r509-ocsp-responder 0.3.1

data/spec/fixtures/test_ca_ocsