this_update(mut self, this_update: OcspGeneralizedTime) -> Self {
+            self.this_update = this_update;
+            self
+        }
 
-/// RevokedInfo structure as defined in [RFC 6960 Section 4.2.1].
-///
-/// ```text
-/// RevokedInfo ::= SEQUENCE {
-///    revocationTime          GeneralizedTime,
-///    revocationReason        [0] EXPLICIT CRLReason OPTIONAL }
-/// ```
-///
-/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
-#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
-#[allow(missing_docs)]
-pub struct RevokedInfo {
-    pub revocation_time: GeneralizedTime,
+        /// Sets `nextUpdate` in the `singleResponse` as defined in [RFC 6960 Section 4.2.1].
+        ///
+        /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+        pub fn with_next_update(mut self, next_update: OcspGeneralizedTime) -> Self {
+            self.next_update = Some(next_update);
+            self
+        }
 
-    #[asn1(context_specific = "0", optional = "true", tag_mode = "EXPLICIT")]
-    pub revocation_reason: Option<CrlReason>,
-}
+        /// Adds a single response extension as specified in [RFC 6960 Section 4.4]. Errors when the
+        /// extension encoding fails.
+        ///
+        /// [RFC 6960 Section 4.4]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4
+        pub fn with_extension(mut self, ext: impl AsExtension) -> Result<Self, Error> {
+            let ext = ext.to_extension(&Name::default(), &[])?;
+            match self.single_extensions {
+                Some(ref mut exts) => exts.push(ext),
+                None => self.single_extensions = Some(alloc::vec![ext]),
+            }
+            Ok(self)
+        }
 
-impl From<&RevokedCert> for RevokedInfo {
-    fn from(rc: &RevokedCert) -> Self {
-        Self {
-            revocation_time: match rc.revocation_date {
-                Time::UtcTime(t) => GeneralizedTime::from_date_time(t.to_date_time()),
-                Time::GeneralTime(t) => t,
-            },
-            revocation_reason: if let Some(extensions) = &rc.crl_entry_extensions {
-                let mut filter = extensions
-                    .iter()
-                    .filter(|ext| ext.extn_id == CrlReason::OID);
-                match filter.next() {
-                    None => None,
-                    Some(ext) => match CrlReason::from_der(ext.extn_value.as_bytes()) {
-                        Ok(reason) => Some(reason),
-                        Err(_) => None,
-                    },
+        /// Returns a `SingleResponse` by searching through the CRL to see if `serial` is revoked. If
+        /// not, the `CertStatus` is set to good. The `CertID` is built from the issuer and serial
+        /// number. This method does not ensure the CRL is issued by the issuer and only asserts the
+        /// serial is not revoked in the provided CRL.
+        ///
+        /// `thisUpdate` and `nextUpdate` will be pulled from the CRL.
+        ///
+        /// NOTE: this method complies with [RFC 2560 Section 2.2] and not [RFC 6960 Section 2.2].
+        /// [RFC 6960] limits the `good` status to only issued certificates. [RFC 2560] only asserts
+        /// the serial was not revoked and makes no assertion the serial was ever issued.
+        ///
+        /// [RFC 2560]: https://datatracker.ietf.org/doc/html/rfc2560
+        /// [RFC 2560 Section 2.2]: https://datatracker.ietf.org/doc/html/rfc2560#section-2.2
+        /// [RFC 6960]: https://datatracker.ietf.org/doc/html/rfc6960
+        /// [RFC 6960 Section 2.2]: https://datatracker.ietf.org/doc/html/rfc6960#section-2.2
+        pub fn from_crl<D>(
+            issuer: &Certificate,
+            crl: &CertificateList,
+            serial_number: SerialNumber,
+        ) -> Result<Self, Error>
+        where
+            D: Digest + AssociatedOid,
+        {
+            let cert_status = match &crl.tbs_cert_list.revoked_certificates {
+                Some(revoked_certs) => {
+                    let mut filter = revoked_certs
+                        .iter()
+                        .filter(|rc| rc.serial_number == serial_number);
+                    match filter.next() {
+                        None => CertStatus::good(),
+                        Some(rc) => CertStatus::revoked(rc),
+                    }
                 }
-            } else {
-                None
-            },
+                None => CertStatus::good(),
+            };
+            let cert_id = CertId::from_issuer::<D>(issuer, serial_number)?;
+            let this_update = crl.tbs_cert_list.this_update.into();
+            let next_update = crl.tbs_cert_list.next_update.map(|t| t.into());
+            Ok(Self {
+                cert_id,
+                cert_status,
+                this_update,
+                next_update,
+                single_extensions: None,
+            })
         }
     }
 }
-
-impl From<RevokedCert> for RevokedInfo {
-    fn from(rc: RevokedCert) -> Self {
-        Self::from(&rc)
-    }
-}
-
-/// RevokedInfo structure as defined in [RFC 6960 Section 4.2.1].
-///
-/// ```text
-/// UnknownInfo ::= NULL
-/// ```
-///
-/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
-pub type UnknownInfo = Null;
diff --git a/x509-ocsp/src/builder.rs b/x509-ocsp/src/builder.rs
new file mode 100644
index 000000000..d46389619
--- /dev/null
+++ b/x509-ocsp/src/builder.rs
@@ -0,0 +1,53 @@
+//! OCSP builder module
+
+use alloc::fmt;
+
+mod request;
+mod response;
+
+pub use self::request::OcspRequestBuilder;
+pub use self::response::OcspResponseBuilder;
+
+/// Error type
+#[derive(Debug)]
+pub enum Error {
+    /// ASN.1 DER-related errors
+    Asn1(der::Error),
+
+    /// Public key errors
+    PublicKey(spki::Error),
+
+    /// Signing errors
+    Signature(signature::Error),
+}
+
+#[cfg(feature = "std")]
+impl std::error::Error for Error {}
+
+impl fmt::Display for Error {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Error::Asn1(err) => write!(f, "ASN.1 error: {}", err),
+            Error::PublicKey(err) => write!(f, "public key error: {}", err),
+            Error::Signature(err) => write!(f, "signature error: {}", err),
+        }
+    }
+}
+
+impl From<der::Error> for Error {
+    fn from(other: der::Error) -> Self {
+        Self::Asn1(other)
+    }
+}
+
+impl From<spki::Error> for Error {
+    fn from(other: spki::Error) -> Self {
+        Self::PublicKey(other)
+    }
+}
+
+impl From<signature::Error> for Error {
+    fn from(other: signature::Error) -> Self {
+        Self::Signature(other)
+    }
+}
diff --git a/x509-ocsp/src/builder/request.rs b/x509-ocsp/src/builder/request.rs
new file mode 100644
index 000000000..eb7902d92
--- /dev/null
+++ b/x509-ocsp/src/builder/request.rs
@@ -0,0 +1,165 @@
+//! OCSP request builder
+
+use crate::{builder::Error, OcspRequest, Request, Signature, TbsRequest, Version};
+use alloc::vec::Vec;
+use der::Encode;
+use rand_core::CryptoRngCore;
+use signature::{RandomizedSigner, Signer};
+use spki::{DynSignatureAlgorithmIdentifier, SignatureBitStringEncoding};
+use x509_cert::{
+    ext::{pkix::name::GeneralName, AsExtension},
+    name::Name,
+    Certificate,
+};
+
+/// X509 OCSP Request builder
+///
+/// ```
+/// use der::Decode;
+/// use sha1::Sha1;
+/// use x509_cert::{serial_number::SerialNumber, Certificate};
+/// use x509_ocsp::builder::OcspRequestBuilder;
+/// use x509_ocsp::{ext::Nonce, Request};
+///
+/// # const ISSUER_DER: &[u8] = include_bytes!("../../tests/examples/rsa-2048-sha256-ca.der");
+/// # const CERT_DER: &[u8] = include_bytes!("../../tests/examples/rsa-2048-sha256-crt.der");
+/// # const KEY_DER: &[u8] = include_bytes!("../../tests/examples/rsa-2048-sha256-crt-key.der");
+/// # use rsa::{pkcs1v15::SigningKey, pkcs8::DecodePrivateKey};
+/// # use sha2::Sha256;
+/// # fn rsa_signer() -> SigningKey<Sha256> {
+/// #     let private_key = rsa::RsaPrivateKey::from_pkcs8_der(KEY_DER).unwrap();
+/// #     let signing_key = SigningKey::<Sha256>::new(private_key);
+/// #     signing_key
+/// # }
+/// let issuer = Certificate::from_der(ISSUER_DER).unwrap();
+/// let cert = Certificate::from_der(CERT_DER).unwrap();
+///
+/// let req = OcspRequestBuilder::default()
+///     .with_request(Request::from_cert::<Sha1>(&issuer, &cert).unwrap())
+///     .build();
+///
+/// let mut rng = rand::thread_rng();
+///
+/// let req = OcspRequestBuilder::default()
+///     .with_request(Request::from_issuer::<Sha1>(&issuer, SerialNumber::from(2usize)).unwrap())
+///     .with_request(Request::from_issuer::<Sha1>(&issuer, SerialNumber::from(3usize)).unwrap())
+///     .with_request(Request::from_issuer::<Sha1>(&issuer, SerialNumber::from(4usize)).unwrap())
+///     .with_extension(Nonce::generate(&mut rng, 32).unwrap())
+///     .unwrap()
+///     .build();
+///
+/// let mut signer = rsa_signer();
+/// let signer_cert_chain = vec![cert.clone()];
+/// let req = OcspRequestBuilder::default()
+///     .with_request(Request::from_cert::<Sha1>(&issuer, &cert).unwrap())
+///     .with_extension(Nonce::generate(&mut rng, 32).unwrap())
+///     .unwrap()
+///     .sign(&mut signer, Some(signer_cert_chain))
+///     .unwrap();
+/// ```
+#[derive(Clone, Debug, Default)]
+pub struct OcspRequestBuilder {
+    tbs: TbsRequest,
+}
+
+impl OcspRequestBuilder {
+    /// Returns an `OcspRequestBuilder` with the specified [`Version`]
+    pub fn new(version: Version) -> Self {
+        Self {
+            tbs: TbsRequest {
+                version,
+                requestor_name: None,
+                request_list: Vec::new(),
+                request_extensions: None,
+            },
+        }
+    }
+
+    /// Sets the requestor name as specified in [RFC 6960 Section 4.1.1]
+    ///
+    /// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+    pub fn with_requestor_name(mut self, requestor_name: GeneralName) -> Self {
+        self.tbs.requestor_name = Some(requestor_name);
+        self
+    }
+
+    /// Adds a [`Request`] to the builder as defined in [RFC 6960 Section 4.1.1].
+    ///
+    /// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+    pub fn with_request(mut self, request: Request) -> Self {
+        self.tbs.request_list.push(request);
+        self
+    }
+
+    /// Adds a request extension as specified in [RFC 6960 Section 4.4]. Errors when the
+    /// extension encoding fails.
+    ///
+    /// [RFC 6960 Section 4.4]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4
+    pub fn with_extension(mut self, ext: impl AsExtension) -> Result<Self, Error> {
+        let ext = ext.to_extension(&Name::default(), &[])?;
+        match self.tbs.request_extensions {
+            Some(ref mut exts) => exts.push(ext),
+            None => self.tbs.request_extensions = Some(alloc::vec![ext]),
+        }
+        Ok(self)
+    }
+
+    /// Consumes the builder and returns an [`OcspRequest`]
+    pub fn build(self) -> OcspRequest {
+        OcspRequest {
+            tbs_request: self.tbs,
+            optional_signature: None,
+        }
+    }
+
+    /// Consumes the builder and returns a signed [`OcspRequest`]. Errors when the algorithm
+    /// identifier encoding, message encoding, or signature generation fails.
+    pub fn sign<S, Sig>(
+        self,
+        signer: &mut S,
+        certificate_chain: Option<Vec<Certificate>>,
+    ) -> Result<OcspRequest, Error>
+    where
+        S: Signer<Sig> + DynSignatureAlgorithmIdentifier,
+        Sig: SignatureBitStringEncoding,
+    {
+        let signature_algorithm = signer.signature_algorithm_identifier()?;
+        let signature = signer.try_sign(&self.tbs.to_der()?)?.to_bitstring()?;
+        let optional_signature = Some(Signature {
+            signature_algorithm,
+            signature,
+            certs: certificate_chain,
+        });
+        Ok(OcspRequest {
+            tbs_request: self.tbs,
+            optional_signature,
+        })
+    }
+
+    /// Consumes the builder and returns a signed [`OcspRequest`]. Errors when the algorithm
+    /// identifier encoding, message encoding, or signature generation fails.
+    pub fn sign_with_rng<S, Sig>(
+        self,
+        signer: &mut S,
+        rng: &mut impl CryptoRngCore,
+        certificate_chain: Option<Vec<Certificate>>,
+    ) -> Result<OcspRequest, Error>
+    where
+        S: RandomizedSigner<Sig> + DynSignatureAlgorithmIdentifier,
+        Sig: SignatureBitStringEncoding,
+    {
+        let signature_algorithm = signer.signature_algorithm_identifier()?;
+        let signature = signer
+            .try_sign_with_rng(rng, &self.tbs.to_der()?)?
+            .to_bitstring()?;
+        let optional_signature = Some(Signature {
+            signature_algorithm,
+            signature,
+            certs: certificate_chain,
+        });
+        Ok(OcspRequest {
+            tbs_request: self.tbs,
+            optional_signature,
+        })
+    }
+}
diff --git a/x509-ocsp/src/builder/response.rs b/x509-ocsp/src/builder/response.rs
new file mode 100644
index 000000000..d77349d8d
--- /dev/null
+++ b/x509-ocsp/src/builder/response.rs
@@ -0,0 +1,184 @@
+//! OCSP response builder
+
+use crate::{
+    builder::Error, BasicOcspResponse, OcspGeneralizedTime, OcspResponse, ResponderId,
+    ResponseData, SingleResponse, Version,
+};
+use alloc::vec::Vec;
+use der::Encode;
+use rand_core::CryptoRngCore;
+use signature::{RandomizedSigner, Signer};
+use spki::{DynSignatureAlgorithmIdentifier, SignatureBitStringEncoding};
+use x509_cert::{
+    ext::{AsExtension, Extensions},
+    name::Name,
+    Certificate,
+};
+
+/// X509 OCSP Response builder
+///
+/// ```
+/// use der::{asn1::ObjectIdentifier, DateTime, Decode};
+/// use x509_cert::Certificate;
+/// use x509_ocsp::builder::OcspResponseBuilder;
+/// use x509_ocsp::{ext::Nonce, CertStatus, OcspGeneralizedTime, OcspRequest, OcspResponse,
+///     SingleResponse,
+/// };
+///
+/// # const OCSP_REQ_DER: &[u8] = include_bytes!(
+/// #     "../../tests/examples/ocsp-multiple-requests-nonce-req.der"
+/// # );
+/// # const CA_DER: &[u8] = include_bytes!("../../tests/examples/rsa-2048-sha256-ca.der");
+/// # const CA_KEY_DER: &[u8] = include_bytes!("../../tests/examples/rsa-2048-sha256-ca-key.der");
+/// # use rsa::{pkcs1v15::SigningKey, pkcs8::DecodePrivateKey};
+/// # use sha2::Sha256;
+/// # fn rsa_signer() -> SigningKey<Sha256> {
+/// #     let private_key = rsa::RsaPrivateKey::from_pkcs8_der(CA_KEY_DER).unwrap();
+/// #     let signing_key = SigningKey::<Sha256>::new(private_key);
+/// #     signing_key
+/// # }
+/// let req = OcspRequest::from_der(OCSP_REQ_DER).unwrap();
+/// let ca = Certificate::from_der(CA_DER).unwrap();
+///
+/// let mut builder = OcspResponseBuilder::new(ca.tbs_certificate.subject.clone())
+///     .with_single_response(
+///         SingleResponse::new(
+///             req.tbs_request.request_list[0].req_cert.clone(),
+///             CertStatus::good(),
+///             OcspGeneralizedTime::from(DateTime::new(2023, 10, 31, 0, 0, 0).unwrap()),
+///         )
+///         .with_next_update(OcspGeneralizedTime::from(
+///             DateTime::new(2024, 1, 1, 0, 0, 0).unwrap()
+///         )),
+///     );
+///
+/// if let Some(nonce) = req.nonce() {
+///     builder = builder.with_extension(nonce).unwrap();
+/// }
+///
+/// #[cfg(feature = "std")]
+/// let now = OcspGeneralizedTime::try_from(std::time::SystemTime::now()).unwrap();
+///
+/// #[cfg(not(feature = "std"))]
+/// let now = OcspGeneralizedTime::from(
+///     DateTime::new(2023, 11, 1, 0, 0, 0).unwrap()
+/// );
+///
+/// let mut signer = rsa_signer();
+/// let signer_cert_chain = vec![ca.clone()];
+/// let resp = builder
+///     .sign(&mut signer, Some(signer_cert_chain), now)
+///     .unwrap();
+/// ```
+#[derive(Clone, Debug)]
+pub struct OcspResponseBuilder {
+    responder_id: ResponderId,
+    responses: Vec<SingleResponse>,
+    response_extensions: Option<Extensions>,
+}
+
+impl OcspResponseBuilder {
+    /// Returns a `OcspResponseBuilder` given the [`Version`], [`ResponderId`], and `Produced
+    /// At` values.
+    pub fn new(responder_id: impl Into<ResponderId>) -> Self {
+        let responder_id = responder_id.into();
+        Self {
+            responder_id,
+            responses: Vec::new(),
+            response_extensions: None,
+        }
+    }
+
+    /// Adds a [`SingleResponse`] to the builder as defined in [RFC 6960 Section 4.2.1].
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+    pub fn with_single_response(mut self, single_response: SingleResponse) -> Self {
+        self.responses.push(single_response);
+        self
+    }
+
+    /// Adds a response extension as specified in [RFC 6960 Section 4.4]. Errors when the
+    /// extension encoding fails.
+    ///
+    /// [RFC 6960 Section 4.4]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4
+    pub fn with_extension(mut self, ext: impl AsExtension) -> Result<Self, Error> {
+        let ext = ext.to_extension(&Name::default(), &[])?;
+        match self.response_extensions {
+            Some(ref mut exts) => exts.push(ext),
+            None => self.response_extensions = Some(alloc::vec![ext]),
+        }
+        Ok(self)
+    }
+
+    /// Consume the builder and returns [`ResponseData`]
+    fn into_response_data(self, produced_at: OcspGeneralizedTime) -> ResponseData {
+        ResponseData {
+            version: Version::default(),
+            responder_id: self.responder_id,
+            produced_at,
+            responses: self.responses,
+            response_extensions: self.response_extensions,
+        }
+    }
+
+    /// Consumes the builder and returns a signed [`OcspResponse`]. Errors when the algorithm
+    /// identifier encoding, message encoding, or signature generation fails.
+    ///
+    /// Per [RFC 6960 Section 2.4], the `producedAt` value must be the time the request was
+    /// signed.
+    ///
+    /// [RFC 6960 Section 2.4]: https://datatracker.ietf.org/doc/html/rfc6960#section-2.4
+    pub fn sign<S, Sig>(
+        self,
+        signer: &mut S,
+        certificate_chain: Option<Vec<Certificate>>,
+        produced_at: OcspGeneralizedTime,
+    ) -> Result<OcspResponse, Error>
+    where
+        S: Signer<Sig> + DynSignatureAlgorithmIdentifier,
+        Sig: SignatureBitStringEncoding,
+    {
+        let tbs_response_data = self.into_response_data(produced_at);
+        let signature_algorithm = signer.signature_algorithm_identifier()?;
+        let signature = signer
+            .try_sign(&tbs_response_data.to_der()?)?
+            .to_bitstring()?;
+        Ok(OcspResponse::successful(BasicOcspResponse {
+            tbs_response_data,
+            signature_algorithm,
+            signature,
+            certs: certificate_chain,
+        })?)
+    }
+
+    /// Consumes the builder and returns a signed [`OcspResponse`]. Errors when the algorithm
+    /// identifier encoding, message encoding, or signature generation fails.
+    ///
+    /// Per [RFC 6960 Section 2.4], the `producedAt` value must be the time the request was
+    /// signed.
+    ///
+    /// [RFC 6960 Section 2.4]: https://datatracker.ietf.org/doc/html/rfc6960#section-2.4
+    pub fn sign_with_rng<S, Sig>(
+        self,
+        signer: &mut S,
+        rng: &mut impl CryptoRngCore,
+        certificate_chain: Option<Vec<Certificate>>,
+        produced_at: OcspGeneralizedTime,
+    ) -> Result<OcspResponse, Error>
+    where
+        S: RandomizedSigner<Sig> + DynSignatureAlgorithmIdentifier,
+        Sig: SignatureBitStringEncoding,
+    {
+        let tbs_response_data = self.into_response_data(produced_at);
+        let signature_algorithm = signer.signature_algorithm_identifier()?;
+        let signature = signer
+            .try_sign_with_rng(rng, &tbs_response_data.to_der()?)?
+            .to_bitstring()?;
+        Ok(OcspResponse::successful(BasicOcspResponse {
+            tbs_response_data,
+            signature_algorithm,
+            signature,
+            certs: certificate_chain,
+        })?)
+    }
+}
diff --git a/x509-ocsp/src/cert_id.rs b/x509-ocsp/src/cert_id.rs
new file mode 100644
index 000000000..c8681f206
--- /dev/null
+++ b/x509-ocsp/src/cert_id.rs
@@ -0,0 +1,96 @@
+//! X.509 OCSP CertID
+
+use der::{asn1::OctetString, Sequence};
+use spki::AlgorithmIdentifierOwned;
+use x509_cert::serial_number::SerialNumber;
+
+/// CertID structure as defined in [RFC 6960 Section 4.1.1].
+///
+/// ```text
+/// CertID ::= SEQUENCE {
+///    hashAlgorithm           AlgorithmIdentifier,
+///    issuerNameHash          OCTET STRING, -- Hash of issuer's DN
+///    issuerKeyHash           OCTET STRING, -- Hash of issuer's public key
+///    serialNumber            CertificateSerialNumber }
+/// ```
+///
+/// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
+#[allow(missing_docs)]
+pub struct CertId {
+    pub hash_algorithm: AlgorithmIdentifierOwned,
+    pub issuer_name_hash: OctetString,
+    pub issuer_key_hash: OctetString,
+    pub serial_number: SerialNumber,
+}
+
+impl From<&CertId> for CertId {
+    /// Clones the referenced `CertID`
+    fn from(other: &CertId) -> Self {
+        other.clone()
+    }
+}
+
+#[cfg(feature = "builder")]
+mod builder {
+    use crate::{builder::Error, CertId};
+    use const_oid::AssociatedOid;
+    use der::{
+        asn1::{Null, OctetString},
+        Encode,
+    };
+    use digest::Digest;
+    use spki::AlgorithmIdentifierOwned;
+    use x509_cert::{serial_number::SerialNumber, Certificate};
+
+    impl CertId {
+        /// Generates a `CertID` by running the issuer's subject and key through the specified
+        /// [`Digest`].
+        ///
+        /// [RFC 6960 Section 4.1.1]
+        ///
+        /// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+        pub fn from_issuer<D>(
+            issuer: &Certificate,
+            serial_number: SerialNumber,
+        ) -> Result<Self, Error>
+        where
+            D: Digest + AssociatedOid,
+        {
+            Ok(Self {
+                hash_algorithm: AlgorithmIdentifierOwned {
+                    oid: D::OID,
+                    parameters: Some(Null.into()),
+                },
+                issuer_name_hash: OctetString::new(
+                    D::digest(issuer.tbs_certificate.subject.to_der()?).to_vec(),
+                )?,
+                issuer_key_hash: OctetString::new(
+                    D::digest(
+                        issuer
+                            .tbs_certificate
+                            .subject_public_key_info
+                            .subject_public_key
+                            .raw_bytes(),
+                    )
+                    .to_vec(),
+                )?,
+                serial_number,
+            })
+        }
+
+        /// Generates a `CertID` by running the issuer's subject and key through the specified
+        /// [`Digest`] and pulls the serial from `cert`. This does not ensure that `cert` is actually
+        /// issued by `issuer`.
+        ///
+        /// [RFC 6960 Section 4.1.1]
+        ///
+        /// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+        pub fn from_cert<D>(issuer: &Certificate, cert: &Certificate) -> Result<Self, Error>
+        where
+            D: Digest + AssociatedOid,
+        {
+            Self::from_issuer::<D>(issuer, cert.tbs_certificate.serial_number.clone())
+        }
+    }
+}
diff --git a/x509-ocsp/src/cert_status.rs b/x509-ocsp/src/cert_status.rs
new file mode 100644
index 000000000..e66d03fb5
--- /dev/null
+++ b/x509-ocsp/src/cert_status.rs
@@ -0,0 +1,116 @@
+//! X.509 OCSP CertStatus
+
+use crate::OcspGeneralizedTime;
+use const_oid::AssociatedOid;
+use core::option::Option;
+use der::{asn1::Null, Choice, Decode, Sequence};
+use x509_cert::{crl::RevokedCert, ext::pkix::CrlReason};
+
+/// CertStatus structure as defined in [RFC 6960 Section 4.2.1].
+///
+/// ```text
+/// CertStatus ::= CHOICE {
+///    good                [0] IMPLICIT NULL,
+///    revoked             [1] IMPLICIT RevokedInfo,
+///    unknown             [2] IMPLICIT UnknownInfo }
+/// ```
+///
+/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+#[derive(Copy, Clone, Debug, Eq, PartialEq, Choice)]
+#[allow(missing_docs)]
+pub enum CertStatus {
+    #[asn1(context_specific = "0", tag_mode = "IMPLICIT")]
+    Good(Null),
+
+    #[asn1(context_specific = "1", tag_mode = "IMPLICIT", constructed = "true")]
+    Revoked(RevokedInfo),
+
+    #[asn1(context_specific = "2", tag_mode = "IMPLICIT")]
+    Unknown(UnknownInfo),
+}
+
+impl CertStatus {
+    /// Returns `CertStatus` set to `good` as defined in [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+    pub fn good() -> Self {
+        Self::Good(Null)
+    }
+
+    /// Returns `CertStatus` set to `revoked` as defined in [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+    pub fn revoked(info: impl Into<RevokedInfo>) -> Self {
+        Self::Revoked(info.into())
+    }
+
+    /// Returns `CertStatus` set to `unknown` as defined in [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+    pub fn unknown() -> Self {
+        Self::Unknown(Null)
+    }
+}
+
+/// RevokedInfo structure as defined in [RFC 6960 Section 4.2.1].
+///
+/// ```text
+/// RevokedInfo ::= SEQUENCE {
+///    revocationTime          GeneralizedTime,
+///    revocationReason        [0] EXPLICIT CRLReason OPTIONAL }
+/// ```
+///
+/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+#[derive(Copy, Clone, Debug, Eq, PartialEq, Sequence)]
+#[allow(missing_docs)]
+pub struct RevokedInfo {
+    pub revocation_time: OcspGeneralizedTime,
+
+    #[asn1(context_specific = "0", optional = "true", tag_mode = "EXPLICIT")]
+    pub revocation_reason: Option<CrlReason>,
+}
+
+/// RevokedInfo structure as defined in [RFC 6960 Section 4.2.1].
+///
+/// ```text
+/// UnknownInfo ::= NULL
+/// ```
+///
+/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+pub type UnknownInfo = Null;
+
+impl From<&RevokedInfo> for RevokedInfo {
+    fn from(info: &RevokedInfo) -> Self {
+        *info
+    }
+}
+
+impl From<&RevokedCert> for RevokedInfo {
+    /// Converts [`RevokedCert`] to [`RevokedInfo`].
+    ///
+    /// Attempts to extract the [`CrlReason`]. If it fails, the `CrlReason` is set to `None`.
+    fn from(rc: &RevokedCert) -> Self {
+        Self {
+            revocation_time: rc.revocation_date.into(),
+            revocation_reason: match &rc.crl_entry_extensions {
+                Some(extns) => {
+                    let mut filter = extns.iter().filter(|extn| extn.extn_id == CrlReason::OID);
+                    match filter.next() {
+                        Some(extn) => CrlReason::from_der(extn.extn_value.as_bytes()).ok(),
+                        None => None,
+                    }
+                }
+                None => None,
+            },
+        }
+    }
+}
+
+impl From<RevokedCert> for RevokedInfo {
+    /// Converts [`RevokedCert`] to [`RevokedInfo`].
+    ///
+    /// Attempts to extract the [`CrlReason`]. If it fails, the `CrlReason` is set to `None`.
+    fn from(rc: RevokedCert) -> Self {
+        Self::from(&rc)
+    }
+}
diff --git a/x509-ocsp/src/ext.rs b/x509-ocsp/src/ext.rs
index 7d8a97207..ea76258b0 100644
--- a/x509-ocsp/src/ext.rs
+++ b/x509-ocsp/src/ext.rs
@@ -1,5 +1,6 @@
 //! OCSP Extensions
 
+use crate::OcspGeneralizedTime;
 use alloc::vec::Vec;
 use const_oid::{
     db::rfc6960::{
@@ -9,7 +10,7 @@ use const_oid::{
     AssociatedOid,
 };
 use der::{
-    asn1::{GeneralizedTime, Ia5String, ObjectIdentifier, OctetString, Uint},
+    asn1::{Ia5String, ObjectIdentifier, OctetString, Uint},
     Sequence, ValueOrd,
 };
 use spki::AlgorithmIdentifierOwned;
@@ -19,7 +20,7 @@ use x509_cert::{
     name::Name,
 };
 
-#[cfg(feature = "rand_core")]
+#[cfg(feature = "rand")]
 use rand_core::CryptoRngCore;
 
 // x509-cert's is not exported
@@ -60,8 +61,11 @@ impl Nonce {
     /// ```text
     /// Nonce ::= OCTET STRING(SIZE(1..32))
     /// ```
-    #[cfg(feature = "rand_core")]
-    pub fn generate<R: CryptoRngCore>(rng: &mut R, length: usize) -> Result<Self, der::Error> {
+    #[cfg(feature = "rand")]
+    pub fn generate<R>(rng: &mut R, length: usize) -> Result<Self, der::Error>
+    where
+        R: CryptoRngCore,
+    {
         let mut bytes = alloc::vec![0; length];
         rng.fill_bytes(&mut bytes);
         Self::new(bytes)
@@ -69,23 +73,11 @@ impl Nonce {
 }
 
 /// CrlReferences extension as defined in [RFC 6960 Section 4.4.2]
-pub struct CrlReferences(pub Vec<CrlId>);
-
-impl_newtype!(CrlReferences, Vec<CrlId>);
-
-// It may be desirable for the OCSP responder to indicate the CRL on
-// which a revoked or onHold certificate is found.  This can be useful
-// where OCSP is used between repositories, and also as an auditing
-// mechanism.  The CRL may be specified by a URL (the URL at which the
-// CRL is available), a number (CRL number), or a time (the time at
-// which the relevant CRL was created).  These extensions will be
-// specified as singleExtensions.  The identifier for this extension
-// will be id-pkix-ocsp-crl, while the value will be CrlID.
-impl_extension!(CrlReferences, critical = false);
-
-impl AssociatedOid for CrlReferences {
-    const OID: ObjectIdentifier = ID_PKIX_OCSP_CRL;
-}
+///
+/// This does not seem to be its own type and just another name for CrlID
+///
+/// [RFC 6960 Section 4.4.2]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4.2
+pub type CrlReferences = CrlId;
 
 /// CrlID structure as defined in [RFC 6960 Section 4.4.2].
 ///
@@ -107,7 +99,21 @@ pub struct CrlId {
     pub crl_num: Option<Uint>,
 
     #[asn1(context_specific = "2", optional = "true", tag_mode = "EXPLICIT")]
-    pub crl_time: Option<GeneralizedTime>,
+    pub crl_time: Option<OcspGeneralizedTime>,
+}
+
+// It may be desirable for the OCSP responder to indicate the CRL on
+// which a revoked or onHold certificate is found.  This can be useful
+// where OCSP is used between repositories, and also as an auditing
+// mechanism.  The CRL may be specified by a URL (the URL at which the
+// CRL is available), a number (CRL number), or a time (the time at
+// which the relevant CRL was created).  These extensions will be
+// specified as singleExtensions.  The identifier for this extension
+// will be id-pkix-ocsp-crl, while the value will be CrlID.
+impl_extension!(CrlId, critical = false);
+
+impl AssociatedOid for CrlId {
+    const OID: ObjectIdentifier = ID_PKIX_OCSP_CRL;
 }
 
 /// AcceptableResponses structure as defined in [RFC 6960 Section 4.4.3].
@@ -117,6 +123,7 @@ pub struct CrlId {
 /// ```
 ///
 /// [RFC 6960 Section 4.4.3]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4.3
+#[derive(Clone, Debug, Eq, PartialEq)]
 pub struct AcceptableResponses(pub Vec<ObjectIdentifier>);
 
 impl_newtype!(AcceptableResponses, Vec<ObjectIdentifier>);
@@ -138,9 +145,9 @@ impl AssociatedOid for AcceptableResponses {
 /// ```
 ///
 /// [RFC 6960 Section 4.4.4]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4.4
-pub struct ArchiveCutoff(GeneralizedTime);
+pub struct ArchiveCutoff(pub OcspGeneralizedTime);
 
-impl_newtype!(ArchiveCutoff, GeneralizedTime);
+impl_newtype!(ArchiveCutoff, OcspGeneralizedTime);
 impl_extension!(ArchiveCutoff, critical = false);
 
 impl AssociatedOid for ArchiveCutoff {
@@ -176,6 +183,7 @@ impl_extension!(ServiceLocator, critical = false);
 /// ```
 ///
 /// [RFC 6960 Section 4.4.7.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4.7.1
+#[derive(Clone, Debug, Eq, PartialEq)]
 pub struct PreferredSignatureAlgorithms(pub Vec<PreferredSignatureAlgorithm>);
 
 impl_newtype!(
diff --git a/x509-ocsp/src/lib.rs b/x509-ocsp/src/lib.rs
index bf0070f8f..69e5376b7 100644
--- a/x509-ocsp/src/lib.rs
+++ b/x509-ocsp/src/lib.rs
@@ -14,14 +14,43 @@
 extern crate alloc;
 
 mod basic;
+mod cert_id;
+mod cert_status;
 mod request;
+mod responder_id;
 mod response;
+mod time;
 
 pub mod ext;
 
-pub use basic::{
-    BasicOcspResponse, CertId, CertStatus, KeyHash, ResponderId, ResponseData, RevokedInfo,
-    SingleResponse, UnknownInfo, Version,
-};
+pub use basic::{BasicOcspResponse, ResponseData, SingleResponse};
+pub use cert_id::CertId;
+pub use cert_status::{CertStatus, RevokedInfo, UnknownInfo};
 pub use request::{OcspRequest, Request, Signature, TbsRequest};
-pub use response::{OcspNoCheck, OcspResponse, OcspResponseStatus, ResponseBytes};
+pub use responder_id::ResponderId;
+pub use response::{AsResponseBytes, OcspNoCheck, OcspResponse, OcspResponseStatus, ResponseBytes};
+pub use time::OcspGeneralizedTime;
+
+#[cfg(feature = "std")]
+extern crate std;
+
+#[cfg(feature = "builder")]
+pub mod builder;
+
+use der::Enumerated;
+
+/// OCSP `Version` as defined in [RFC 6960 Section 4.1.1].
+///
+/// ```text
+/// Version ::= INTEGER { v1(0) }
+/// ```
+///
+/// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+#[derive(Clone, Debug, Default, Copy, PartialEq, Eq, Enumerated)]
+#[asn1(type = "INTEGER")]
+#[repr(u8)]
+pub enum Version {
+    /// Version 1 (default)
+    #[default]
+    V1 = 0,
+}
diff --git a/x509-ocsp/src/request.rs b/x509-ocsp/src/request.rs
index adb4f87c1..cdc608318 100644
--- a/x509-ocsp/src/request.rs
+++ b/x509-ocsp/src/request.rs
@@ -1,9 +1,10 @@
 //! OCSP Request
 
-use crate::{CertId, Version};
+use crate::{ext::Nonce, CertId, Version};
 use alloc::vec::Vec;
+use const_oid::db::rfc6960::ID_PKIX_OCSP_NONCE;
 use core::{default::Default, option::Option};
-use der::{asn1::BitString, Sequence};
+use der::{asn1::BitString, Decode, Sequence};
 use spki::AlgorithmIdentifierOwned;
 use x509_cert::{
     certificate::Certificate,
@@ -28,6 +29,14 @@ pub struct OcspRequest {
     pub optional_signature: Option<Signature>,
 }
 
+impl OcspRequest {
+    /// Returns the request's nonce value, if any. This method will return `None` if the request
+    /// has no `Nonce` extension or decoding of the `Nonce` extension fails.
+    pub fn nonce(&self) -> Option<Nonce> {
+        self.tbs_request.nonce()
+    }
+}
+
 /// TBSRequest structure as defined in [RFC 6960 Section 4.1.1].
 ///
 /// ```text
@@ -39,7 +48,7 @@ pub struct OcspRequest {
 /// ```
 ///
 /// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
-#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
+#[derive(Clone, Debug, Default, Eq, PartialEq, Sequence)]
 #[allow(missing_docs)]
 pub struct TbsRequest {
     #[asn1(
@@ -58,6 +67,23 @@ pub struct TbsRequest {
     pub request_extensions: Option<Extensions>,
 }
 
+impl TbsRequest {
+    /// Returns the request's nonce value, if any. This method will return `None` if the request
+    /// has no `Nonce` extension or decoding of the `Nonce` extension fails.
+    pub fn nonce(&self) -> Option<Nonce> {
+        match &self.request_extensions {
+            Some(extns) => {
+                let mut filter = extns.iter().filter(|e| e.extn_id == ID_PKIX_OCSP_NONCE);
+                match filter.next() {
+                    Some(extn) => Nonce::from_der(extn.extn_value.as_bytes()).ok(),
+                    None => None,
+                }
+            }
+            None => None,
+        }
+    }
+}
+
 /// Signature structure as defined in [RFC 6960 Section 4.1.1].
 ///
 /// ```text
@@ -95,3 +121,64 @@ pub struct Request {
     #[asn1(context_specific = "0", optional = "true", tag_mode = "EXPLICIT")]
     pub single_request_extensions: Option<Extensions>,
 }
+
+#[cfg(feature = "builder")]
+mod builder {
+    use crate::{builder::Error, CertId, Request};
+    use const_oid::AssociatedOid;
+    use digest::Digest;
+    use x509_cert::{ext::AsExtension, name::Name, serial_number::SerialNumber, Certificate};
+
+    impl Request {
+        /// Returns a new `Request` with the specified `CertID`
+        pub fn new(req_cert: CertId) -> Self {
+            Self {
+                req_cert,
+                single_request_extensions: None,
+            }
+        }
+
+        /// Generates a `CertID` by running the issuer's subject and key through the specified
+        /// [`Digest`].
+        ///
+        /// [RFC 6960 Section 4.1.1]
+        ///
+        /// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+        pub fn from_issuer<D>(
+            issuer: &Certificate,
+            serial_number: SerialNumber,
+        ) -> Result<Self, Error>
+        where
+            D: Digest + AssociatedOid,
+        {
+            Ok(Self::new(CertId::from_issuer::<D>(issuer, serial_number)?))
+        }
+
+        /// Generates a `CertID` by running the issuer's subject and key through the specified
+        /// [`Digest`] and pulls the serial from `cert`. This does not ensure that `cert` is actually
+        /// issued by `issuer`.
+        ///
+        /// [RFC 6960 Section 4.1.1]
+        ///
+        /// [RFC 6960 Section 4.1.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1
+        pub fn from_cert<D>(issuer: &Certificate, cert: &Certificate) -> Result<Self, Error>
+        where
+            D: Digest + AssociatedOid,
+        {
+            Ok(Self::new(CertId::from_cert::<D>(issuer, cert)?))
+        }
+
+        /// Adds a single request extension as specified in [RFC 6960 Section 4.4]. Errors when the
+        /// extension encoding fails.
+        ///
+        /// [RFC 6960 Section 4.4]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.4
+        pub fn with_extension(mut self, ext: impl AsExtension) -> Result<Self, Error> {
+            let ext = ext.to_extension(&Name::default(), &[])?;
+            match self.single_request_extensions {
+                Some(ref mut exts) => exts.push(ext),
+                None => self.single_request_extensions = Some(alloc::vec![ext]),
+            }
+            Ok(self)
+        }
+    }
+}
diff --git a/x509-ocsp/src/responder_id.rs b/x509-ocsp/src/responder_id.rs
new file mode 100644
index 000000000..097a39a33
--- /dev/null
+++ b/x509-ocsp/src/responder_id.rs
@@ -0,0 +1,48 @@
+//! X.509 OCSP ResponderID
+
+use der::{asn1::OctetString, Choice};
+use x509_cert::name::Name;
+
+/// ResponderID structure as defined in [RFC 6960 Section 4.2.1].
+///
+/// ```text
+/// ResponderID ::= CHOICE {
+///    byName              [1] Name,
+///    byKey               [2] KeyHash }
+/// ```
+///
+/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+#[derive(Clone, Debug, Eq, PartialEq, Choice)]
+#[allow(missing_docs)]
+pub enum ResponderId {
+    #[asn1(context_specific = "1", tag_mode = "EXPLICIT", constructed = "true")]
+    ByName(Name),
+
+    #[asn1(context_specific = "2", tag_mode = "EXPLICIT", constructed = "true")]
+    ByKey(KeyHash),
+}
+
+impl From<Name> for ResponderId {
+    fn from(other: Name) -> Self {
+        Self::ByName(other)
+    }
+}
+
+impl From<KeyHash> for ResponderId {
+    fn from(other: KeyHash) -> Self {
+        Self::ByKey(other)
+    }
+}
+
+/// KeyHash structure as defined in [RFC 6960 Section 4.2.1].
+///
+/// ```text
+/// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+///                          -- (i.e., the SHA-1 hash of the value of the
+///                          -- BIT STRING subjectPublicKey [excluding
+///                          -- the tag, length, and number of unused
+///                          -- bits] in the responder's certificate)
+/// ```
+///
+/// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+pub type KeyHash = OctetString;
diff --git a/x509-ocsp/src/response.rs b/x509-ocsp/src/response.rs
index da365b881..75dd53499 100644
--- a/x509-ocsp/src/response.rs
+++ b/x509-ocsp/src/response.rs
@@ -1,11 +1,10 @@
 //! OCSP Response
 
-use crate::BasicOcspResponse;
-use const_oid::db::rfc6960::ID_PKIX_OCSP_BASIC;
+use const_oid::AssociatedOid;
 use core::option::Option;
 use der::{
     asn1::{Null, ObjectIdentifier, OctetString},
-    Encode, Enumerated, Sequence,
+    Enumerated, Sequence,
 };
 
 /// OcspNoCheck as defined in [RFC 6960 Section 4.2.2.2.1].
@@ -39,17 +38,22 @@ pub struct OcspResponse {
 
 impl OcspResponse {
     /// Encodes an `OcspResponse` with the status set to `Successful`
-    pub fn successful(basic: BasicOcspResponse) -> Result<Self, der::Error> {
+    ///
+    /// [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
+    pub fn successful(res: impl AsResponseBytes) -> Result<Self, der::Error> {
         Ok(OcspResponse {
             response_status: OcspResponseStatus::Successful,
-            response_bytes: Some(ResponseBytes {
-                response_type: ID_PKIX_OCSP_BASIC,
-                response: OctetString::new(basic.to_der()?)?,
-            }),
+            response_bytes: Some(res.to_response_bytes()?),
         })
     }
 
     /// Encodes an `OcspResponse` with the status set to `MalformedRequest`
+    ///
+    /// [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
     pub fn malformed_request() -> Self {
         OcspResponse {
             response_status: OcspResponseStatus::MalformedRequest,
@@ -58,6 +62,10 @@ impl OcspResponse {
     }
 
     /// Encodes an `OcspResponse` with the status set to `InternalError`
+    ///
+    /// [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
     pub fn internal_error() -> Self {
         OcspResponse {
             response_status: OcspResponseStatus::InternalError,
@@ -66,6 +74,10 @@ impl OcspResponse {
     }
 
     /// Encodes an `OcspResponse` with the status set to `TryLater`
+    ///
+    /// [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
     pub fn try_later() -> Self {
         OcspResponse {
             response_status: OcspResponseStatus::TryLater,
@@ -74,6 +86,10 @@ impl OcspResponse {
     }
 
     /// Encodes an `OcspResponse` with the status set to `SigRequired`
+    ///
+    /// [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
     pub fn sig_required() -> Self {
         OcspResponse {
             response_status: OcspResponseStatus::SigRequired,
@@ -82,6 +98,10 @@ impl OcspResponse {
     }
 
     /// Encodes an `OcspResponse` with the status set to `Unauthorized`
+    ///
+    /// [RFC 6960 Section 4.2.1]
+    ///
+    /// [RFC 6960 Section 4.2.1]: https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.1
     pub fn unauthorized() -> Self {
         OcspResponse {
             response_status: OcspResponseStatus::Unauthorized,
@@ -132,3 +152,14 @@ pub struct ResponseBytes {
     pub response_type: ObjectIdentifier,
     pub response: OctetString,
 }
+
+/// Trait for encoding [`ResponseBytes`]
+pub trait AsResponseBytes: AssociatedOid + der::Encode {
+    /// Encodes the response bytes of successful OCSP responses
+    fn to_response_bytes(&self) -> Result<ResponseBytes, der::Error> {
+        Ok(ResponseBytes {
+            response_type: <Self as AssociatedOid>::OID,
+            response: OctetString::new(self.to_der()?)?,
+        })
+    }
+}
diff --git a/x509-ocsp/src/time.rs b/x509-ocsp/src/time.rs
new file mode 100644
index 000000000..b567b9491
--- /dev/null
+++ b/x509-ocsp/src/time.rs
@@ -0,0 +1,45 @@
+//! OCSP GeneralizedTime implementation
+
+use der::{
+    asn1::{GeneralizedTime, UtcTime},
+    DateTime,
+};
+use x509_cert::{impl_newtype, time::Time};
+
+/// [`GeneralizedTime`] wrapper for easy conversion from legacy `UTCTime`
+///
+/// OCSP does not support `UTCTime` while many other X.509 structures do.
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+pub struct OcspGeneralizedTime(pub GeneralizedTime);
+
+impl_newtype!(OcspGeneralizedTime, GeneralizedTime);
+
+#[cfg(feature = "std")]
+impl TryFrom<std::time::SystemTime> for OcspGeneralizedTime {
+    type Error = der::Error;
+
+    fn try_from(other: std::time::SystemTime) -> Result<Self, Self::Error> {
+        Ok(Self(GeneralizedTime::from_system_time(other)?))
+    }
+}
+
+impl From<DateTime> for OcspGeneralizedTime {
+    fn from(other: DateTime) -> Self {
+        Self(GeneralizedTime::from_date_time(other))
+    }
+}
+
+impl From<UtcTime> for OcspGeneralizedTime {
+    fn from(other: UtcTime) -> Self {
+        Self(GeneralizedTime::from_date_time(other.to_date_time()))
+    }
+}
+
+impl From<Time> for OcspGeneralizedTime {
+    fn from(other: Time) -> Self {
+        match other {
+            Time::UtcTime(t) => t.into(),
+            Time::GeneralTime(t) => t.into(),
+        }
+    }
+}
diff --git a/x509-ocsp/tests/builder.rs b/x509-ocsp/tests/builder.rs
new file mode 100644
index 000000000..286c4a9d1
--- /dev/null
+++ b/x509-ocsp/tests/builder.rs
@@ -0,0 +1,436 @@
+#![cfg(feature = "builder")]
+//! ocsp builder tests
+
+use der::{DateTime, Decode, Encode};
+use hex_literal::hex;
+use lazy_static::lazy_static;
+use rsa::{pkcs1v15::SigningKey, pkcs8::DecodePrivateKey, RsaPrivateKey};
+use sha1::Sha1;
+use sha2::{Sha224, Sha256, Sha384, Sha512};
+use x509_cert::{name::Name, serial_number::SerialNumber, Certificate};
+use x509_ocsp::builder::*;
+use x509_ocsp::{ext::*, *};
+
+lazy_static! {
+    static ref ISSUER: Certificate = Certificate::from_der(
+        &std::fs::read("tests/examples/rsa-2048-sha256-ca.der").unwrap()
+    )
+    .unwrap();
+
+    static ref ISSUER_KEY: RsaPrivateKey = RsaPrivateKey::from_pkcs8_der(
+        &std::fs::read("tests/examples/rsa-2048-sha256-ca-key.der").unwrap()
+    )
+    .unwrap();
+
+    static ref CERT: Certificate = Certificate::from_der(
+        &std::fs::read("tests/examples/rsa-2048-sha256-crt.der").unwrap()
+    )
+    .unwrap();
+
+    static ref CERT_KEY: RsaPrivateKey = RsaPrivateKey::from_pkcs8_der(
+        &std::fs::read("tests/examples/rsa-2048-sha256-crt-key.der").unwrap()
+    )
+    .unwrap();
+
+    static ref OCSP: Certificate = Certificate::from_der(
+        &std::fs::read("tests/examples/rsa-2048-sha256-ocsp-crt.der").unwrap()
+    )
+    .unwrap();
+
+    static ref OCSP_KEY: RsaPrivateKey = RsaPrivateKey::from_pkcs8_der(
+        &std::fs::read("tests/examples/rsa-2048-sha256-ocsp-crt-key.der").unwrap()
+    )
+    .unwrap();
+
+    // PrintableString: CN = rsa-2048-sha256-ocsp-crt
+    static ref RESPONDER_ID: ResponderId = ResponderId::ByName(
+        Name::from_der(
+            &hex!("30233121301f060355040313187273612d323034382d7368613235362d6f6373702d637274")[..]
+        )
+        .unwrap()
+    );
+}
+
+#[test]
+fn encode_ocsp_req_sha1_certid() {
+    let req_der = std::fs::read("tests/examples/sha1-certid-ocsp-req.der").unwrap();
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .build();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_req_sha224_certid() {
+    let req_der = std::fs::read("tests/examples/sha224-certid-ocsp-req.der").unwrap();
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha224>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .build();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_req_sha256_certid() {
+    let req_der = std::fs::read("tests/examples/sha256-certid-ocsp-req.der").unwrap();
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha256>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .build();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_req_sha384_certid() {
+    let req_der = std::fs::read("tests/examples/sha384-certid-ocsp-req.der").unwrap();
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha384>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .build();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_req_sha512_certid() {
+    let req_der = std::fs::read("tests/examples/sha512-certid-ocsp-req.der").unwrap();
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha512>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .build();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_req_multiple_extensions() {
+    let req_der = std::fs::read("tests/examples/ocsp-multiple-exts-clean-req.der").unwrap();
+    let single_ext1 = ServiceLocator::from_der(
+        &hex!(
+            "3051301D311B3019060355040313127273612D323034382D736861323536\
+             2D63613030301006082B0601050507300187047F000001301C06082B0601\
+             0505073001871000000000000000000000000000000001"
+        )[..],
+    )
+    .unwrap();
+    let ext1 = Nonce::from_der(
+        &hex!("0420BB42AE6BEBD2B6E455CA02BC853452635F08863EFFAF25E182905E7FFF1FB40A")[..],
+    )
+    .unwrap();
+    let ext2 = AcceptableResponses::from_der(&hex!("300B06092B0601050507300101")[..]).unwrap();
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x10001usize))
+                .unwrap()
+                .with_extension(single_ext1)
+                .unwrap(),
+        )
+        .with_extension(ext1)
+        .unwrap()
+        .with_extension(ext2)
+        .unwrap()
+        .build();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_req_multiple_requests() {
+    let req_der = std::fs::read("tests/examples/ocsp-multiple-requests-req.der").unwrap();
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .with_request(
+            Request::from_issuer::<Sha224>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .with_request(
+            Request::from_issuer::<Sha256>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .with_request(
+            Request::from_issuer::<Sha384>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .with_request(
+            Request::from_issuer::<Sha512>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .with_request(Request::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x5usize)).unwrap())
+        .with_request(Request::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x16usize)).unwrap())
+        .with_request(
+            Request::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0xFFFFFFFFusize)).unwrap(),
+        )
+        .build();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_req_signed() {
+    let req_der = std::fs::read("tests/examples/ocsp-signed-req.der").unwrap();
+    let mut signer = SigningKey::<Sha256>::new(CERT_KEY.clone());
+    let req = OcspRequestBuilder::default()
+        .with_request(
+            Request::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+        )
+        .sign(&mut signer, Some(vec![CERT.clone()]))
+        .unwrap();
+    assert_eq!(&req.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_resp_errors() {
+    let req_der = std::fs::read("tests/examples/ocsp-malformed.der").unwrap();
+    let resp = OcspResponse::malformed_request();
+    assert_eq!(&resp.to_der().unwrap(), &req_der);
+    let req_der = std::fs::read("tests/examples/ocsp-internal-error.der").unwrap();
+    let resp = OcspResponse::internal_error();
+    assert_eq!(&resp.to_der().unwrap(), &req_der);
+    let req_der = std::fs::read("tests/examples/ocsp-try-later.der").unwrap();
+    let resp = OcspResponse::try_later();
+    assert_eq!(&resp.to_der().unwrap(), &req_der);
+    let req_der = std::fs::read("tests/examples/ocsp-sig-required.der").unwrap();
+    let resp = OcspResponse::sig_required();
+    assert_eq!(&resp.to_der().unwrap(), &req_der);
+    let req_der = std::fs::read("tests/examples/ocsp-unauthorized.der").unwrap();
+    let resp = OcspResponse::unauthorized();
+    assert_eq!(&resp.to_der().unwrap(), &req_der);
+}
+
+#[test]
+fn encode_ocsp_resp_sha1_certid() {
+    let resp_der = std::fs::read("tests/examples/sha1-certid-ocsp-res.der").unwrap();
+    let mut signer = SigningKey::<Sha256>::new(ISSUER_KEY.clone());
+    let resp = OcspResponseBuilder::new(RESPONDER_ID.clone())
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .sign(
+            &mut signer,
+            Some(vec![ISSUER.clone()]),
+            OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+        )
+        .unwrap();
+    assert_eq!(&resp.to_der().unwrap(), &resp_der);
+}
+
+#[test]
+fn encode_ocsp_resp_sha256_certid() {
+    let resp_der = std::fs::read("tests/examples/sha256-certid-ocsp-res.der").unwrap();
+    let mut signer = SigningKey::<Sha256>::new(ISSUER_KEY.clone());
+    let resp = OcspResponseBuilder::new(RESPONDER_ID.clone())
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha256>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .sign(
+            &mut signer,
+            Some(vec![ISSUER.clone()]),
+            OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+        )
+        .unwrap();
+    assert_eq!(&resp.to_der().unwrap(), &resp_der);
+}
+
+#[test]
+fn encode_ocsp_resp_sha512_certid() {
+    let resp_der = std::fs::read("tests/examples/sha512-certid-ocsp-res.der").unwrap();
+    let mut signer = SigningKey::<Sha256>::new(ISSUER_KEY.clone());
+    let resp = OcspResponseBuilder::new(RESPONDER_ID.clone())
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha512>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .sign(
+            &mut signer,
+            Some(vec![ISSUER.clone()]),
+            OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+        )
+        .unwrap();
+    assert_eq!(&resp.to_der().unwrap(), &resp_der);
+}
+
+#[test]
+fn encode_ocsp_resp_multiple_extensions() {
+    let resp_der = std::fs::read("tests/examples/ocsp-multiple-exts-res.der").unwrap();
+    let ext1 = Nonce::from_der(
+        &hex!("04201F27F8C9CD8D154DAAEF021D5AAD6EAD7FE0637D044198E3F39291204924CEF8")[..],
+    )
+    .unwrap();
+    let single_ext1 =
+        ArchiveCutoff::from_der(&hex!("180F32303230303130313030303030305A")[..]).unwrap();
+    let single_ext2 = CrlReferences::from_der(
+        &hex!(
+            "3030A0161614687474703A2F2F3132372E302E302E312F63726CA103020101A2\
+             11180F32303230303130313030303030305A"
+        )[..],
+    )
+    .unwrap();
+    let mut signer = SigningKey::<Sha256>::new(ISSUER_KEY.clone());
+    let resp = OcspResponseBuilder::new(RESPONDER_ID.clone())
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            ))
+            .with_extension(single_ext1)
+            .unwrap()
+            .with_extension(single_ext2)
+            .unwrap(),
+        )
+        .with_extension(ext1)
+        .unwrap()
+        .sign(
+            &mut signer,
+            Some(vec![ISSUER.clone()]),
+            OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+        )
+        .unwrap();
+    assert_eq!(&resp.to_der().unwrap(), &resp_der);
+}
+
+#[test]
+fn encode_ocsp_resp_multiple_responses() {
+    let resp_der = std::fs::read("tests/examples/ocsp-multiple-responses-res.der").unwrap();
+    let mut signer = SigningKey::<Sha256>::new(ISSUER_KEY.clone());
+    let resp = OcspResponseBuilder::new(RESPONDER_ID.clone())
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha224>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha256>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha384>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha512>(&ISSUER, SerialNumber::from(0x10001usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x5usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0x16usize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(0xFFFFFFFFusize)).unwrap(),
+                CertStatus::good(),
+                OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+            )),
+        )
+        .sign(
+            &mut signer,
+            Some(vec![ISSUER.clone()]),
+            OcspGeneralizedTime::from(DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()),
+        )
+        .unwrap();
+    assert_eq!(&resp.to_der().unwrap(), &resp_der);
+}
+
+#[test]
+fn encode_ocsp_resp_revoked_delegated() {
+    let resp_der = std::fs::read("tests/examples/rsa-2048-sha256-revoked-ocsp-res.der").unwrap();
+    let mut signer = SigningKey::<Sha256>::new(OCSP_KEY.clone());
+    let resp = OcspResponseBuilder::new(RESPONDER_ID.clone())
+        .with_single_response(
+            SingleResponse::new(
+                CertId::from_issuer::<Sha1>(&ISSUER, SerialNumber::from(3usize)).unwrap(),
+                CertStatus::revoked(RevokedInfo {
+                    revocation_time: OcspGeneralizedTime::from(
+                        DateTime::new(2023, 11, 5, 1, 9, 45).unwrap(),
+                    ),
+                    revocation_reason: None,
+                }),
+                OcspGeneralizedTime::from(DateTime::new(2023, 11, 5, 1, 9, 46).unwrap()),
+            )
+            .with_next_update(OcspGeneralizedTime::from(
+                DateTime::new(2024, 11, 4, 1, 9, 46).unwrap(),
+            )),
+        )
+        .sign(
+            &mut signer,
+            Some(vec![OCSP.clone()]),
+            OcspGeneralizedTime::from(DateTime::new(2023, 11, 5, 1, 9, 46).unwrap()),
+        )
+        .unwrap();
+    assert_eq!(&resp.to_der().unwrap(), &resp_der);
+}
diff --git a/x509-ocsp/tests/examples/DODEMAILCA_63-resp.der b/x509-ocsp/tests/examples/DODEMAILCA_63-resp.der
new file mode 100644
index 0000000000000000000000000000000000000000..21bd389471b848296a445d12edb17eb855442fd0
GIT binary patch
literal 3721
zcmXqL;%nt%WLVI|S7*?~SH;Gu&Bn;e%5K2O$kN1@4HQZ@XyUlKNQ^~<mrHnRhPU9)
z-wewivfmaxqiAHxA;E8CU}S7)Xkcz=VPa%#9tBjq!XU-K#(<NJRhy5QNs5($MMRQ|
zFPC?-eUpk;Wc07D13qF_Yc*Izd=1wIUh@mDOV2b`Wv)A>x%BR?&rHnht6Liw5XKr<
z7yv=k0zsINp^2e6SjeD?B3s%Pih+$ZGO#o<Gcq(aGcb-?z|6(S2(!q*oMv{nL+v&;
zurxF_G&eRhh1ktPl--ntZU>Q}OPMX5bg`w2F1B<NX$xiPu?L<ejEqbS%?u0;P3e{%
zdtr7P8W;kzf{~@MCD?9yq{luYLzlAj*iRQ*CJ<>0WhrGMEVc{`4NMG8O-+mq!Lh|m
zROvyP-IJhp8v)Y^FqN7b8<~@kQYf=~GTd$hLrY*K0JNV3yD3XQQ|J=2Q(-;?)(e(~
zW=5vQ7IgFBG$MUSSvXFoi!C#Vw1t<AQ>)FR?K>|cBR4Apa}y&Y!}?>F7Jj~@d25cu
z8nqyA$N!8{DHeHCr`-G^TpBrbi{#!VDVdvG8zL{{J>Tl2J^Sr{xz|&}j%SHKd)NH%
z;PrR+JCqrX&v90{KRd-*82X#@`q683|5!TA92*yJV(56feh2fbwx^R-uNQ@yzB_)t
z^qrs5IpZ^i9A#_1X=hK0Ub#y0Ni|#DlN-)eV$O%2MtlyKa8=w+fMrs8>b#BZ3z9wy
zA5UhP<)h;@BYGcqiBa|BvZ94uC5@e3)n~)M7GHn%pk%6b^MvZ(Et#wd?>r~|m_Da9
z*t6jNc~^H41Hpp~uDVs57F_wZTE(idW<x@3{mujp|5FcFud0`~;R|RD@a*VS@YP$;
z#8PI^#8L#rc?M0)VGEd<7@3%u<v%DHpoW$~tRXkBk;fd$!Y0fV8f++GAO_-a3G;{Q
z1?wre=a;1x<>jX4l^F6EaDimFg_&LQU66PI-kvaB%)<OG{w@lxzK)(g3eJwYX2u3`
z;=I6yr2!Bb015LbFc(-kLAeGg)UaOOKo;aQW??aq^?sfKL4K|w3jWT)0SbnOE(*p5
zO^hi1W(21aeg>d87ZWJC9M)H@_@#Aamr_#e^?#H9^VrO{JoVzfhhyl5!*OOdkDP=j
zT+_P5vi7K>m*kg}z**J**F?q3EI4#O_3)C-N=s{JC48!vJL&RbeYBUUUsvcyrVFKB
zS({INNo|)ue7b1Ko8AI-Z@)EGt`|OTzq!n0@w5$-Z7ek=yIl-;J3%)<BJT05tSd7L
zFV;jo|77|#L}sb@+vKSHXQtm;`1gFYVZE-+D|VC3I{j4G6Hb42cDFCTHQqWlEdQfA
z^9xgY&f0=!Ul|{`AN<5n8#MRqbDx#k+`Pv7w=%gaO{{j>c{}>1gX_ldiD!5}SU7}N
zZ)i!dv=g>>D}Hu;j@52WF=a8cyDih^D)BNgGcqtPZer8}hKQDdJTNe2m05sEp#f{_
z-oTBG1Jb<!_Aab|&1*9l-+-x2E2E^Oz)D{~xhO|3C9^nDFE=wszc@2JPahaJ;FRI)
z7;k2*mz-JzPHM8MjEw(TK#2=#CNrl2AIJgxAaNFECiVscenfYMm4%6w0UX`3d@MM6
zGY07({R%7z25|=5Y@7*g9*n6>jNB^79Cc)l7Ba`$fQO9>tOuB9n0Zlnf+#$7w7di^
zd1}{Y_s^^CPWK9x<bBBPwPva0vllOl4_w$;)^%ZV*Jn=if(0dht^C&V_g6(tVlOCN
zbTatw$9lc32Pd9;$GV8yVRlTft?m3rAGBX7{i_r`lsV)0vqdWGf8YQ4e`fk-!SgZp
zn_m7-vUO4mIP&HF*^5#iZ(I5{R^3(*{Bku>?&<9xQ`1?_^gfRDYrNll=XAQk;@SU0
zBTY6<U2c?orO|E1tItO-?3!gBZ}2mLMf0-B&rim$ci&VCT=;5E{Ax9?14o{>PPqKp
zXIA+BW%pz=xFxq{Ja5ji`Ve_!wZ=s26)lzhCAuteHQB76PGyvoPB<X*^hB@iDhstb
RiK`!;cP;mK4Dl{~4gk?5RTcmM

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-by-key-res.der b/x509-ocsp/tests/examples/ocsp-by-key-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..de1b68464631b5559efce2b10b2926e35b0e7bb7
GIT binary patch
literal 511
zcmXqLV*Jg;$grS^@rywd;|DfQZ8k<$R(1nMMwTYVhd`mb293uSiLr=$St0Q36=%!(
zGBcqr2My=S8CmY868uI6Mg|6kKnMm=25AN<1~vwqY^>UR%uG_O3@jp3u1K7SZQ%MW
zl=jiqw&%v#tfjk4SVUs4>xj!RcI*F|bXeF@IAh-4CczjcW=00a1_lg67YJeqEi?vN
zsgH0h6N?gyg1q{VlV^KHeOJ9_l8suMx3>O4axIJFjK`lRO;qqyIrqbWmyJ`a&7<u*
zFC!y2D+6;ABO^m?+<&>Yc~U_e+Fw23KCvcNVB*)UE9-b%W-{+?W3IodYv92?)!uK`
z1;vMf=H1E0KX!&r+p$mU_m2a<-#NRPqK?ECNBsP<O5*vdOOEG4ZoNMG>{H}d{_<Pq
zvz|=2&BAGTrs1s50l`z@%d}ZLOoMj65qR{(Bj2*J=*!cHODfsndXJsf{=0qYYi41A
zAoKI8kmS49=438U`eXC2K<h$3;~|;(C#(H4em@Y;OBLH)vi(X)daQiVJY}^vTJ>Am
zFKQm_lj~0Tx~Ns%bW-q@GVdD<4?j-XmXK(ok=wQDgw(AW=`4X4?%mflbl2_c>bc#p
a;cv&Rt)&Zo3)#ND{_gJSO{=d&#Q^|#^3D_h

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-dtm-no-chain-res.der b/x509-ocsp/tests/examples/ocsp-dtm-no-chain-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..395d1aa34cb1e9c407587976047945e36e981b1c
GIT binary patch
literal 526
zcmXqLV&dXrWLVI|#B9*S_@9kan~jl`mEC}mk)?_815oIVLF3hhss_r2iU#s*%%LpI
z!V*QriMmDxCKkHI8Hq-wX1e*w#Ra;_MI{paMg~R(28KWg22loS1}O$M2ApiH+I-AR
zQmhOtB2%tNoQQ4U`Ye?8(bl%-#@Vc;yGvL^Vz29n%P@B9|C)4I*itxS-rgp`7$#;$
z2F3;k3_}+PVhAlX23o0)a61!=5{rVo`j3-mdqsU$y=Rh*TAR1F{y}mri{p&PpC?UJ
z@KibX!+@8KQ>)FR?K>|cBR4Apa}y&YgWvj{$`RaxTr1b5Oa6Y&cy{0ADCYGqqBl9a
z-8c4EI_ml3`Tl3;_Gj|UFm+<Pz;$W=8ZMnpk~J)xosyUJba(ES$@ACBigIew@Naw4
zueY=NPQP#2>_3nG%Up^++{!SUJ<IuOw_JSCzISEmKj!?pc8=BW%&%9=BZ?;;jM)Do
zr0JB?mopOWGbcPWTx6<!_nOj$GoI`&36)Ftf2rJ`JC$+4<<KWn<~7fi-Sf+DtHqxS
zaXYUC7YkIHXFWXRQ>mls`uN4C2d6mmq@*s*_X*y#B1&J5=f1<?gdg{_<F9&8>-&Fg
odog<n(}8O@c6*s#UnvxR@z<pT_7}4q&%Cf%!u&e)#47!n0Q)w}jQ{`u

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-internal-error.der b/x509-ocsp/tests/examples/ocsp-internal-error.der
new file mode 100644
index 000000000..357edab13
--- /dev/null
+++ b/x509-ocsp/tests/examples/ocsp-internal-error.der
@@ -0,0 +1,2 @@
+0
+

\ No newline at end of file
diff --git a/x509-ocsp/tests/examples/ocsp-malformed.der b/x509-ocsp/tests/examples/ocsp-malformed.der
new file mode 100644
index 000000000..e40ff61f3
--- /dev/null
+++ b/x509-ocsp/tests/examples/ocsp-malformed.der
@@ -0,0 +1,2 @@
+0
+


\ No newline at end of file
diff --git a/x509-ocsp/tests/examples/ocsp-multiple-exts-clean-req.der b/x509-ocsp/tests/examples/ocsp-multiple-exts-clean-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..e38210a089ba900b9c35ce837a1dfc39ec6048a3
GIT binary patch
literal 261
zcmXqLVq`RE{AbX(+@NuZfsFwt8>==SGm{i61B=L%D-tJS8@N6TrG2!u?YVI_Yw7M1
z7LnNNI^r^n-TJ>K9Tv6}&X~8iNic?qnUR5UL5e|=K>{16HX9==E4u+BJ4>)Zpn<HR
zw1FfWb0`b5uuxHPqOOsFiG^-)Mxv3anQn5Tfq{Vl8wX5BJ4-zS1EYZql868UDqvg`
zWDsDWkFbS_MTtdWx6``p*O#_E2|dNMr`04VIi91<?*Dq#hfNdW>i^4c;WCg#XkcMv
N{LjK`z>N@L1OQ$xJKq2R

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-multiple-exts-res.der b/x509-ocsp/tests/examples/ocsp-multiple-exts-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..9a5f5736b408a52b0a6e9e7f66da39a3bc486d94
GIT binary patch
literal 1453
zcmXqLVqM9_$grS^b&)|6>pV72Z8k<$R(1nMMwTYlexOjdK@+3RLRAB0Lq!95Hs(+k
zW?_k<;zV5|0}~6~;*3NiQ#0NC<l+L|<f0M@ej@`T0|P@K1cNAp#xn+uCk<>2IN4aW
z`IwocSQ%JErd*LY5!=A^St#wJt!>YZvsp`bm#~P$Ue^(qVeHobHR-UhrEtc)y-k8K
zOw5c7j13GJ#x4-V5L%dQkZ2%>a6TIgrWyl#ggi3~(4h;&#6&VmN(!v>^$m^8^$dW}
zP(QgSXCX5aBjX}W0~Q(seWs5vgo#CoML}Nu$H}w3qQ0x%Gs#A+&0AalAi0*samM4%
zlO`&7s+{{_z{|#|)#lOmotKf3o0WmNiII_^SngSYz4!6TuXnzms1W=c#<TzB0>SSR
zhS^vDl}-M2@%Wm}k0XSB|6Nw7UF9#qSaIpz{_N`fJbng+htI1zPZ@}^RC0Gj)-s&+
z*}wW%=5;3f-7)?PSa~D%dhRW4ym(UaEuVC)a;uy1wEHoul7;=NR~}UG$Ot+w;me#5
zwREA%%DTIX8j3#OGj?XHR4jV4|M4PQ^9b>*kiBxxt@nsuRhnw8I3w!HUMYuXuJaZ2
z<L<i@sp)4gO`0|%EcurWSNuceg|-F{V=I_f*d)%{UwX4xLt)aLMP6dgftknBIcAEi
zw%(-1r&J--_hPF4+M~C4zCPI69C&!PZSbLlJ6smt`<~z1yr7BM*r177ABeRLnwW$a
z00W!}80KhUWgu%PZ6FCrbVBHfE*Ti#;=D%2hK2^Fz-X~FF^v-EH8uirji6jY+M5`a
zkS$~cM-D#&Fu`*%fnsUj45#Ev&7LX0d6uR16zx?^n(QHXH&E}-><b%od$S}?ho~ld
zJmKH=r|tOlXtfjGZ3ZR}OkPZCC|{?v>-W_iGc;b^H{gFZcTRQ#f8B{>W%D`z|J}`*
zB+YK>zt2G7uHDzX^7||bo0eFF+$|JT*nHFV(K5;BoXOXv-}3*M8kPNa>a^6N1040$
zuD1<$6rV2L>vTx2`AWU!E?xgk!aHSKLjwGKOUrsfs-iqY=Vd(!zxS3^sQ6V)OVgX8
zCnXc6zRg~cb-{&Qv&h9=ccO$r&x5pG%3=9mf2}l-P2Dhi{Zkv`y7DZm#ud*?wiiZQ
zhVw)oIc%5{o{}b3n_l@p$i+;*)Ug$u{T7!Qlo;>;<3LuJh1GzWk@3HQEQrU)B8ENF
z8n}X_m09czY#OlU>V=9+<OxI#F!YgQ29|A>9h=Wpn{L0heBsLqBcslVc|SrKAC(=g
z%Dr)FruZwfEeRd}3qD-%)^S)TucGPnb-|G*$4@YnoHKf(lH)f?Fu7Q^dJ{|kl<%kR
z$>h~_?OP^#v}u0M*C_Y0)As%n?AnIj(qb#>JQIDHmzj&GUI>_Zbn%n-cFJePxfitD
zT{ll+jqQmT)+tHbL#FSS?PpviSmDU1CV54a)8%xv($ekiZ;xGLyXSZ8mzm>>$LYFP
zrccs%8un%eXU+NtrYYHqyzaUO=e|47nK(g~O?}>E<#`)FWi<Hyu9$S|R;WzlpGt0f
pm7II0{xPmG<oKeuQ}M;)Yd6j`8~9&RC<~1>nX$^x;+AR4e*npE44(i1

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-multiple-requests-nonce-req.der b/x509-ocsp/tests/examples/ocsp-multiple-requests-nonce-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..9d18010196c4816ad43629379296fe5c234a72ef
GIT binary patch
literal 777
zcmXqLVrDgHVrDdGVme`9XJBK%$;PV9$IK+f%D^Hr<%-0K*aoi8LTMjuZF_E<&04y<
zgheFwx{kOEW4HdVNr#0kg)`>uZ4!)OVrFDuGzc;XFyLk5Olb39Ol4+aVgZ^VV=K>o
zCHz{lH@_<5ajDy~Pmjn12C;up$cj3<G=W7%GwGDp+~<pzM@@Tmh*>@$!}se}{<t*L
zd#A7aE{2#HWe|aECL_>H1=fU$b)vPiw;G0QT>bh|Lijb6zjx<zu1jw8o3J?bi_1|K
z1<}J*9fnGme&_CAVP~^<^2>KWgyQV4w-$LH(Vd&W%W^x!>?(r_WV4xoW*ba@zkYJP
znqJY#6aRmQ{@pWwcirOPv&}URq`rN)(z)92<T|hGDlGzPJ<2~1{0~grt-)gO)vv<H
zrigLp@tG`KpW`3z5t(!=o9}PsoQ7Sl%LLCJ)cm%5Li(DI-pwZb50%a<v;KqF-8kEz
zaR##O%s|^6vYuT{Yt~lG4c%|wb9(o+q$k&BTz~o}<=nH=ruP%x2{szUY$_>J3*-8=
zS95#g$|cFtyuYMai;9&u?~r>P^0cy%#o^x?wT_F4&JP6w)_p$v>&cTxvLE^#R{pY&
zZJ1!)JSE_rW)f5KMy;Ltb}cLsOWFk`x0Ti!*Sy`y;@uTrWSJPp263H@ffczafsqxM
zipbY3X5au!hh(NgR)+sTu*lfJ&_JJ!Q=5&Em6hFqk%>i#MM3?kwAkU$LvtjywaqAS
YTzIqS$ib?I-&Fa}zKTCv^+K#10E>?(H~;_u

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-multiple-requests-req.der b/x509-ocsp/tests/examples/ocsp-multiple-requests-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..035d82906558581a35f2749f8dfa65944bee9047
GIT binary patch
literal 724
zcmXqLV!B|^#B>ITPZ-!4*cfoKv1;=%GfA;Bu!u~#B5@+Nf$OtS+DBX4o*QSgmhLWL
z5sAI7BQC?(t^aG%VPQ+*jCp&T1Y?+(85tN2f(!x-c-c4;+B_IjnOT@vfM&?p%Clby
zzn1LHugZ8_>bC6DBQk+O>|YeJqRuW&V3E;GI;A!D`QqhK(_S57mJi7A{koMuF3t4b
z>Fd6WA!bGyL?D~V2sBfHHKAgiXzlE+h9MhQzrK_Zeof`?-T9pBk{kUdEKdF6a+F0u
z^l(*&q0*(_x%*ex+3cPC^4$-iIQ#3ZMczkr=jQLS+zv6j%Af+-Y$l-D2GifKpIon|
zS9J2k|KFj1_srj2w>bE0bIk*(Zy&C7uJ${*&g;5Li-1~>^3MbR0~2>^uo!&xt1z-D
zV%&LrCJWc+_{V!hCf&;B`&&7uVVCPN!LtW7zb&7TzUHHMvkCu0rSr<H{~&fZ&NgVA
zfowZ7&~}HcXIImjwH0$i_uKcJ-hD0U$@Ll6pZ-ZX_w2Ok{e*XdjRrBBO3Kv2xPI-`
z+}^lyNwPHWFDcfdV&%;{<X(q7t!!j*__s!_<6@%oLxF&GpU?h!^5l{1hkl2ZzwBch
zCRjI533#WO#FV^IYp1?l3rob3c0tK)rM1R2Z+EhIcf}W3CdRQrTxVloMQ%!9WCf-o
U@^y<DH~`ZjnW>PK;Xe=n05V1vPyhe`

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-multiple-responses-res.der b/x509-ocsp/tests/examples/ocsp-multiple-responses-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..e34ceb13f4df273626d8e9b5deaa459b24c514f1
GIT binary patch
literal 2215
zcmXqL;#kbZ$grS^V~#-+#|$=3Z8k<$R(1nMMwTXyPM}b$K@*GFLRAB0Lq!95Hs(+k
zW?_k<;zV5|0}~6~;*3NiQ#0NC<l+L|<f0M@ej@`T0|P@K1cNApCgxuTDF!wMoNTPx
ze9TNztPCt7Q?5vyh;88dER^=q*0$%y*{r3zOISo=uj`1*Fm~(znsiv$QaEGY-X_5q
zCT2zk#s&rqV;2Zw2pLou1Q_tLaVE5RFs3rIFtGq_lChO%zY=~e*_&UL@wn7&*{4Tj
z0)yDUC}c&QU7ElmqnUI{Ywq*K%cG{fI>am=km37vD}P*?>Alm}eHW8rb7O-+1hUnP
zK&us46Drn;*3RB)7_xEo>q`mY*Hr%AozJ;0xzTUJ;?yrLM_Cj^4_9><DqZ@WyMKk9
z&ECl`-~AAZv%lV2<b6bUZvHOI?Iby20nq<QzGnhD!C?CP^^@z>^omZN`2Rcf@1FU)
z>lO!}ZLWDB_3guz&eeV=*Lhu6X%SHCQT}=0e_-Nn4Hkp1eicSGMT|R-&t&2H9RGNa
z$fR4@e19wFH0*L+CV2Ls=C|b&(${?SZZ_e6sB~VL^&d%2JZR831KEwtKsP#MJ-eFL
ztgV<Ey5GL%^zLg(Pp;3n{`61Exo4+M?<c$yY&3}3R8poE#`SBj=Jv*wOOmB|e@U?x
z6)SJvA@@4uX=Nje!@o6Z9TyXw9|{Dl`+WA-lP8a4KlD4S{AC~8Fu}TcO29kKB&Otz
zT08aaT38~Mv<pgZE3GxIdApOvyDPrPGBJ*g6h9;xSdp8O8Ci);$CTJ1Mx-5S26p87
zgO%Yw5D;k(Fhy#$d9;1!Wn|=LWngY%WMo)#X!(BA*c)P+htwAx{7|nQYa%-<c6-yx
z)iIm@rFyaMa=#Sg+;d?2l`jTv>>c5Lr>&PTd~K_2nmaN2s^~MD8Q-j%gdY^&z9^s&
z{9f@}^p;;to?#-oKQH{e`n9-dr7OGVte^tjSKsa^#cHU2H*Wj-?nr^{MxMlLDb*8S
zw3%&@>kD`F4OscJEpf%Gce8~}wF8y%eB`zT$-Hh=eYNz&0;R0bD>nNgV-L()$(j^d
zeA)S=5_8?t5L^4_o_qQugggIeA1+n4E>)d4+bSdGzw0&K-KXqUuD;KdYgrz{>o>jj
z$Y1AwOY3<=-wShev1cz!iOw(=v^liGQD@1CI4^}w^6@DPnwX7&rJ_C%Ya28%2`^w~
zVq{`sWCZ05q_8rOHIz1xgcP?z=*4YvqJf+^uaU8#p@Au|sI@dPjS}ZIHUe^upj<-Q
zn;4alEd-WWz{ufeFlb`rVgkj|z8Ox*mzq6Oe)B9#>nYl+m^9f#@NS^qpV=2S==Nqw
zoDNY<_ISd-?N8hB>(Oc_yxR;+9+<qC)KI=oY1i+oJ7#FSx^KY$Z0?-w2L8Ge$;#$)
z{{Oq1GfA4=)PJ9W!d<(sdFA(66gDlf2)SD*sId8_>!W3o&pDH?OTXp+F*Pdt?bK<h
zMF%+Qt6gs!?kGN8y4UHDT=SKB&0V_wn}m1DwuS`w`IeUTgj7X&hR(}+5`OP3t5ET)
znwF+FMNdj5OnsZZAnSq)yJnG#yY55@gPsRzyOhK7zy4ZjAe*{j_WGwb#&zXcR*fs3
zmuxSLwhZTqJaX7DCp;xhtTw&!e~^oreyL+CxKLPJW>8|l1B?S%VHQ>cW=6*U2C^U?
zAB!0F>dL?sB(2P1XJFHSwLV*@xI~^n)Br;tIc8wlX4$d%T(#-;Ys(kDtS~a_oS63`
zl<`s7(W=}Vr)G-3GTV~S@xS211#caPb@D2jPG1)sd2;*&L&-U#H!3-PlLV8CWve%_
z^iTPI>YhwqUDv*4qDPzN=X{NFFFS4TFTt*D=q)X_qRunXmwB1Fi0XxanMW5td2gqD
zR-Ai5%iVSJB-YrTh+&<Qv^`|{e%XG;Re}|cjB1isL^)kfS1T>u-v0L3HMV<x$9|bP
zzIdFjdu940ji+I6W^mT5e_)!Dt;p-HdvNZ%^PGtjWZBf`O;(<_@l!^F@9&C9w{C^X
vH2$gNwpYoycj_PG8bgjRdOH<gJid10OtXRiC55ukSd$s6{48#nw)_VG!0R3P

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-sig-required.der b/x509-ocsp/tests/examples/ocsp-sig-required.der
new file mode 100644
index 000000000..d43f0794c
--- /dev/null
+++ b/x509-ocsp/tests/examples/ocsp-sig-required.der
@@ -0,0 +1,2 @@
+0
+

\ No newline at end of file
diff --git a/x509-ocsp/tests/examples/ocsp-signed-req.der b/x509-ocsp/tests/examples/ocsp-signed-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..e00213e22ced0495db68af57c849a723306276b6
GIT binary patch
literal 1055
zcmXqLVv#m*GH@`kGq5q>WMkFlV`h?KWndARaz)}qYy;P4p|p>-wmmn_W-Z-a!XgrT
zT}NDov0MMwq{G6N!Wr}SHVMWsF*7nSE@)!DY|zAf-hh{lQ>)FR?K>|cBR4Apa}y&Y
zgB<U#ua7D#)VK|_j?b22?l$V--YT&<k?UuL@b}8J1fh9_i&vQzSl_+6_nk%A<%Jgi
zDz=I&i8UANo~f0!epB0-dB=kPn$%pI`$dW^dQ(KDn8{4(+P2<*s>>Aj@@{n$cdl3G
zyP|&bJj2$rNrKEp{|#3qHOn{muK3JY<nUtE0*=*tpQUw{ToRK`|G1~r-F3o^4`<Eg
zGu>DWto3%99XTSlW+q?H%JZidr|}fCUrT!~6aLCi<(qh5L%4oL_3BwcbGui+dMp;R
z?H31cl5mXfgGST2RSt!5qVXy0Dbt<U@)n8c2whmcU8m2Eku^d)sp(;i>WnD@_d_RY
z*=%Y!_@r0r<$@-r?FLOun}K+}K@;P2CPpT-U^0+3ls1rLV-96u78WWhPSiCrFtN}r
z&PX&eHPcN_G>{YLH8M6dG%z(VG_W)=jRJDbfLs$O*Fert#y|?9T^K`qQ3=peC1e{J
z!4bpH02Jq90>#ily*GE(#mgVI_`TF#vacrf%ll@fJDdM2&dTQ4q;InA`TEko=3DX=
z|LuM+ezz**+@;b<nt?snBi9}Hdvu!msi$w(ZOS?Q?&wpOck%yj)E<)gAo(Kj?PZB2
zi%)6znEIvEa49&+JQfYPcz&lvWqq&7F9Uzh%<5BH3c0j)zI=T?tmaohwZN-hQ=jNt
zp)JQ2?c3Debx%X<VQzd=#68RXp(pgV?S5FiQn%-B?^RxtTMrB$F6MXiO4%QmruA}r
zh2gpG14qKoTwyogDRo8TrR43)%!*OXbJITj_;zF3`I(h>B_sCTzZSPmzOv1QYhs7_
zMjyuYe;T%*KO7p{R(!bq^!;+imBrvBj2uF+q|4Iar++2&!^u0pw{%_oS#);oZR5mx
z`M>J!rEjv_6x?pU{k-XnoodoAzY4E)-@cq$IaQn8meHngNzhEa`m49D*-TH^Ime$r
zfAPJQH&5G1csj9u^h~Q;voK3CP<!`7>v@|W-P*IqOvsht+dbop>$8In&D^oN=tSu3
zCA~W&=1kS^{?NR!L3QiID~~lMn{PZ{f5Jmz*Bbtm3)@ef=*TK%6xr63<(Ybe@t>M<
z`OOc$({3G^ut8y2Ppnplt(1|^^l10!4!<JdwpPUn%uVU>Q}SGI1QdK1h}mtSGxPHe
sE34RrH-(y;_k3RV>!E;FUUbo$R~y$RmgJpbR^*#n%C4c5<g&6300hLqCIA2c

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/ocsp-try-later.der b/x509-ocsp/tests/examples/ocsp-try-later.der
new file mode 100644
index 000000000..39e09cffa
--- /dev/null
+++ b/x509-ocsp/tests/examples/ocsp-try-later.der
@@ -0,0 +1,2 @@
+0
+

\ No newline at end of file
diff --git a/x509-ocsp/tests/examples/ocsp-unauthorized.der b/x509-ocsp/tests/examples/ocsp-unauthorized.der
new file mode 100644
index 000000000..d6ea06598
--- /dev/null
+++ b/x509-ocsp/tests/examples/ocsp-unauthorized.der
@@ -0,0 +1,2 @@
+0
+

\ No newline at end of file
diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-ca-crl.der b/x509-ocsp/tests/examples/rsa-2048-sha256-ca-crl.der
new file mode 100644
index 0000000000000000000000000000000000000000..b54dd8480019181982ec5eb08d80689c08a62e3a
GIT binary patch
literal 380
zcmXqLVyrMoGT>$7)N1o+`_9YA$j!=NAZsXXAj!rY%EBxxR8*X(Yh++zp<A4hXk==p
zo17@lYh-L_Xkcn!Xkck#8U^H<0J$bmu7QYw5ECOanj$nCn41_G8C37_>You=tDg7e
z<NZ@g-Mcqh*E)7@$W3K-|1@Rc|Bjn0_nEBP;w8r#{=84!|BUquccBEk+5>kxnffKK
zzH`4)DD!yXb>WY@<KDfU9MG)uJe)Zvgn=<dtm3AuRkcx+7MEDH#G{Q(vUlI`D6UEM
z;(wU8$i1UPOT+4h%vP_3ruWNT*INEM@^43d$<>PTkbk<2*XMtZoa%IV;TM_bmqHd?
z^H64QWdFLa#N=<848wY*>pz?gz4K$mZ>gQw6<&Tm<HXA&%f4!{-aS|$cCF_8f|jgJ
zd1@P9ta)?qLYc>dPaoI$F`9Gxvt}QtE?n)i>SeuIS9+nejki6M=B~X@i;pp!w%-o`
Dp_-M~

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-ca-key.der b/x509-ocsp/tests/examples/rsa-2048-sha256-ca-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..44c36737088a2b8dd31ad7289e5972d2ab2f0876
GIT binary patch
literal 1217
zcmV;y1U~yPf&{$+0RS)!1_>&LNQU<f0RaI800e>rr!ay9qXGc{0)hbn0KS+)W7303
zWcv)JW{h&ZA!3tA5#3QP{F~6QEsbgz%Ty&}NaPQ;{D#NZTPDa$hA=eXH0Y9mcdjD3
z`_;IZDC*xZ59XbmYk&`a$YUcnod5paY?2!XHBY`UAl*LoZg<}VAhM)5RNZkAAhX#;
z;-(qr31inA?GN~sT5Ii<mSu9l2!DG;+cCIv%XPg%!XAUve<`{xPqGua9fed-PEB=o
zj8uABNmZU|<X7J91rl@We1wARa^!T7mF;VwYS2UnDRM+dEs+>7jNoRvBUW$q`l&D-
zWw4vC<vcTfcWOF;sONOIaa%c83|Yj(F>F_4W)^*CdH+&GHZOHSg#rTs009Dm0RR<V
z1_5DeAqoy)9B!UF#mdf|lH`}tfN4horXsOAE(Pn1)_mtafW`hvJhDa}iQ@$r1ara&
z9GPxE3<c~jsr6c6gQlRg)<UubYO@9OK8c<rfk){0Sw2UOo1ib1otM!b0zEY`)^p=9
zh#E<^XU~yN5t;g=w8w_E7;j$guZWLPM&J3{`UiRn2#3-m-J@Z7=M3Dme~HCHY^tek
zgeNJ;5k_Ljb3oFOji{LlTSvtFi<o}%a0oz56k}8gQVJQ@cLBfSQyV4l!9P=XJi0U&
zuaK%#`U(U}Ole>V4gnAP8g-%IOZZTpErSfNHEbF1+6lqE3+yk3>B~tkz<~mRfdIzZ
zG$9=_X_wHRgOGhO!@Hs+OY@qWR9~FWqc7gJ*lPCsA9J6dZs|_B_gg@Z3dYc7VV=pl
z5e8#MIn630Xh(;dcn?pqxg$&(r*zFvsMbygJYJQhnn8cc9>X*)tez)aB{c4_Ae%2f
zCndhsrFb)Q+r+l`dIV;FdL3`xl?4KUfdKVhi1TN`u;kyvjWNA}b>7z5x(qwy>(s4l
z9K&Qu3VsHIl2-#Op~Sx_>z5?02(n!0<b>r`!F7?@z7~(7zs89-A(_BNBQLihZ$-!V
zYAb^9Fk;1?SEyF5liGCt9;zig(wONt!qRL}sjs~CIx=Lo)VBn+IT&d~oH!0MqJaW|
zfdGZKnX+Ql(U;pBoY4Ni1|}G!TgH|`xqJ!`zGb9XL^HXasLHXP9+4RJh}M1;GGqHA
z5r7+-*>m_Y^ALHoJ;O`(ouPg(YP!dyY|`j;7R~i;d^84ObJugdQ0`|Mv&}9Zl8%F`
z?1wHtmq(O}N?8aHa>`d%!-Y-%j`&!Q&Y1#%fOm+wVG`f!L}j{1bH3$my~LkKBBY-V
zK#IpsxaEf{#9w*?b-qTZMMw9o9PzRiHHJ&F;0HDDgHA1MjAJJs6e3QjVAZLWgsw|$
zfa^To4H|jYsF$l=`qWpl5zoTtzijHKk@T~~hHPArG~4n2ivvT7cPga%j;P_%)c_tT
zfdYYmF#wp8HwX)7)N7b$E5|1;r_#F8GvC?@k1q=mu1A;9k^M^ij;jC1E5ddyM`_aK
z@tg<d%nvR(KIti1^r(_7u6Bm7_BDyDxo_IF(<5-93$QOgsfamt>$RB?jegSBUa8oC
f)rfuNTbd6JruPt_puH5lEyOr-@_Wt}g|qtTE0aUj

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-ca.der b/x509-ocsp/tests/examples/rsa-2048-sha256-ca.der
new file mode 100644
index 0000000000000000000000000000000000000000..2a2b7321db3db66513eb23b897577a7e31eaee49
GIT binary patch
literal 815
zcmXqLV%9cjViI1!%*4pV#K>sC%f_kI=F#?@mywa1mBB#PP})F}jX9KsSy-s3I8oQg
zz{EngI3v->)J!)y(Lhd|*T~q=(7@Ed(7@8fG)kP;*a*lqf^rFIZ(>wJwvdsPfw_s1
zpTVGsk&CH`k&$8F45#Ev&7LX0d6uR16zx?^n(QHXH&E}-><b%od$S}?ho~ldJmKH=
zr|tOlXtfjGZ3ZR}OkPZCC|{?v>-W_iGc;b^H{gFZcTRQ#f8B{>W%D`z|J}`*B+YK>
zzt2G7uHDzX^7||bo0eFF+$|JT*nHFV(K5;BoXOXv-}3*M8kPNa>a^6N1040$uD1<$
z6rV2L>vTx2`AWU!E?xgk!aHSKLjwGKOUrsfs-iqY=Vd(!zxS3^sQ6V)OVgX8CnXc6
zzRg~cb-{&Qv&h9=ccO$r&x5pG%3=9mf2}l-P2Dhi{Zkv`y7DZm#ud*?wiiZQhVw)o
zIc%5{o{}b3n_l@p$i+;*)UlO`nUR5UahXAh0S_<^WQAE+4VW1j{~O4Hczi5kEF!Vj
zb;M;DyY+ufIxK7{oH1{2lVFU2D@a<I#m>N{0jq+Aic91PL=7<Xkz)p!6o4_q$gu3#
ze6HGb`?ci@Usf0ybxzFt5z6?e>}XZ)jZ-tlUzu%5==fjo;exl0!#a5tO{cF5jyySj
zf}!M`(HoT<ze$40#j@3#So)`YKXp$gudZv~GSQ<=^K-sNxtE=`_m^PTHuRPjTT$nk
z=*zs!TtxLkz|5nIpS-tIJ}b_>pylqmc@k@EPsFfJN!lJVeZOo!<0`=lM@BWtE25k(
zr>m8gZf}2k>>ArWzhl459A7+6*S#`*lE%}pH#0bE);};!$yVfb*F8A*-FeQ$39@YJ
z^Cm0L+xRJ?!S{E?q+7Q_Wg7ofa@(uq+&lG;ag8Cz7rmW|FCJgJai-b8|B^ykXspSM
MRelz?Ok4f~0PyoR=>Px#

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-crt-key.der b/x509-ocsp/tests/examples/rsa-2048-sha256-crt-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..4a889a8d5dda5d89be730c243f10e18006e856b2
GIT binary patch
literal 1218
zcmV;z1U>sOf&{(-0RS)!1_>&LNQU<f0RaI800e>rs4#*Aqyhl|0)hbn0KqQo+^%0A
z!#Mk;KN*gEW%TcZBHXk8A)0FlvM)5Y=dX4BH?(gd{=4rN-Fj5c(shz4QH<AFuE71p
zmM6;P?XI$H%kIVHMDAby*nPqr@EPb)?b8^fqsk~uHBMxF3Lrup;}ulV&$&2xe~mQy
zFi#0-d&;zN3M#qj>(5qv`cQii>Wwu_TiR8G#-hHmhl<`PD&cKkf>_=;zg5UCw!7hT
zsV$7%jnxe_+TbzaqYpt!WWQc!D(Sa)G0uy?#8=GJ2RFGI)F|m0+tULfT7#Wt@c8!F
zmd}}a-5FTE-_~BXA9;pE3XzC6u}lH4{D8O5!&O~|bHj(r-**A2a{>ba009Dm0RRS&
z<vkSgC%(69nlQXtBJoBubJi9CN-ZX}_nb1#j9>7NMwNq{`Cn3;>_<CRv6kki8lP%)
zkyl2z`D4PPdr&G(XEZ@S*{qM7l&WA4-g4}=fIeWG=uoEE+R8r(TubfG!E%^!gBBOs
z3kxDn2q@<+&o+f?zoFDr@Ky5sq7TB>8UHLC<Hj7D^9n&Y`es?t$z1yZ2^nB?hRJ>L
zv2Iuft(|kWcrRU9fwAvl$muTw(}q~uc#K*JwWhAYFu&dQsGvrNPBf(1^?Hz5QXzM`
zP%jw)cG&iEJvc<|coUEXc>tL36J_m2B^w|TC8|Z@mr&`hU>twqj0J}yHYEaqfdJJ(
zfVv<4*raaGLy`}TDRO_1{dt=PxfZi3)C{41=3ZF1VV$gGryj+*lREB}MQ7$0oa-JB
zUKRC6F4H=$-r<k*eE)}6i$vw;av@Ki0f1Vfo(%+|Fb3{6JnG)fnCU#cad$UMB3Pvf
z+Q4-7S-|G^uYK=ZrHo3&wk?~y38w;qfdJ>{caSuxRjIQc@b-K2lVeE5h$pH=Pcv~7
zMyh8fAs6cpBVtQZq3Gc0G%48bL_!ds?%6|cDm+fK?+liOPPY|#ukQr)MaV)<8RzZe
zU&f<^T+h-3k~ftq_EMAlqh||+!+4<De=ryd?!b)Vk!|kJ=g713#4pj8W^5vkgH-~7
zfdI3Ha2mh@r&vwfpm3gC<gR)Pk_SX(wS5tpm1l^suDEa!&_j<jFsLjg+;;g9QXX_l
z9+ac{rRMNdTWkRH<F}ccWqT{}o6&`ZfWzP=koW)8^d8%8x#g?1$26uI2!|NeKI8C>
zbiI)}DTrw<RzjI=o3r)9ek%)WL%~B}S@QycfMOy<DMat5ZDD*RaoDgCUBOJfx-&+T
zCTyZWlo^CP8rT4q^PqM<N5bt)f~@A>0jcp*?4qfs5YQ>6!w2gxjWA3{Q~4kzz=5`P
zCH*(+uC76I*$Kg)a$oRAK3JPyHd@^01LNhgPSVZAjJwgG!wG!%Q>r@bd1KQOr;XGK
z<pP0$0D;V2Hox#(JUuZVtkX+g%C+ITz!7sQv?KVlhW5tiFy4W@6(c!XKO(wg=y@J4
zxNTf>y-MB24*;={18Y+zEx;$h7|6)cih{5?UZW?RsV(#BD-Z7k-!P4UV8{AXyU*n&
gN`PY>z@dS-rQd$OKy}B`v`4^bcHGRmd~dk-=5D-P$^ZZW

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-crt.der b/x509-ocsp/tests/examples/rsa-2048-sha256-crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..a8c45aa12a31ff507c3909fca8a44cee86208644
GIT binary patch
literal 691
zcmXqLVp?y|#5kRak;#CUjZ>@5qwPB{BO^B}gMqA}w1FfWb0`b5uuxHPqOOsFiG^-)
zMxv3anQn5Tft)z6k+GqnfvJI^fu)IQ6p(8M<eEUa26Bcn22v31!Wi0%N`RIsA=}8v
z%D~*j$j<;2=VEGNWMnv~_vX&Jc=^K?zn9ue_SK|*dEcybXY+r>S=k($^i8%sUtjvy
zd`rIKzuoV}?^cDJyHq+!GqC4+<hlcYk4{rR_4Mt!O*yCE9ewKZF8<$*+CwrQBwqx+
zy)3b0@hJ@-Q@@lNE(Ir<$D$z@&+oLTtnW4XW#G@5S$%3tA(z(9m#@!<)%*&m7I@Wb
z>Jxn{wB^{MeVf|5?rCT}%#Ck~xM#UP^n~8F-4Bab>h|32y~=BH>w)3J#r%$5Df{En
zv|etnFg(|N;7ItHE9~YwrLJhal)QbJSuv`4ZrX<*-)>AhKeO_#WW>Jv*W$LxSGKuu
zP3$n==)<`FPs8@}heKoAiVwG+zF*F`vY3gPk%198gn)4Z3?W7amIgolE2$q&-ub<y
z>*~*<vuke~C)UgVRd+9aljWx1cJuA$O=s*>lYaSCc&+>P<<!cl+U&NBHib)qX6n^n
zy>-oIdcw{*{`~oi@2$Lf+D^jLiS?srTHTt3S(1U;yB}K5+x+O(o;_wlt_<Jq8DCtV
z9du~sj@3mcLT4}O-61h&s($x}=8X-iTPI$5tTEYq<N5j%9um9O@TXkZe(FR=Rw<*%
zww^4{)EkWd)RfC_e(;@k>&S!+3d?$8wK{C2jC`g?yGM8U6$!VsDo$W-N{^qC=XxWc
z;JZM~ZVR26pKn-M#V))l)ZD!1^RizL1+?;_i{8B2xHhpQ?+mjd-_%le4W%TPm307}
CS1f`6

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-ocsp-crt-key.der b/x509-ocsp/tests/examples/rsa-2048-sha256-ocsp-crt-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..b325ece9de7ce6a4508b911e8c0df72dcfdf1a74
GIT binary patch
literal 1218
zcmV;z1U>sOf&{(-0RS)!1_>&LNQU<f0RaI800e>rs4#*Aqyhl|0)hbn0ETq~muhx1
zxlvBiqURb1L=wjde!_>JDZ487EK*x)LS3?G1wwa5W>jJ6UR4>;StX&qWiMZZs6hM$
zI50f?TAxM$l<0nJdUw!LeeYM`>WQgnn_rl7wkG5h5zCe++P9;)IS2`ismKti<mw>t
zMcgcNzdEGQ^TW~`E0C`+yIL3zkA%Fv_sK5x|F^$YMTwUMN!`8k>2FHLuee!RPBM(S
znPfII>~@KS3QInIy_r+3^v4OKajezo_lFWLM!Vu-0C}U?@j(>;V<C#04+c25`*$2#
zG>X#+&CxQk#%mbhh1YD>uRQ=m8vy4Jk3i0_u$NQo)hP}WiNGQv_W}a}009Dm0RS5-
z@_E|r;4TLoV!XibC7{3>u=I%IS8CgYCr2@@f1km}m-W~rx_MiC9qA5Hl_f6GtmIAF
zgSc$TfmDTy4TMs|mcoGPYl@^p*(cHhbX9RwX6s)%Gsq9S@4{H#6N`VS`bDfZA=3S~
zKwchVVc)n)(`iMtp!H%AN2FRT%`gO9Xe*Pu4z4LM!PLLSam>*H>Q5lh=u4DOz-#1!
zHNmSqmZSiBwP4=7GOh^%#AAh3d-DXEFE^J|L^Pts$Dp6~zR)j#4;{=yrK45$2?CL<
zfJ$B%_9pB&c~8gfN8PX~m-^@Y94zfPb6OWSOw&ot+TF>i_t`w+iJ!Z+CqV*%fdIM=
zW@xKorh{?E6xs}oWx<?Dc~@?r!<Dan5L&(039bHnWyg;Dyp{@yfaunNO}Qk@caG;D
z$KmIh{I%4hLJ+MXstH30VDXfm4yz>+2+|BLqKBeZnJBp>Bz$Ec51WhWBZ%@+tJ1e?
zf4j2Qma{Mjd3bd}!)<`BDJcx&$KL{hfdIJx))MC=6Sz966(=tvaSnk2KRPqJt5m8|
zbN~GDOT!_?=|h#WsOT0u)H|4Q$AanzJ3?RqnFytcQ^cLVAeI<1p|}6<Q8=qc<d`Fo
zL2cdrtjQ$f4TKbaWRxGNd?lS1>*)qwG)6E*&vr}8mAI}e^a*S^Kx2!st7V^Q=jj50
zfK+}dpQ{Bo-9?l|G3d1MnFS({%2nYAF*oY5yrZqYC71>6=)6=i25D}bZXnCU!YZZs
zJ)2ZvZ-c-1b&|z7L0x`^JA#M>&~MLwmDN?{PmWx-PNg_<fqml=IJ2wes+-jsU>v*B
zZ}k8Qm+;kQ#-%Tm3Q{GtTuUv?Uuq2>JpzG&0G+Ai#{W%ou+i=rQ0I?e&S#3$gPDsO
zoN)UK_~C34ksZ7f7m@%>ie5-&y3<rdAAzg7H2U=6qR7ykA2<KZZJqh3aMK|5D?)6H
zY)k`!t4l!Pd>Vh22{s+^L3=7muN00-a<K-Vt|5J$EXT8)$zw(O7yYkX{CO1BX(`TY
z;R1ny0G(fXI&(KA$;B<NC|f;?XLj)pAJ+y<?q2CU$Ac2^FAH~GdTn?9>+CGutKvEI
zpWH4O1)WF^B-6z*(P<J*Up)Rox*HUm=(Ul3>+TKKbjW80(~JYhQOhIpO{GRLEpPg(
g0^R{>;WycAHg;iAT`B%&&c>Wz&ONB=KwEqf4to$qt^fc4

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-ocsp-crt.der b/x509-ocsp/tests/examples/rsa-2048-sha256-ocsp-crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..aa671c2380cd42d6bc3d49b9f85618767a7b77a9
GIT binary patch
literal 814
zcmXqLV%9QfViH=w%*4pV#K>a6%f_kI=F#?@mywa1mBB#PP})F}jX9KsSy-s3I8oQg
zz{EngI3v->)J!)y(Lhd|*T~q=(7@Ed(7@8fEDFdq0dh^CTmxl8MFV+=b_sOt`N_ov
zy2(W)22G4g$ksBlGB7tW@-qO%xtN+585!D2nWtx!8Sf1AyR_)J6uXPian8C!?ejHv
zYkk)Viq3M1-IT%VRPL4*lK3(%RPsWk>cV}g`tdC*9R9Fc7})%Yn(xLi<wadiRr!UW
z+V|lPUUja_m>oZ(c$?Z25y8{bG;VEQyu*@%vuEWAft62QDSULjqf@-!YRQGqhc8KM
zPgrlTJ4%ATzh%$f?<e)X{@=bo)U|UutLNRlpI_#C9b3O6GSbheXXnfmGvha9oh@A6
zc6EDa2Cw~coO5yEnyW9qw+rdH?S7QRP`UW#M@LbHWW}!8{A?E6f0xTdnRH#|JbTe-
z<FRas2d&q0uC2FaaF%9xF3|6AZo`J@!LP4s@(FhyP*VEN#LURRxH#V+*MJikl(NDs
zOa=@F+#n`D3kx$7>jMK}5J#1T$AF8CLz|6}m6e^D(?Av^$j2haA|kim(7J2giJXpQ
z?~M%J%C@g}_5KNt7FlH$2?MbPk=W}x;xdfg`oAU}7Pb`5n76k{Fa|kFfGGhOC5#Me
zd421%5<9i*e=U0C))H59{$l*aZQ)B!>S*w}JjuP4z`0FK_`|mV{om(qUA>VKmVH3%
z8*>8lwv#N)2bpDpUOO`U;ZC>`!`8pP;`iUwC5rqiS)m^@T=xWQ<q`W~AAaufy3Q>V
zyF@zz^<KZe()-a!!mi&aabfQ!#p_$LSyJC6UERO1Ea_#gOIhjGSpm;E?U+xW2<OS=
zz4*eg<%H3KwBwh`)~vnySXogpghN5&AkTqWdosB8eOWFR?!8=-@0|O~FEg?nm-x)x
zYt4Jt{-7|o<3tAat_6&l^ILDHJFNKn?3lwp|JBz&%{ow-Z#(bum(L%bC9K{b^|Mom
Nb3J?ZY$LG?8vxNvIf?)P

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/rsa-2048-sha256-revoked-ocsp-res.der b/x509-ocsp/tests/examples/rsa-2048-sha256-revoked-ocsp-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..570cc64651ba6077595a7d180fa717504b07593f
GIT binary patch
literal 1310
zcmXqLVwK`zWLVI|Ds0fi%Fo8B&Bn;e%5K2O$kN2hV9><!$DncjLRAB0Lq!95Hs(+k
zW?_k<;zV5|0}~6~;*3NiQ#0NC<l+L|<f0M@ej@`TV?#p&Qv*W-OB1swgHnTH11keg
zHdbvuW+o|C1{RSiS0qlvHgJ6wO8aPQ+jHY=*3#W2EF!Vjb;M;DyY+ufIxK7{oH1{2
zlVA)JBlAK*G$T!;&;-n)7C_XP0IfBFS<B1DsnzDu_MMlJk(-r)xrvdH!9jJ(GQLiM
zHE)i7ShVVp5})bO@=7_5zTR2!Z#t|N2|BzzaWVVUeYHagPYQoes5$*9S;Tm6TdHzQ
zIq&jAr!EEUzZbdjMec*e=O&uuf4jT5vAH>o#c&Eo{t;itd)%|XeTn!}`uxYX1J9pv
zESXjx>*yzu%3bwX{m<DpAC6a3{(QR0*uA(oitYZYqrX$Na-@oVBN~dnpAxJ4En*y?
zdt~O!xKnvGoAiz?ySn`Q9gV#c7H3IV=q-JG<7H?;hF9B>IWsf9pAbL$RwdS<K_XOF
zEqA%}-xqc>#P6CekIMGiu=}W$+XH7^?@8>Bi{=D~UcWsd;pzST(a&s?e*}Na=K8?-
z$hi6Rf+l7ogC=G@Al5QyViH=w%*4pV#K>ZR8de6fhSCO-ka!kCkLTn>137VClo$qb
zQ9_=WWMa_7sDx}SBRGoqfr*WgiwP80ZKcf9v&xKj2KrrE^jwPFMd&zZ-J$mRn!B~W
z>jXt-ImK?uV09{YOAASS85b&fAyReWzEu7AmK6?vSS<`}{zT1pW0>-yE~l#eLQw7d
z@CUCtS7ywPpHaL`?TLus>1i6bwlCgc$-&vP@`S+3C$AJfy57+#-fy+!!so-6q_rok
zH`onKWc@9B_I^L9_x1nw{h_X%(^)<5?*05S-|N`=9g&fKMm;-crkEMODeG+E^0uqn
zJ2QCgm*bp^3)ftI@x5J0&u#akB!<exH$OUxG9)W@&E{vb*#5g*Cd#DiGUwTgMjMZ1
zOFU@3o^x%zErYW(!*hXthjSY?Ob>p2Rg+J+^MI1lcP3^=2FAtt2D!kT!yGCr%)(^A
zV89Jx^0TloGqFA}5C(BnS$GV%*f<~=mYLH)79_~WBE}*jx8BgYYu$;Qj%DwS4BpDN
zuXpwS3C_K;$}AEFVhvdH8*-Gua*bME-}<b?PA&UiiypbP#MPX?7=LkF_>z-48hkEK
za&IMYZW9y!@GU_9_qkhFZ={4}9}xS-oWQ*8Bun!_W|^SZjtqae6RyOt^{=n^{Wo=q
zBEL#j=*JA#Jpo&J#D3U^pL@KnbIZgo(T+g9*RQYiel(J>>o-bV*t<#b`j%{#)OSf&
z_b)6<dYS7|R=Raoz;jMJ=F=y_d2)F#zA$V#VYDFa_@%NnYp*_5Rul~3P|!HYb70n<
z46c1&mWzdZFW2Nd=l=4`j4a0`K6Ce4^WL>TD9r6RkwLv{0b}O;*4yb0E51HE=J3yd
k_4QA)4pipb&b$2O^M_{%tM^C!>=fc$&z?QoNbJG}0J;zPO8@`>

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha1-certid-ocsp-req.der b/x509-ocsp/tests/examples/sha1-certid-ocsp-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..348228bfdc7865b0876f58257fce2b9114e0f98c
GIT binary patch
literal 70
zcmV-M0J;A#L@+`yKrlWqJTM6c1uG5%0vZJX1Qe9i7|30K3iA?X@jX3^*v)FCyL1E;
cUDqrZ907|j`jW#FITL7}y@C;30s{d60kbU?D*ylh

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha1-certid-ocsp-res.der b/x509-ocsp/tests/examples/sha1-certid-ocsp-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..bc739d7012d9bca3f92f7bc0d51e42d4aeec0594
GIT binary patch
literal 1296
zcmXqLV&&mtWLVI|%4*QW%E-p4&Bn;e%5K2O$kN2}$)Jhlok8P*g{lV1hKdIAY|No7
z%)$~y#fiE`1|}A|#Tki4re?bN$;Ab_$weg+{6+>w1_p*e2nJCGX$C0<HU^w*tlE6c
zOj4{2EFx2`NSugm;QB0-_R-e1=f>HrrMpX5L}IV&h|4f`>;IZ`SlCiHW8U5-!5AiH
zMh3<P1`I<N2x15s@Un4gwRyCC=VfH%W@TV*Vq|1cYWVz@Tg`dPqx!b3GyiIq#0L7F
zTV$D%b?`!vLaD+0H+~{rfu0}dF!prh71W*l7?^08bs<wPtS`puS%tGT^NHCZbEK74
z+_-tzqf?swN)B6-_$9sIWAb5zn{-pFTj~$(5tY4hLhN<zV&477e%p&*zSa0F@H7X{
zH+7S&zT0f|X0JY7D}Ql?Wsz>jBn5V*&VQd(?@x-kC|%G0M2d5#dQzrO``uzYQQwe2
z;WdYvgY^zb$O^C<T1{uz_+awBa<7A@^Le6H7Nq|DADy9F$uIEs*NPXqYAb~w-c#$1
z%GX%D$#}toy@7&pw|^b`bmYWM&3?r<PAYFauei_fj(<7DP5SfZ1x?Jx22ITRK&)-h
z#3a0cnTe5!iIEX4tPErgr41w@5i5iqvB`-Ba^k#3#)gIlroc$GG%<}5=QTD0a*d!|
zLfV@cm5?oD1V;`(gFzD`7ZWI!_RVlgzSQiQ@|$N_T2Ikl#iYp|f_DS;{>;9xLAN(c
z;&g~=vd0ttZGYO1UyoKh;oW9n^1$T9q=xc!O1pkv-7!Ps)qMm0XLILdH}Kb;NLDtV
z^Z(!7oJrE`rvCd36z<x6%`3mpqOfU+MabPkL50mXT^}uze9oDCUHUEmkEv1FZ>LU6
zEjqwaU+sF^a7Xd!(!EZH<eIP4YwptZ-z2<KwlyTc&$qO!C!{LMGjv|olkj_QS%r#U
z)wDFdDSA>eVd~rL1z8td*fon>+;t~P81y_y+oc?q|Mk~O1KHFKv)4bhF|I4mvT9uM
zykvV}v}HI?<dMUMIpHa3Vzud&|ASo2^h+IE!HIlvnL&vG4=@g7g;`h)m>C)W8_0rq
zd@N$vvxb2yNLrc2&cLPtYu;I?xI~^n)Br;tIc8wlX4$d%T(#-;Ys(kDtS~a_oS63`
zl<`s7(W=}Vr)G-3GTV~S@xS211#caPb@D2jPG1)sd2;*&L&-U#H!3-PlLV8CWve%_
z^iTPI>YhwqUDv*4qDPzN=X{NFFFS4TFTt*D=q)X_qRunXmwB1Fi0XxanMW5td2gqD
zR-Ai5%iVSJB-YrTh+&<Qv^`|{e%XG;Re}|cjB1isL^)kfS1T>u-v0L3HMV<x$9|bP
zzIdFjdu940ji+I6W^mT5e_)!Dt;p-HdvNZ%^PGtjWZBf`O;(<_@l!^F@9&C9w{C^X
vH2$gNwpYoycj_PG8bgjRdOH<gJid10OtXRiC55ukSd$s6{48#nw)_VG-B;({

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha224-certid-ocsp-req.der b/x509-ocsp/tests/examples/sha224-certid-ocsp-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..81b850cc611bc9a9515a88fda1d793ba9050678c
GIT binary patch
literal 90
zcmV-g0HyyhSTI&FR4`I7P%sS!31Egu0c8UO0t5vB1ROmd2h>;AV@nSu0mmBK9p%Iv
wQBnu=AZl98rC<acDPqbho#&&cT9)d<10PUmP4%@8US>7k%hye#0s{d60jfeCIRF3v

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha256-certid-ocsp-req.der b/x509-ocsp/tests/examples/sha256-certid-ocsp-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..55ea9213ad9fa6448ff0519a4d56b812fcba81c2
GIT binary patch
literal 98
zcmV-o0G<CZU@%@VTrgTNSTGF+31Egu0c8UO0s#d81Rw=qc&-(Fo3$}iv8(ISU{}^8
z{oS7lu492tkfUYvM8yOk6~lUnF(T6YZNI2KJiU|Y?)Va3Ki7qFOT;amZ@M|R0s{d6
E0jB>Zga7~l

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha256-certid-ocsp-res.der b/x509-ocsp/tests/examples/sha256-certid-ocsp-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..fab85a7055f37d12717f13b79ade550e4fbe1f3e
GIT binary patch
literal 1326
zcmXqLV%6eeWLVI|s%+52D$mBL&Bn;e%5K2O$kN0r02JaeXxz6@)j-)$(LkP!Ih2K2
zSfZ#nQP;@8#6q_?BhkpzOgBHdxIj0#s6>L_$iT?Jzz_(*Aj+Vz*`Tq(Ai{u`jWeOm
zgE5tvg^7`sfklBep<<nA?d+|FAsbh}zLXGtP37<1`JC&L8~r9MPW|F?ltn@Ga8-w)
z(xu<I`&Zc6?4A7b-4CHS`|GVm-bZxj=I^rH&cw{fz}UcmVdVlr3?Y#1T5TR}-+37s
zxmg*Qn;01xswDr1@On6UstfMeki_$K`-#^Ai4wkj4<=+Ai@d+&_4-+z=el`rawoUv
zHW#}Wy05qX_TohBQ}Z9MBXsBM_Jpz)OV4XQ^Y*^MT#?(;pD$S2e7h)Zp23^7o3A9>
zhZ#&?_4uH|slZLWi2{|)AB#@5u94??8KQ9@n?1!T=Ry15bNilKJ_=dMHBTU(-Mr|4
zMN8tOD*=5zpZ4g*a|KHGl$k^wG?~m|6keY+w`-|lVW*tDTGqn%4re3e)*hUE>hH}n
z6U3%5tvXn+!?349`pquZIdxxM0+!aCy?pH9xrKJZS9|v@ezI^?!z|zZ5B_o(O^8#?
zUTQAcW1jKZ|G%b~ZHmc0rb7#wn2imZnDv2J+n|X_cmXpLBNG!NBU)G)$Qnu;NJ64r
z2tC@96Ak3Vd5w$>4Gm0zQEq8s8YRwaYy{*QLAivqH!&(9TL?@Vz{ufeFlb`rVgkj|
zz8Ox*mzq6Oe)B9#>nYl+m^9f#@NS^qpV=2S==NqwoDNY<_ISd-?N8hB>(Oc_yxR;+
z9+<qC)KI=oY1i+oJ7#FSx^KY$Z0?-w2L8Ge$;#$){{Oq1GfA4=)PJ9W!d<(sdFA(6
z6gDlf2)SD*sId8_>!W3o&pDH?OTXp+F*Pdt?bK<hMF%+Qt6gs!?kGN8y4UHDT=SKB
z&0V_wn}m1DwuS`w`IeUTgj7X&hR(}+5`OP3t5ET)nwF+FMNdj5OnsZZAnSq)yJnG#
zyY55@gPsRzyOhK7zy4ZjAe*{j_WGwb#&zXcR*fs3muxSLwhZTqJaX7DCp;xhtTw&!
ze~^oreyL+CIFT<dGbl0O0mgx>Fbk^zGb7`F16dG{k420{B=)+FxC~>r{;x@gg)N0M
z=Iw0~j4^NpNh`D18Q3&nRj^QTi9CU*0fs(u%)qkEvSahPYSZo4mM?r+VPw=fG4Dqx
z<D;^pRk=4#%@luSwk4tCf5C?f-Z~EJ<W)4CzAiZO<oF4Ol5<9HRC4?#2__fIR&QeI
zpYr|GJ(;|^u6@fyk2cNE`5NV3cG})wf?eCtTUu;IooAvi^D=W0)e8YLk1l@l-cI?f
zIQN2<yX)pjtg$^2!#X8td&u<tvi*#!1S=dF)g-Toa=M(ZR$98f{q3=9Z1?<*{W5cW
z@i<-g%JfMZPs85K;H+8yz%(UWk=I@K;M{lTITI(yvZ>FTtUPbyr;G;Q-xZT?-3pay
u{8Pzouaa}`)IY{Gh8$n?b}GJjeC@`WW&{6A3T2_OCNoy~S==&h`40fQ?EMq~

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha384-certid-ocsp-req.der b/x509-ocsp/tests/examples/sha384-certid-ocsp-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..99d6db30ccbf07b03189a3d8edcd83b9af99d7f6
GIT binary patch
literal 131
zcmV-}0DS*2fq*c6Fnln2FnBNx1_@w>NC9O71OfsD00c0X@2``8CN6Tx$p8CQ{k)&M
zexp;(gM8o`_VCn+t4_(TO4lTW5GITx`N02CVY?^<F!fG&GCXntxyP9V3iDs%ycCk!
lYYzQ+oPfGTrV-7-DfXw3XRPr{gESA}BF`fQ{sIF500C|}Itu^*

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha512-certid-ocsp-req.der b/x509-ocsp/tests/examples/sha512-certid-ocsp-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..6a8a2605af89f43cb3556abe51428577dbde7afb
GIT binary patch
literal 167
zcmV;Y09gMpfut~jp)i4-FoByeftWB21_@w>NC9O71OfvE00cm4=GA6{D<N%Fzdwx2
zyVhdl*O=Gk{AAAN%QfF%?h%17T(Wd_CRPgiy(zbWsib2Y4f+}da&sfIxE||N<#~Yw
zK>n;Ih|ys~;Sf-+^UeC?<l-Ihk3gyVKV5*3JA;%^?kQpdW3ei^FFu3>Sfqy$8MbwO
VGkop21WSrvayemM1_A>C00A*<NnQW|

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/examples/sha512-certid-ocsp-res.der b/x509-ocsp/tests/examples/sha512-certid-ocsp-res.der
new file mode 100644
index 0000000000000000000000000000000000000000..1a54a0d17259212d830ce59418eceb0000e09455
GIT binary patch
literal 1391
zcmXqLV$J4aWLVI|nqttzn!v`X&Bn;e%5K2O$kN0b2o&-)X#BrW)j-)$(LkP!Ih2K2
zSfZ#nQP;@8#6q_?BhkpzOgBHdxIj0#s6>L_$iT?Jzz_(*Aj+Weh(Y5)gT@&Kylk8a
zZ61uN%q&dItPCs;S<kMfHES#8hVHlTIlcQ@(v#~mu0Q>ga_-q_)B6eU1RD)vHkFjA
zg>n7btGT^#<&tD+-d|FzMa9aScgVdCd0N@X;_z>cTF1pi=Z69T>pq|T_2kJT*$@2=
zD}UL?HcYT?o)Yj*Gl?mAqt;G+yB3y+CGCQe+e&MVYu@f;@$QN*vP_I)V`64xU~FK(
zaPtB|3?Y!~wc0$|zVk9Na<eipH!(6YD17wr)^>VO)2rFny6x*O-@0l!mPZUex8Fbh
zU;NALhIZPe2Nlou=07>hG&^%@yuahi$5r1M%NW(Jx<_5T-uypnrA+@*T^SZv4vV=R
zG8?{k^w?LwzLCW>`SaR0)elyi%1?bGzB$#(DfY?>8%^J&7}?|N&Kiik6q)BF)xh=i
z(r#ws*ZI8%=J|WZJ;}T^&G&28#CiGewjcR*_FDe(>0czZTleg@KFcY)%aw^^#>)8Z
zYD!ma4&6UE^-XZn&SO^@QXLP4&NF;cIIRg7IfvYs|LX|q{d18w&`#XIQvdjQN&fc6
z)ox+BUrmEo&%fl&m%c=OLWbzU7}rUUb(3XnV<#+?yRx8(+1Q|oSs#eC4VsvQ7cet1
zGBGhSqJ@=#tf91lBqZGkp{JYVL<2c-UL#{eLjzM_nz1x7jS}ZIHUe^upj<-Qn;4al
zEo1~o4nKoI6C)QBD3<oka7w<^?3wbLXIWZL(O$)*$sU4t1NHvQzOX^JH%sDlh-$LO
z6aH;~+Kyk3Ry*O{W?=Hb<i(_h@^wnPeqY@&L*vzb1O8`o=VUkV*PTdKHlOqV-`$)^
z((I=G`wSHB+I`I{zt5tuX^BP1-9kZy%{N^iEt7oCnS5RPE&q?HQQ2>&PD?F1z)@fA
zdfRYE@#)gNPKV^0uheVq()HgYyi>L{B*4$Nw5%tjD#|l-Ue=TFdv95VieJ^VG`%T$
zQZixc+w28d7hKpii(K4wCrTLfJV@K69G3s}*GdD~)D5%OKeaKgE6=iOT=BeQdttO?
zI8Wq}!-hHGDQRN0>6QP3T+H-K9b3VPd~umUi2)BV4rGN{SPhsN8UGu|f_Qu^Vk{!D
z*LB2Y7`yd<O*$-WDV#BHZ<An*fh$N_nZ?e)rU9#hg^Ek$2}BJr^pRr*mTi_Do6l97
zZojsC;mZmmqt1zWKSCKFl^w0hy>V)$_$#w52_63nK3wqDaabp>qUrQ?!I3A&PcW36
zGkT+v<2Ok#xmdP(6HEV;@2Bp`<kfZUTPAw6X@1VvDEG3{_Wly=+J@fJVk_!A6MdPN
znTx1i2$*?v@ssy<%4fy77qr}6H&0@X?THxHDM{Nyrtg>SXIv#%;mD{ac}0}d<#e^u
z((UbUk6mNC=XdOvnd6Jc>AF{@PttfA_GSiW&H4wXDcOp=?z#u(zB|vEI6;<8ecoi{
zc^f}vH2D6mm~`t_s7&LZN^X0VoO`GKF|IM>_@cK{@x|k7H_kL0_+L^e3yn3IvC7Zl
ImTAj>0Q#37NdN!<

literal 0
HcmV?d00001

diff --git a/x509-ocsp/tests/ext.rs b/x509-ocsp/tests/ext.rs
new file mode 100644
index 000000000..175856adc
--- /dev/null
+++ b/x509-ocsp/tests/ext.rs
@@ -0,0 +1,220 @@
+//! ocsp extension tests
+
+use core::str::FromStr;
+use der::{
+    asn1::{Ia5String, Null, ObjectIdentifier, Uint},
+    DateTime, Encode,
+};
+use hex_literal::hex;
+use spki::AlgorithmIdentifierOwned;
+use x509_cert::{
+    ext::{
+        pkix::{name::*, *},
+        *,
+    },
+    name::Name,
+};
+use x509_ocsp::{ext::*, OcspGeneralizedTime};
+
+const ID_AD_OCSP: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1");
+const ID_PKIX_OCSP_BASIC: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.1");
+const ID_PKIX_OCSP_NONCE: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.2");
+const ID_PKIX_OCSP_CRL: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.3");
+
+//  0:d=0  hl=2 l=  25 cons: SEQUENCE
+//  2:d=1  hl=2 l=   9 prim: OBJECT            :OCSP Nonce
+// 13:d=1  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:040A00010203040506070809
+// --
+//  0:d=0  hl=2 l=  10 prim: OCTET STRING      [HEX DUMP]:00010203040506070809
+#[test]
+fn as_extension_nonce() {
+    let bytes = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
+    let ext = Nonce::new(bytes).unwrap();
+    assert_eq!(ext.0.as_bytes(), &bytes);
+    let ext = ext.to_extension(&Name::default(), &[]).unwrap();
+    assert_eq!(
+        &ext.to_der().unwrap(),
+        &hex!("301906092b0601050507300102040c040a00010203040506070809")[..]
+    );
+}
+
+#[cfg(feature = "rand")]
+#[test]
+fn nonce_generation() {
+    let mut rng = rand::thread_rng();
+    let nonce = Nonce::generate(&mut rng, 10).unwrap();
+    assert_eq!(nonce.0.as_bytes().len(), 10);
+    let nonce = Nonce::generate(&mut rng, 5).unwrap();
+    assert_eq!(nonce.0.as_bytes().len(), 5);
+    let nonce = Nonce::generate(&mut rng, 32).unwrap();
+    assert_eq!(nonce.0.as_bytes().len(), 32);
+    let nonce = Nonce::generate(&mut rng, 4096).unwrap();
+    assert_eq!(nonce.0.as_bytes().len(), 4096);
+}
+
+//  0:d=0  hl=2 l=  63 cons: SEQUENCE
+//  2:d=1  hl=2 l=   9 prim: OBJECT            :OCSP CRL ID
+// 13:d=1  hl=2 l=  50 prim: OCTET STRING      [HEX DUMP]:3030A0161614687474703A2F2F3132372E302E302\
+//                                                        E312F63726CA103020101A211180F323032303031\
+//                                                        30313030303030305A
+// --
+//  0:d=0  hl=2 l=  48 cons: SEQUENCE
+//  2:d=1  hl=2 l=  22 cons: cont [ 0 ]
+//  4:d=2  hl=2 l=  20 prim: IA5STRING         :http://127.0.0.1/crl
+// 26:d=1  hl=2 l=   3 cons: cont [ 1 ]
+// 28:d=2  hl=2 l=   1 prim: INTEGER           :01
+// 31:d=1  hl=2 l=  17 cons: cont [ 2 ]
+// 33:d=2  hl=2 l=  15 prim: GENERALIZEDTIME   :20200101000000Z
+#[test]
+fn as_extension_crl_references() {
+    let ext = CrlReferences {
+        crl_url: Some(Ia5String::new("http://127.0.0.1/crl").unwrap()),
+        crl_num: Some(Uint::new(&[1]).unwrap()),
+        crl_time: Some(OcspGeneralizedTime::from(
+            DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+        )),
+    };
+    let ext = ext.to_extension(&Name::default(), &[]).unwrap();
+    assert_eq!(
+        &ext.to_der().unwrap(),
+        &hex!(
+            "303f06092b060105050730010304323030a0161614687474703a2f2f3132372e30\
+             2e302e312f63726ca103020101a211180f32303230303130313030303030305a"
+        )[..]
+    );
+}
+
+//  0:d=0  hl=2 l=  51 cons: SEQUENCE
+//  2:d=1  hl=2 l=   9 prim: OBJECT            :Acceptable OCSP Responses
+// 13:d=1  hl=2 l=   1 prim: BOOLEAN           :255
+// 16:d=1  hl=2 l=  35 prim: OCTET STRING      [HEX DUMP]:302106092B060105050730010106092B060105050\
+//                                                        730010206092B0601050507300103
+// --
+//  0:d=0  hl=2 l=  33 cons: SEQUENCE
+//  2:d=1  hl=2 l=   9 prim: OBJECT            :Basic OCSP Response
+// 13:d=1  hl=2 l=   9 prim: OBJECT            :OCSP Nonce
+// 24:d=1  hl=2 l=   9 prim: OBJECT            :OCSP CRL ID
+#[test]
+fn as_extension_acceptable_responses() {
+    let ext = AcceptableResponses::from(vec![
+        ID_PKIX_OCSP_BASIC,
+        ID_PKIX_OCSP_NONCE,
+        ID_PKIX_OCSP_CRL,
+    ]);
+    let ext = ext.to_extension(&Name::default(), &[]).unwrap();
+    assert_eq!(
+        &ext.to_der().unwrap(),
+        &hex!(
+            "303306092b06010505073001040101ff0423302106092b06010505073001010609\
+             2b060105050730010206092b0601050507300103"
+        )[..]
+    );
+}
+
+//  0:d=0  hl=2 l=  30 cons: SEQUENCE
+//  2:d=1  hl=2 l=   9 prim: OBJECT            :OCSP Archive Cutoff
+// 13:d=1  hl=2 l=  17 prim: OCTET STRING      [HEX DUMP]:180F32303230303130313030303030305A
+// --
+//  0:d=0  hl=2 l=  15 prim: GENERALIZEDTIME   :20200101000000Z
+#[test]
+fn as_extension_archive_cutoff() {
+    let ext = ArchiveCutoff::from(OcspGeneralizedTime::from(
+        DateTime::new(2020, 1, 1, 0, 0, 0).unwrap(),
+    ));
+    let ext = ext.to_extension(&Name::default(), &[]).unwrap();
+    assert_eq!(
+        &ext.to_der().unwrap(),
+        &hex!("301e06092b06010505073001060411180f32303230303130313030303030305a")[..]
+    );
+}
+
+//  0:d=0  hl=2 l= 122 cons: SEQUENCE
+//  2:d=1  hl=2 l=   9 prim: OBJECT            :OCSP Service Locator
+// 13:d=1  hl=2 l= 109 prim: OCTET STRING      [HEX DUMP]:306B3050310B3009060355040613025553310C300\
+//                                                        A060355040A0C036F7267310D300B060355040B0C\
+//                                                        047465737431123010060355040B0C09746573742\
+//                                                        D646565703110300E06035504030C077365727669\
+//                                                        63653017301506082B0601050507300182096C6F6\
+//                                                        3616C686F7374
+// --
+//  0:d=0  hl=2 l= 107 cons: SEQUENCE
+//  2:d=1  hl=2 l=  80 cons: SEQUENCE
+//  4:d=2  hl=2 l=  11 cons: SET
+//  6:d=3  hl=2 l=   9 cons: SEQUENCE
+//  8:d=4  hl=2 l=   3 prim: OBJECT            :countryName
+// 13:d=4  hl=2 l=   2 prim: PRINTABLESTRING   :US
+// 17:d=2  hl=2 l=  12 cons: SET
+// 19:d=3  hl=2 l=  10 cons: SEQUENCE
+// 21:d=4  hl=2 l=   3 prim: OBJECT            :organizationName
+// 26:d=4  hl=2 l=   3 prim: UTF8STRING        :org
+// 31:d=2  hl=2 l=  13 cons: SET
+// 33:d=3  hl=2 l=  11 cons: SEQUENCE
+// 35:d=4  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
+// 40:d=4  hl=2 l=   4 prim: UTF8STRING        :test
+// 46:d=2  hl=2 l=  18 cons: SET
+// 48:d=3  hl=2 l=  16 cons: SEQUENCE
+// 50:d=4  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
+// 55:d=4  hl=2 l=   9 prim: UTF8STRING        :test-deep
+// 66:d=2  hl=2 l=  16 cons: SET
+// 68:d=3  hl=2 l=  14 cons: SEQUENCE
+// 70:d=4  hl=2 l=   3 prim: OBJECT            :commonName
+// 75:d=4  hl=2 l=   7 prim: UTF8STRING        :service
+// 84:d=1  hl=2 l=  23 cons: SEQUENCE
+// 86:d=2  hl=2 l=  21 cons: SEQUENCE
+// 88:d=3  hl=2 l=   8 prim: OBJECT            :OCSP
+// 98:d=3  hl=2 l=   9 prim: cont [ 2 ]
+#[test]
+fn as_extension_service_locator() {
+    let ext = ServiceLocator {
+        issuer: Name::from_str("CN=service,OU=test-deep,OU=test,O=org,C=US").unwrap(),
+        locator: Some(AuthorityInfoAccessSyntax::from(vec![AccessDescription {
+            access_method: ID_AD_OCSP,
+            access_location: GeneralName::DnsName(Ia5String::new("localhost").unwrap()),
+        }])),
+    };
+    let ext = ext.to_extension(&Name::default(), &[]).unwrap();
+    assert_eq!(
+        &ext.to_der().unwrap(),
+        &hex!(
+            "307a06092b0601050507300107046d306b3050310b300906035504061302555331\
+             0c300a060355040a0c036f7267310d300b060355040b0c04746573743112301006\
+             0355040b0c09746573742d646565703110300e06035504030c0773657276696365\
+             3017301506082b0601050507300182096c6f63616c686f7374"
+        )[..]
+    );
+}
+
+//  0:d=0  hl=2 l=  47 cons: SEQUENCE
+//  2:d=1  hl=2 l=   9 prim: OBJECT            :Extended OCSP Status
+// 13:d=1  hl=2 l=  34 prim: OCTET STRING      [HEX DUMP]:3020301E300D06092A864886F70D01010B0500300\
+//                                                        D06092A864886F70D01010B0500
+// --
+//  0:d=0  hl=2 l=  32 cons: SEQUENCE
+//  2:d=1  hl=2 l=  30 cons: SEQUENCE
+//  4:d=2  hl=2 l=  13 cons: SEQUENCE
+//  6:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
+// 17:d=3  hl=2 l=   0 prim: NULL
+// 19:d=2  hl=2 l=  13 cons: SEQUENCE
+// 21:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
+// 32:d=3  hl=2 l=   0 prim: NULL
+#[test]
+fn as_extension_pref_sig_algs() {
+    let ext = PreferredSignatureAlgorithms::from(vec![PreferredSignatureAlgorithm {
+        sig_identifier: AlgorithmIdentifierOwned {
+            oid: ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11"),
+            parameters: Some(Null.into()),
+        },
+        cert_identifier: Some(AlgorithmIdentifierOwned {
+            oid: ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11"),
+            parameters: Some(Null.into()),
+        }),
+    }]);
+    let ext = ext.to_extension(&Name::default(), &[]).unwrap();
+    assert_eq!(
+        &ext.to_der().unwrap(),
+        &hex!(
+            "302f06092b060105050730010804223020301e300d06092a864886f70d01010b05\
+             00300d06092a864886f70d01010b0500"
+        )[..]
+    );
+}
diff --git a/x509-ocsp/tests/ocsp.rs b/x509-ocsp/tests/ocsp.rs
index e61c9f84a..2c74fc2a8 100644
--- a/x509-ocsp/tests/ocsp.rs
+++ b/x509-ocsp/tests/ocsp.rs
@@ -101,6 +101,7 @@ fn decode_ocsp_resp_ca_signed() {
     assert_eq!(
         bor.tbs_response_data
             .produced_at
+            .as_ref()
             .to_unix_duration()
             .as_secs(),
         1643775145
@@ -143,10 +144,17 @@ fn decode_ocsp_resp_ca_signed() {
         }
     }
 
-    assert_eq!(sr.this_update.to_unix_duration().as_secs(), 1643774221);
+    assert_eq!(
+        sr.this_update.as_ref().to_unix_duration().as_secs(),
+        1643774221
+    );
     assert!(sr.next_update.is_some());
     assert_eq!(
-        sr.next_update.unwrap().to_unix_duration().as_secs(),
+        sr.next_update
+            .unwrap()
+            .as_ref()
+            .to_unix_duration()
+            .as_secs(),
         1644376321
     );
 
@@ -246,6 +254,7 @@ fn decode_ocsp_resp_delegated() {
     assert_eq!(
         bor.tbs_response_data
             .produced_at
+            .as_ref()
             .to_unix_duration()
             .as_secs(),
         1643900556
@@ -278,17 +287,27 @@ fn decode_ocsp_resp_delegated() {
         CertStatus::Revoked(ri) => {
             assert!(ri.revocation_reason.is_some());
             assert_eq!(ri.revocation_reason.unwrap(), CrlReason::AffiliationChanged,);
-            assert_eq!(ri.revocation_time.to_unix_duration().as_secs(), 1632934667,);
+            assert_eq!(
+                ri.revocation_time.as_ref().to_unix_duration().as_secs(),
+                1632934667,
+            );
         }
         _ => {
             panic!("Expected Good and got something other")
         }
     }
 
-    assert_eq!(sr.this_update.to_unix_duration().as_secs(), 1643848200);
+    assert_eq!(
+        sr.this_update.as_ref().to_unix_duration().as_secs(),
+        1643848200
+    );
     assert!(sr.next_update.is_some());
     assert_eq!(
-        sr.next_update.unwrap().to_unix_duration().as_secs(),
+        sr.next_update
+            .unwrap()
+            .as_ref()
+            .to_unix_duration()
+            .as_secs(),
         1644456600
     );
 
diff --git a/x509-ocsp/tests/requests.rs b/x509-ocsp/tests/requests.rs
new file mode 100644
index 000000000..aadf8a856
--- /dev/null
+++ b/x509-ocsp/tests/requests.rs
@@ -0,0 +1,444 @@
+//! ocsp request decode tests
+
+use der::{asn1::ObjectIdentifier, Decode, Encode};
+use hex_literal::hex;
+use x509_cert::{ext::Extension, serial_number::SerialNumber};
+use x509_ocsp::{ext::Nonce, *};
+
+const ID_SHA1: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.14.3.2.26");
+const ID_SHA224: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.4");
+const ID_SHA256: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.1");
+const ID_SHA384: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.2");
+const ID_SHA512: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.3");
+const ID_PKIX_OCSP_NONCE: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.2");
+const ID_PKIX_OCSP_SERVICE_LOCATOR: ObjectIdentifier =
+    ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.7");
+const ID_PKIX_OCSP_RESPONSE: ObjectIdentifier =
+    ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.4");
+//const ID_PKIX_OCSP_PREF_SIG_ALGS: ObjectIdentifier =
+//    ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.8");
+const SHA_256_WITH_RSA_ENCRYPTION: ObjectIdentifier =
+    ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11");
+
+fn assert_ocsp_request(ocsp_req: &OcspRequest, req_len: usize) {
+    assert_eq!(ocsp_req.tbs_request.version, Version::V1);
+    assert_eq!(ocsp_req.tbs_request.request_list.len(), req_len);
+}
+
+fn assert_request(
+    req: &Request,
+    expected_hash_oid: ObjectIdentifier,
+    expected_issuer_name_hash: &[u8],
+    expected_issuer_key_hash: &[u8],
+    expected_serial: &SerialNumber,
+) {
+    assert_eq!(req.req_cert.hash_algorithm.oid, expected_hash_oid);
+    assert!(req.req_cert.hash_algorithm.parameters.is_some());
+    assert_eq!(
+        &req.req_cert.issuer_name_hash.as_bytes(),
+        &expected_issuer_name_hash
+    );
+    assert_eq!(
+        &req.req_cert.issuer_key_hash.as_bytes(),
+        &expected_issuer_key_hash
+    );
+    assert_eq!(&req.req_cert.serial_number, expected_serial);
+}
+
+fn assert_extension(
+    ext: &Extension,
+    expected_oid: ObjectIdentifier,
+    expected_critical: bool,
+    data: &[u8],
+) {
+    assert_eq!(ext.extn_id, expected_oid);
+    assert_eq!(ext.critical, expected_critical);
+    assert_eq!(&ext.extn_value.as_bytes(), &data);
+}
+
+#[test]
+fn decode_ocsp_req_sha1_certid() {
+    let data = std::fs::read("tests/examples/sha1-certid-ocsp-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let name_hash = hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74");
+    let key_hash = hex!("5DD72C171C018B2FFA92C3133913689EBD82115C");
+    let serial = SerialNumber::from(0x10001usize);
+    assert_ocsp_request(&ocsp_req, 1);
+    assert!(ocsp_req.optional_signature.is_none());
+    assert_request(
+        &ocsp_req.tbs_request.request_list[0],
+        ID_SHA1,
+        &name_hash[..],
+        &key_hash[..],
+        &serial,
+    );
+}
+
+#[test]
+fn decode_ocsp_req_sha224_certid() {
+    let data = std::fs::read("tests/examples/sha224-certid-ocsp-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let name_hash = hex!("3D1F07D457D6634B0F2501C71ADB1DE5C41C515207F4206A5ACDA560");
+    let key_hash = hex!("2962CA2A9DE7A3A75A96EAC2031F50684DF5B50F5E6635DECBD74DA3");
+    let serial = SerialNumber::from(0x10001usize);
+    assert_ocsp_request(&ocsp_req, 1);
+    assert!(ocsp_req.optional_signature.is_none());
+    assert_request(
+        &ocsp_req.tbs_request.request_list[0],
+        ID_SHA224,
+        &name_hash[..],
+        &key_hash[..],
+        &serial,
+    );
+}
+
+#[test]
+fn decode_ocsp_req_sha256_certid() {
+    let data = std::fs::read("tests/examples/sha256-certid-ocsp-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let name_hash = hex!("056078AE157D9BB53154B1ABEBD26057D624FDDD9F09AE63814E90A365F444C5");
+    let key_hash = hex!("15C37A883122D2FB6DBFA83E3CBD93E9EEF8125E3FD785724BC42D9D6FBA39B7");
+    let serial = SerialNumber::from(0x10001usize);
+    assert_ocsp_request(&ocsp_req, 1);
+    assert!(ocsp_req.optional_signature.is_none());
+    assert_request(
+        &ocsp_req.tbs_request.request_list[0],
+        ID_SHA256,
+        &name_hash[..],
+        &key_hash[..],
+        &serial,
+    );
+}
+
+#[test]
+fn decode_ocsp_req_sha384_certid() {
+    let data = std::fs::read("tests/examples/sha384-certid-ocsp-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let name_hash = hex!(
+        "97EFAF937F262E72C9C8FFFB55FDBC9FBB7EA353CD837CE01AF6F0D489AB\
+         4EC9AE4AD7248410268C23F9C0FF5161BB28"
+    );
+    let key_hash = hex!(
+        "F54E78323C7201B9C799040AF35FE3BC1492DA6B0EFD799C80BA45A611CD\
+         C129F6A79067ACF14B83340FE122CF2305FE"
+    );
+    let serial = SerialNumber::from(0x10001usize);
+    assert_ocsp_request(&ocsp_req, 1);
+    assert!(ocsp_req.optional_signature.is_none());
+    assert_request(
+        &ocsp_req.tbs_request.request_list[0],
+        ID_SHA384,
+        &name_hash[..],
+        &key_hash[..],
+        &serial,
+    );
+}
+
+#[test]
+fn decode_ocsp_req_sha512_certid() {
+    let data = std::fs::read("tests/examples/sha512-certid-ocsp-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let name_hash = hex!(
+        "6AE6D566832B216D55BF3F8CCBBBD662E4D798D7E5FC64CEE6CB35DF60EE\
+         1181305CB2747626560AFABD29B781A9A4631B0DFA1A05727323B3B81EEB\
+         54E57981"
+    );
+    let key_hash = hex!(
+        "FEAC2688D16143E11050AEF3CDFAE4E4E21DF08F40A9FA3F5D80903B8394\
+         50EE29620263B12AB92F3E840458A4871119B6757D337CEDB9044B8A5F72\
+         39615E06"
+    );
+    let serial = SerialNumber::from(0x10001usize);
+    assert_ocsp_request(&ocsp_req, 1);
+    assert!(ocsp_req.optional_signature.is_none());
+    assert_request(
+        &ocsp_req.tbs_request.request_list[0],
+        ID_SHA512,
+        &name_hash[..],
+        &key_hash[..],
+        &serial,
+    );
+}
+
+#[test]
+fn decode_ocsp_req_multiple_extensions() {
+    let data = std::fs::read("tests/examples/ocsp-multiple-exts-clean-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let name_hash = hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74");
+    let key_hash = hex!("5DD72C171C018B2FFA92C3133913689EBD82115C");
+    let serial = SerialNumber::from(0x10001usize);
+    let nonce_ext = hex!("0420BB42AE6BEBD2B6E455CA02BC853452635F08863EFFAF25E182905E7FFF1FB40A");
+    let nonce = Nonce::new(hex!(
+        "BB42AE6BEBD2B6E455CA02BC853452635F08863EFFAF25E182905E7FFF1FB40A"
+    ))
+    .unwrap();
+    let response_ext = hex!("300B06092B0601050507300101");
+    let srv_loc_ext = hex!(
+        "3051301D311B3019060355040313127273612D323034382D736861323536\
+         2D63613030301006082B0601050507300187047F000001301C06082B0601\
+         0505073001871000000000000000000000000000000001"
+    );
+
+    // Assert OcspRequest and RequestExtensions
+    assert_ocsp_request(&ocsp_req, 1);
+    assert!(ocsp_req.optional_signature.is_none());
+    assert!(ocsp_req.tbs_request.request_extensions.is_some());
+    let req_exts = ocsp_req.tbs_request.request_extensions.as_ref().unwrap();
+    assert_eq!(req_exts.len(), 2);
+    assert_extension(&req_exts[0], ID_PKIX_OCSP_NONCE, false, &nonce_ext[..]);
+    assert_eq!(ocsp_req.nonce(), Some(nonce));
+    assert_extension(&req_exts[1], ID_PKIX_OCSP_RESPONSE, true, &response_ext[..]);
+
+    // Assert Request and SingleRequestExtensions
+    let req = &ocsp_req.tbs_request.request_list[0];
+    assert_request(req, ID_SHA1, &name_hash[..], &key_hash[..], &serial);
+    assert!(req.single_request_extensions.is_some());
+    let single_req_exts = req.single_request_extensions.as_ref().unwrap();
+    assert_eq!(single_req_exts.len(), 1);
+    assert_extension(
+        &single_req_exts[0],
+        ID_PKIX_OCSP_SERVICE_LOCATOR,
+        false,
+        &srv_loc_ext[..],
+    );
+}
+
+#[test]
+fn decode_ocsp_req_multiple_requests() {
+    let data = std::fs::read("tests/examples/ocsp-multiple-requests-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let sha1_name_hash = hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74");
+    let sha1_key_hash = hex!("5DD72C171C018B2FFA92C3133913689EBD82115C");
+    let sha224_name_hash = hex!("3D1F07D457D6634B0F2501C71ADB1DE5C41C515207F4206A5ACDA560");
+    let sha224_key_hash = hex!("2962CA2A9DE7A3A75A96EAC2031F50684DF5B50F5E6635DECBD74DA3");
+    let sha256_name_hash = hex!("056078AE157D9BB53154B1ABEBD26057D624FDDD9F09AE63814E90A365F444C5");
+    let sha256_key_hash = hex!("15C37A883122D2FB6DBFA83E3CBD93E9EEF8125E3FD785724BC42D9D6FBA39B7");
+    let sha384_name_hash = hex!(
+        "97EFAF937F262E72C9C8FFFB55FDBC9FBB7EA353CD837CE01AF6F0D489AB\
+         4EC9AE4AD7248410268C23F9C0FF5161BB28"
+    );
+    let sha384_key_hash = hex!(
+        "F54E78323C7201B9C799040AF35FE3BC1492DA6B0EFD799C80BA45A611CD\
+         C129F6A79067ACF14B83340FE122CF2305FE"
+    );
+    let sha512_name_hash = hex!(
+        "6AE6D566832B216D55BF3F8CCBBBD662E4D798D7E5FC64CEE6CB35DF60EE\
+         1181305CB2747626560AFABD29B781A9A4631B0DFA1A05727323B3B81EEB\
+         54E57981"
+    );
+    let sha512_key_hash = hex!(
+        "FEAC2688D16143E11050AEF3CDFAE4E4E21DF08F40A9FA3F5D80903B8394\
+         50EE29620263B12AB92F3E840458A4871119B6757D337CEDB9044B8A5F72\
+         39615E06"
+    );
+    assert_ocsp_request(&ocsp_req, 8);
+    assert!(ocsp_req.optional_signature.is_none());
+    let req_list = &ocsp_req.tbs_request.request_list;
+    assert_request(
+        &req_list[0],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[1],
+        ID_SHA224,
+        &sha224_name_hash[..],
+        &sha224_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[2],
+        ID_SHA256,
+        &sha256_name_hash[..],
+        &sha256_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[3],
+        ID_SHA384,
+        &sha384_name_hash[..],
+        &sha384_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[4],
+        ID_SHA512,
+        &sha512_name_hash[..],
+        &sha512_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[5],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0x5usize),
+    );
+    assert_request(
+        &req_list[6],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0x16usize),
+    );
+    assert_request(
+        &req_list[7],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0xFFFFFFFFusize),
+    );
+}
+
+#[test]
+fn decode_ocsp_req_multiple_requests_nonce() {
+    let data = std::fs::read("tests/examples/ocsp-multiple-requests-nonce-req.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let sha1_name_hash = hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74");
+    let sha1_key_hash = hex!("5DD72C171C018B2FFA92C3133913689EBD82115C");
+    let sha224_name_hash = hex!("3D1F07D457D6634B0F2501C71ADB1DE5C41C515207F4206A5ACDA560");
+    let sha224_key_hash = hex!("2962CA2A9DE7A3A75A96EAC2031F50684DF5B50F5E6635DECBD74DA3");
+    let sha256_name_hash = hex!("056078AE157D9BB53154B1ABEBD26057D624FDDD9F09AE63814E90A365F444C5");
+    let sha256_key_hash = hex!("15C37A883122D2FB6DBFA83E3CBD93E9EEF8125E3FD785724BC42D9D6FBA39B7");
+    let sha384_name_hash = hex!(
+        "97EFAF937F262E72C9C8FFFB55FDBC9FBB7EA353CD837CE01AF6F0D489AB\
+         4EC9AE4AD7248410268C23F9C0FF5161BB28"
+    );
+    let sha384_key_hash = hex!(
+        "F54E78323C7201B9C799040AF35FE3BC1492DA6B0EFD799C80BA45A611CD\
+         C129F6A79067ACF14B83340FE122CF2305FE"
+    );
+    let sha512_name_hash = hex!(
+        "6AE6D566832B216D55BF3F8CCBBBD662E4D798D7E5FC64CEE6CB35DF60EE\
+         1181305CB2747626560AFABD29B781A9A4631B0DFA1A05727323B3B81EEB\
+         54E57981"
+    );
+    let sha512_key_hash = hex!(
+        "FEAC2688D16143E11050AEF3CDFAE4E4E21DF08F40A9FA3F5D80903B8394\
+         50EE29620263B12AB92F3E840458A4871119B6757D337CEDB9044B8A5F72\
+         39615E06"
+    );
+    let nonce_ext = hex!("042027E51B16C355C29C18B686987041A1D972C4C17AE1F6250FCDEA5FCD7AE81677");
+    let nonce = Nonce::new(hex!(
+        "27E51B16C355C29C18B686987041A1D972C4C17AE1F6250FCDEA5FCD7AE81677"
+    ))
+    .unwrap();
+
+    assert_ocsp_request(&ocsp_req, 8);
+    assert!(ocsp_req.optional_signature.is_none());
+    assert!(ocsp_req.nonce().is_some());
+    assert!(ocsp_req.tbs_request.request_extensions.is_some());
+    let req_exts = ocsp_req.tbs_request.request_extensions.as_ref().unwrap();
+    assert_eq!(req_exts.len(), 1);
+    assert_extension(&req_exts[0], ID_PKIX_OCSP_NONCE, false, &nonce_ext[..]);
+    assert_eq!(ocsp_req.nonce(), Some(nonce));
+
+    let req_list = &ocsp_req.tbs_request.request_list;
+    assert_request(
+        &req_list[0],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[1],
+        ID_SHA224,
+        &sha224_name_hash[..],
+        &sha224_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[2],
+        ID_SHA256,
+        &sha256_name_hash[..],
+        &sha256_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[3],
+        ID_SHA384,
+        &sha384_name_hash[..],
+        &sha384_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[4],
+        ID_SHA512,
+        &sha512_name_hash[..],
+        &sha512_key_hash[..],
+        &SerialNumber::from(0x10001usize),
+    );
+    assert_request(
+        &req_list[5],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0x5usize),
+    );
+    assert_request(
+        &req_list[6],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0x16usize),
+    );
+    assert_request(
+        &req_list[7],
+        ID_SHA1,
+        &sha1_name_hash[..],
+        &sha1_key_hash[..],
+        &SerialNumber::from(0xFFFFFFFFusize),
+    );
+}
+
+#[test]
+fn decode_ocsp_req_signed() {
+    let data = std::fs::read("tests/examples/ocsp-signed-req.der").unwrap();
+    let cert_data = std::fs::read("tests/examples/rsa-2048-sha256-crt.der").unwrap();
+    let ocsp_req = OcspRequest::from_der(&data[..]).unwrap();
+    let name_hash = hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74");
+    let key_hash = hex!("5DD72C171C018B2FFA92C3133913689EBD82115C");
+    let serial = SerialNumber::from(0x10001usize);
+    let signature = hex!(
+        "1e0dfaf5e27978260b302ac79b1a038b328c\
+         0bb518b3610af97813f7796660129e71a3aa\
+         35703bddd5bdee3876d3a138fe78b514a45d\
+         37168b992a6aafb286cc9ec653fd347cd69d\
+         f41a065bb258791634991b7d868dfe25a621\
+         bd0db54117437f270ed427c9cf00b5cd6211\
+         0372ff31aa62831f838da8f3017240e8aaa0\
+         08abbde6668974d2161b67f1bc75474590d8\
+         f0cd371f694604303b2eb936c4c416ac990e\
+         8ca9cfcaa3660c7307d666e71c57ea4e24f6\
+         175180572f787bab9a529d8babeae3165cb6\
+         fa080d62135c2de081359d7a40715e155f64\
+         07649742066ea2142c12d0abb72c8e3e0105\
+         582b6282e15c25989410df55912a3cb280c1\
+         e48d1ae9"
+    );
+    assert_ocsp_request(&ocsp_req, 1);
+    assert_request(
+        &ocsp_req.tbs_request.request_list[0],
+        ID_SHA1,
+        &name_hash[..],
+        &key_hash[..],
+        &serial,
+    );
+    match &ocsp_req.optional_signature {
+        Some(sig) => {
+            assert_eq!(sig.signature_algorithm.oid, SHA_256_WITH_RSA_ENCRYPTION);
+            assert_eq!(sig.signature.as_bytes().unwrap(), signature);
+            match &sig.certs {
+                Some(certs) => {
+                    assert_eq!(certs.len(), 1);
+                    assert_eq!(certs[0].to_der().unwrap(), cert_data);
+                }
+                None => panic!("no signing certificate"),
+            }
+        }
+        None => panic!("no signature"),
+    }
+}
diff --git a/x509-ocsp/tests/responses.rs b/x509-ocsp/tests/responses.rs
new file mode 100644
index 000000000..fa520f542
--- /dev/null
+++ b/x509-ocsp/tests/responses.rs
@@ -0,0 +1,568 @@
+//! ocsp response decode tests
+
+use der::{
+    asn1::{Null, ObjectIdentifier, OctetString},
+    DateTime, Decode, Encode,
+};
+use hex_literal::hex;
+use lazy_static::lazy_static;
+use spki::AlgorithmIdentifierOwned;
+use x509_cert::{
+    ext::{pkix::CrlReason, Extension},
+    name::Name,
+    serial_number::SerialNumber,
+};
+use x509_ocsp::{ext::Nonce, *};
+
+const ID_PKIX_OCSP_BASIC: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.1");
+const ID_SHA1: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.14.3.2.26");
+const ID_SHA256: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.1");
+const ID_SHA512: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.3");
+const ID_PKIX_OCSP_NONCE: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.2");
+const ID_PKIX_OCSP_CRL: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.3");
+const ID_PKIX_OCSP_ARCHIVE_CUTOFF: ObjectIdentifier =
+    ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.48.1.6");
+const SHA_256_WITH_RSA_ENCRYPTION: ObjectIdentifier =
+    ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11");
+
+lazy_static! {
+    // PrintableString: CN = rsa-2048-sha256-ocsp-crt
+    static ref RESPONDER_ID: ResponderId = ResponderId::ByName(
+        Name::from_der(
+            &hex!("30233121301f060355040313187273612d323034382d7368613235362d6f6373702d637274")[..]
+        )
+        .unwrap()
+    );
+
+    // Time used almost everywhere in these tests
+    static ref TIME: OcspGeneralizedTime = OcspGeneralizedTime::from(
+        DateTime::new(2020, 1, 1, 0, 0, 0).unwrap()
+    );
+}
+
+fn assert_ocsp_response(ocsp_res: &OcspResponse) -> BasicOcspResponse {
+    assert_eq!(ocsp_res.response_status, OcspResponseStatus::Successful);
+    let res = ocsp_res.response_bytes.as_ref().unwrap();
+    assert_eq!(res.response_type, ID_PKIX_OCSP_BASIC);
+    BasicOcspResponse::from_der(res.response.as_bytes()).unwrap()
+}
+
+fn assert_signature(
+    res: &BasicOcspResponse,
+    expected_alg_oid: ObjectIdentifier,
+    expected_sig: &[u8],
+    expected_cert: Option<&[u8]>,
+) {
+    assert_eq!(res.signature_algorithm.oid, expected_alg_oid);
+    assert_eq!(res.signature.as_bytes().unwrap(), expected_sig);
+    match expected_cert {
+        Some(c) => {
+            let certs = res.certs.as_ref().unwrap();
+            assert_eq!(certs[0].to_der().unwrap(), c);
+        }
+        None => assert!(res.certs.as_ref().is_none()),
+    }
+}
+
+fn assert_basic_response<'a>(
+    res: &'a BasicOcspResponse,
+    expected_id: &ResponderId,
+    expected_time: &OcspGeneralizedTime,
+    expected_certid: &CertId,
+) -> &'a SingleResponse {
+    let data = &res.tbs_response_data;
+    assert_eq!(data.version, Version::V1);
+    assert_eq!(&data.responder_id, expected_id);
+    assert_eq!(&data.produced_at, expected_time);
+    let mut filter = data
+        .responses
+        .iter()
+        .filter(|r| &r.cert_id == expected_certid);
+    match filter.next() {
+        None => panic!("CertId not found"),
+        Some(res) => res,
+    }
+}
+
+fn assert_single_response(
+    single_res: &SingleResponse,
+    expected_status: CertStatus,
+    expected_this_update: &OcspGeneralizedTime,
+    expected_next_update: Option<&OcspGeneralizedTime>,
+) {
+    assert_eq!(single_res.cert_status, expected_status);
+    assert_eq!(single_res.this_update, *expected_this_update);
+    assert_eq!(single_res.next_update, expected_next_update.copied());
+}
+
+fn assert_extension(
+    ext: &Extension,
+    expected_oid: ObjectIdentifier,
+    expected_critical: bool,
+    data: &[u8],
+) {
+    assert_eq!(ext.extn_id, expected_oid);
+    assert_eq!(ext.critical, expected_critical);
+    assert_eq!(&ext.extn_value.as_bytes(), &data);
+}
+
+#[test]
+fn decode_ocsp_resp_malformed_request() {
+    let data = std::fs::read("tests/examples/ocsp-malformed.der").unwrap();
+    let ocsp_res = OcspResponse::from_der(&data[..]).unwrap();
+    assert_eq!(
+        ocsp_res.response_status,
+        OcspResponseStatus::MalformedRequest
+    );
+}
+
+#[test]
+fn decode_ocsp_resp_internal_error() {
+    let data = std::fs::read("tests/examples/ocsp-internal-error.der").unwrap();
+    let ocsp_res = OcspResponse::from_der(&data[..]).unwrap();
+    assert_eq!(ocsp_res.response_status, OcspResponseStatus::InternalError);
+}
+
+#[test]
+fn decode_ocsp_resp_try_later() {
+    let data = std::fs::read("tests/examples/ocsp-try-later.der").unwrap();
+    let ocsp_res = OcspResponse::from_der(&data[..]).unwrap();
+    assert_eq!(ocsp_res.response_status, OcspResponseStatus::TryLater);
+}
+
+#[test]
+fn decode_ocsp_resp_sig_required() {
+    let data = std::fs::read("tests/examples/ocsp-sig-required.der").unwrap();
+    let ocsp_res = OcspResponse::from_der(&data[..]).unwrap();
+    assert_eq!(ocsp_res.response_status, OcspResponseStatus::SigRequired);
+}
+
+#[test]
+fn decode_ocsp_resp_unauthorized() {
+    let data = std::fs::read("tests/examples/ocsp-unauthorized.der").unwrap();
+    let ocsp_res = OcspResponse::from_der(&data[..]).unwrap();
+    assert_eq!(ocsp_res.response_status, OcspResponseStatus::Unauthorized);
+}
+
+#[test]
+fn decode_ocsp_resp_sha1_certid() {
+    let ca = std::fs::read("tests/examples/rsa-2048-sha256-ca.der").unwrap();
+    let data = std::fs::read("tests/examples/sha1-certid-ocsp-res.der").unwrap();
+    let signature = hex!(
+        "2280f3fd0b2643b4e27f86b599fd29745d51\
+        4dcea239646ac1d0522075309fec4e148a51\
+        49f19c018c886e707ec9f15161396ad0692e\
+        568e5c3ae678433b03c89b549c1b22a8d8d9\
+        c348891b07d46c068217d22e53c61f5671b2\
+        2d657b847fc2bc151dd8c816eb7da30dbfc6\
+        fb3f17d3da81e651cb080cf627346a8edb06\
+        7f36eaf2d677e8d404a22d889220072289fe\
+        f325df925cd11b7f0fe41a09b92762694c87\
+        dd733e154d545113acc283532ec0181d1007\
+        313a9700b1e093be774ac1cb6f0c5aa97065\
+        fdff5b682d790f10edfaa8e82d26a913e1de\
+        268d5a6f28a3b233a0e0bd51115edbfac6f2\
+        c4c8d9298f21ec4224ec49d447984b5fe994\
+        461bf3b3"
+    );
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert_signature(&res, SHA_256_WITH_RSA_ENCRYPTION, &signature[..], Some(&ca));
+    assert!(res.nonce().is_none());
+    let certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA1,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(&hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74")[..])
+            .unwrap(),
+        issuer_key_hash: OctetString::new(&hex!("5DD72C171C018B2FFA92C3133913689EBD82115C")[..])
+            .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+}
+
+#[test]
+fn decode_ocsp_resp_sha256_certid() {
+    let ca = std::fs::read("tests/examples/rsa-2048-sha256-ca.der").unwrap();
+    let data = std::fs::read("tests/examples/sha256-certid-ocsp-res.der").unwrap();
+    let signature = hex!(
+        "7a19ff540d4841492711b8b0620cf5b7c8eb\
+         1061184d8ee0906b3314efd24aebe67e49ae\
+         9e461ec9b76d8373477147af3bf6e8c85de5\
+         37f8eb582d9f2d8c5505731b9e83cceddf30\
+         9d14db97e7a0a583db72669e30ecadb3d463\
+         3f563097aae3c120ca51b28d61107983f172\
+         c985ac1f0ce95428c06b0764426ce087fdce\
+         bee739e254a90a9e105f073772c038846192\
+         d4508e4cf2bc2e5f0a511b8c76345ac13493\
+         0432577f629d8aa52171891e1f266aa1ef40\
+         cd581eadc193cafdd9cc90169602aac170b8\
+         318c781becba059c7ef54450a57ccdd3c6e1\
+         cea13e13d58dbea3e4a1aa809a4dbfe0fd08\
+         32905e256ba537198c3768f34fff29163d64\
+         34be02c2"
+    );
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert!(res.nonce().is_none());
+    assert_signature(&res, SHA_256_WITH_RSA_ENCRYPTION, &signature[..], Some(&ca));
+    let certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA256,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(
+            &hex!("056078AE157D9BB53154B1ABEBD26057D624FDDD9F09AE63814E90A365F444C5")[..],
+        )
+        .unwrap(),
+        issuer_key_hash: OctetString::new(
+            &hex!("15C37A883122D2FB6DBFA83E3CBD93E9EEF8125E3FD785724BC42D9D6FBA39B7")[..],
+        )
+        .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+}
+
+#[test]
+fn decode_ocsp_resp_sha512_certid() {
+    let ca = std::fs::read("tests/examples/rsa-2048-sha256-ca.der").unwrap();
+    let data = std::fs::read("tests/examples/sha512-certid-ocsp-res.der").unwrap();
+    let signature = hex!(
+        "20f1484b2b42e07c8d298e85b6f5ba4d7e7b\
+         1e04e2004cdbefe3ff73fa36d82b66d2e078\
+         e6bd6fe4cd029b69955f4f41e9e37af70176\
+         0126d5475ad5d783ff6aa91c8fe52d1c0445\
+         08389d881cb0f7888c3f7bebd86a0a93f3ad\
+         ec7be0ab351f95ec17b3653a425dd4e83c29\
+         4d625c1dc7aecd3014e9149e421a800ae5d2\
+         bb0333eb6f8dc09e4f495ee469da964df56a\
+         919e6feeb7c4facdd66fa797f4192b85bcbf\
+         3bcd091dba45020898a95fb72622d53cc2df\
+         c195ec5362b9c6d5006541c2559e31e47196\
+         82c13081c24603ff2c112efe441f302b61b0\
+         047fe3e7746fb781ab46562df53553ab9fd2\
+         4b0e67a427906815c15c4592e32d631d3d5d\
+         90a51ed4"
+    );
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert!(res.nonce().is_none());
+    assert_signature(&res, SHA_256_WITH_RSA_ENCRYPTION, &signature[..], Some(&ca));
+    let certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA512,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(
+            &hex!(
+                "6AE6D566832B216D55BF3F8CCBBBD662E4D798D7E5FC64CEE6CB35DF60EE1181305CB2\
+                 747626560AFABD29B781A9A4631B0DFA1A05727323B3B81EEB54E57981"
+            )[..],
+        )
+        .unwrap(),
+        issuer_key_hash: OctetString::new(
+            &hex!(
+                "FEAC2688D16143E11050AEF3CDFAE4E4E21DF08F40A9FA3F5D80903B839450EE296202\
+                 63B12AB92F3E840458A4871119B6757D337CEDB9044B8A5F7239615E06"
+            )[..],
+        )
+        .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+}
+
+#[test]
+fn decode_ocsp_resp_multiple_extensions() {
+    let ca = std::fs::read("tests/examples/rsa-2048-sha256-ca.der").unwrap();
+    let data = std::fs::read("tests/examples/ocsp-multiple-exts-res.der").unwrap();
+    let signature = hex!(
+        "731ee6703f4bc779f5dcf7c87811fd560cbf\
+         e9a011f718316bd5fe7693fad1c7acb3e358\
+         12fbfda6712b7a4f180178d2debf6b7b6f6e\
+         0f0020e1e77a89ca301504790b88597d00cd\
+         4cbfabfa69d7023fbb5c4fa0050d58bd49bd\
+         7581d1c921ed0e1b7d2385463396df5caa63\
+         134f7ba9c120486852cf184d03605aa5a124\
+         a97edd2128214cf768b96b2478a2ecbfe3a2\
+         3d3758176a54bd1ee73bbc17d522953b2198\
+         5ad4bd1a40e6459f202f5edf4472262f6ba5\
+         6296985663fa3c0a5fe123a13d30e15d7803\
+         a83c619abf75d973282092dca24a16435169\
+         c667089914ab3bb2260e2278128ee8952fad\
+         c5da0cf5e0b58351c39b3d53c260dc0a384b\
+         bee7deb3"
+    );
+    let nonce_ext = hex!("04201F27F8C9CD8D154DAAEF021D5AAD6EAD7FE0637D044198E3F39291204924CEF8");
+    let nonce = Nonce::new(hex!(
+        "1F27F8C9CD8D154DAAEF021D5AAD6EAD7FE0637D044198E3F39291204924CEF8"
+    ))
+    .unwrap();
+    let archive_cutoff_ext = hex!("180F32303230303130313030303030305A");
+    let crl_refs_ext = hex!(
+        "3030A0161614687474703A2F2F3132372E302E302E312F63726CA103020101A2\
+         11180F32303230303130313030303030305A"
+    );
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert_signature(&res, SHA_256_WITH_RSA_ENCRYPTION, &signature[..], Some(&ca));
+    assert!(res.tbs_response_data.response_extensions.as_ref().is_some());
+    assert_extension(
+        &res.tbs_response_data.response_extensions.as_ref().unwrap()[0],
+        ID_PKIX_OCSP_NONCE,
+        false,
+        &nonce_ext[..],
+    );
+    assert_eq!(res.nonce(), Some(nonce));
+    let certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA1,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(&hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74")[..])
+            .unwrap(),
+        issuer_key_hash: OctetString::new(&hex!("5DD72C171C018B2FFA92C3133913689EBD82115C")[..])
+            .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+    assert!(single.single_extensions.as_ref().is_some());
+    assert_extension(
+        &single.single_extensions.as_ref().unwrap()[0],
+        ID_PKIX_OCSP_ARCHIVE_CUTOFF,
+        false,
+        &archive_cutoff_ext[..],
+    );
+    assert_extension(
+        &single.single_extensions.as_ref().unwrap()[1],
+        ID_PKIX_OCSP_CRL,
+        false,
+        &crl_refs_ext[..],
+    );
+}
+
+#[test]
+fn decode_ocsp_resp_dtm_no_chain() {
+    let data = std::fs::read("tests/examples/ocsp-dtm-no-chain-res.der").unwrap();
+    let signature = hex!(
+        "4eafb923580b110aa9ae6719fbe701cdbed3\
+         5a03afe85bb24346df334f22c549f8e7bfe6\
+         cebf690c98354206d00ad2bfac0a2cb2197c\
+         04098919d32e2db9bb1c6e4f2a6a5a428228\
+         4f86e48f2eb98bdc8f4d769bfce2ff1cd25b\
+         c385009b076a43d58b1e5f52beee7667f89c\
+         fad6ce054eccfaeaa7587391c158bfe85482\
+         ca42f4cc18879990e131a2352bddd622d0cc\
+         4907446079a5bff479bf6d9501a0d355e494\
+         9e839d1dbcfa4eb538fcd05eb9d653731079\
+         376ae1c24c792c2545e3e8f2e0ca096e1a1a\
+         d29f4c53b2a85a2f1e0cdf40c360f8df6b5f\
+         d54b968effd6b773077402c0d6d8bb4a35d7\
+         a91257d1fad2c03fd16b41cce83ca403eb55\
+         c8aa2f99"
+    );
+    let nonce_ext = hex!("04201F27F8C9CD8D154DAAEF021D5AAD6EAD7FE0637D044198E3F39291204924CEF8");
+    let nonce = Nonce::new(hex!(
+        "1F27F8C9CD8D154DAAEF021D5AAD6EAD7FE0637D044198E3F39291204924CEF8"
+    ))
+    .unwrap();
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert_signature(&res, SHA_256_WITH_RSA_ENCRYPTION, &signature[..], None);
+    assert!(res.tbs_response_data.response_extensions.as_ref().is_some());
+    assert_extension(
+        &res.tbs_response_data.response_extensions.as_ref().unwrap()[0],
+        ID_PKIX_OCSP_NONCE,
+        false,
+        &nonce_ext[..],
+    );
+    assert_eq!(res.nonce(), Some(nonce));
+    let certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA1,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(&hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74")[..])
+            .unwrap(),
+        issuer_key_hash: OctetString::new(&hex!("5DD72C171C018B2FFA92C3133913689EBD82115C")[..])
+            .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+}
+
+#[test]
+fn decode_ocsp_resp_dtm_by_key() {
+    let data = std::fs::read("tests/examples/ocsp-by-key-res.der").unwrap();
+    let signature = hex!(
+        "7d5eff1e869e1a52b087eae00bc8ac5d1091\
+         f5b5a97e0c449903bb86037fd52d30480795\
+         3f4e9ad021e151378b6333f8b95596b8be2a\
+         fbf8c04df7098b025ac45d7358f9f4aa18e7\
+         aad241ce54daebc5e6f259f50f77da379ae4\
+         90db040931cc80cd4cc011ca57a62b058835\
+         52bbec10e2e4486f397972f4e558d2246b57\
+         2ee342adfedbd2f56971701103e77a5463dd\
+         d69c69a762fc3cfe702ad08f01c21c9fc97b\
+         4f68fbe0176e6516bb74b7d474675d1f529e\
+         2326ec2a7fb507d129c18e1e8b64f5a28527\
+         359253d4764bd800e1f194b6606134286d8a\
+         b2c81ada98670451d0dedf2d31472d8e8a8c\
+         db80b0fd889ab575a0fb123debd7eeddcbb2\
+         abd45a5e"
+    );
+    let responder_id = ResponderId::ByKey(
+        OctetString::new(&hex!("F4A810E6EA0984AF7636128A40284379986A4735")[..]).unwrap(),
+    );
+    let nonce_ext = hex!("04201F27F8C9CD8D154DAAEF021D5AAD6EAD7FE0637D044198E3F39291204924CEF8");
+    let nonce = Nonce::new(hex!(
+        "1F27F8C9CD8D154DAAEF021D5AAD6EAD7FE0637D044198E3F39291204924CEF8"
+    ))
+    .unwrap();
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert_signature(&res, SHA_256_WITH_RSA_ENCRYPTION, &signature[..], None);
+    assert!(res.tbs_response_data.response_extensions.as_ref().is_some());
+    assert_extension(
+        &res.tbs_response_data.response_extensions.as_ref().unwrap()[0],
+        ID_PKIX_OCSP_NONCE,
+        false,
+        &nonce_ext[..],
+    );
+    assert_eq!(res.nonce(), Some(nonce));
+    let certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA1,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(&hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74")[..])
+            .unwrap(),
+        issuer_key_hash: OctetString::new(&hex!("5DD72C171C018B2FFA92C3133913689EBD82115C")[..])
+            .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let single = assert_basic_response(&res, &responder_id, &TIME, &certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+}
+
+#[test]
+fn decode_ocsp_resp_multiple_responses() {
+    let ca = std::fs::read("tests/examples/rsa-2048-sha256-ca.der").unwrap();
+    let data = std::fs::read("tests/examples/ocsp-multiple-responses-res.der").unwrap();
+    let signature = hex!(
+        "acc2a7bf355dd81629c227a2c1f07f2b5d34\
+         1d9a5db782a9ab5cb3fe654a05ba47d25c43\
+         8cc0b7d4f430460788574ecb3ba400f58679\
+         829d915bd515e63c98f63b8213e073dbd110\
+         2053ef21f65bb4fa024956142df9d0f9d5f5\
+         7372a94507499a52702deaf6dc225d2825f7\
+         3386f5eec4703db10c61d6647b91e88636b4\
+         1e8e57454d50a9f98661a8eaee9b13352b51\
+         226e4c1eb6521ceb8525eaa5c8a0226a55d4\
+         3cbe595dc09aa905625973d343c922037ee5\
+         543d3fe749bc8f581389fc2bc375233b7525\
+         919b3a685cff45d62dbbca3ea9abdf026d39\
+         775c0d4e977dc4fd43fea57f0c15ef13088a\
+         076ba6645b6837113cc2a8412ca4c85e4a20\
+         b21f5f64"
+    );
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert!(res.nonce().is_none());
+    assert_signature(&res, SHA_256_WITH_RSA_ENCRYPTION, &signature[..], Some(&ca));
+    let sha1_certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA1,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(&hex!("94D418C85D800AF31266F13D3D8CD8CD6AA5BB74")[..])
+            .unwrap(),
+        issuer_key_hash: OctetString::new(&hex!("5DD72C171C018B2FFA92C3133913689EBD82115C")[..])
+            .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let sha256_certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA256,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(
+            &hex!("056078AE157D9BB53154B1ABEBD26057D624FDDD9F09AE63814E90A365F444C5")[..],
+        )
+        .unwrap(),
+        issuer_key_hash: OctetString::new(
+            &hex!("15C37A883122D2FB6DBFA83E3CBD93E9EEF8125E3FD785724BC42D9D6FBA39B7")[..],
+        )
+        .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let sha512_certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA512,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(
+            &hex!(
+                "6AE6D566832B216D55BF3F8CCBBBD662E4D798D7E5FC64CEE6CB35DF60EE1181305CB2\
+                 747626560AFABD29B781A9A4631B0DFA1A05727323B3B81EEB54E57981"
+            )[..],
+        )
+        .unwrap(),
+        issuer_key_hash: OctetString::new(
+            &hex!(
+                "FEAC2688D16143E11050AEF3CDFAE4E4E21DF08F40A9FA3F5D80903B839450EE296202\
+                 63B12AB92F3E840458A4871119B6757D337CEDB9044B8A5F7239615E06"
+            )[..],
+        )
+        .unwrap(),
+        serial_number: SerialNumber::from(0x10001usize),
+    };
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &sha1_certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &sha256_certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+    let single = assert_basic_response(&res, &RESPONDER_ID, &TIME, &sha512_certid);
+    assert_single_response(single, CertStatus::Good(Null), &TIME, Some(&TIME));
+}
+
+#[test]
+fn decode_ocsp_resp_revoked_response() {
+    let data = std::fs::read("tests/examples/DODEMAILCA_63-resp.der").unwrap();
+    let res = OcspResponse::from_der(&data[..]).unwrap();
+    let res = assert_ocsp_response(&res);
+    assert!(res.nonce().is_none());
+    let certid = CertId {
+        hash_algorithm: AlgorithmIdentifierOwned {
+            oid: ID_SHA1,
+            parameters: Some(Null.into()),
+        },
+        issuer_name_hash: OctetString::new(&hex!("190A0E6D0DB33F82244A595BFA8AC04C163AAD28")[..])
+            .unwrap(),
+        issuer_key_hash: OctetString::new(&hex!("4D31AD51D64E577E67693325037EC629A5DDBAF3")[..])
+            .unwrap(),
+        serial_number: SerialNumber::from(0x7ab92usize),
+    };
+    let mut filter = res
+        .tbs_response_data
+        .responses
+        .iter()
+        .filter(|r| r.cert_id == certid);
+    match filter.next() {
+        None => panic!("CertId not found"),
+        Some(res) => match &res.cert_status {
+            CertStatus::Revoked(info) => {
+                assert!(info.revocation_reason.as_ref().is_some());
+                assert_eq!(info.revocation_reason.unwrap(), CrlReason::Superseded);
+            }
+            _ => panic!("should be revoked"),
+        },
+    }
+}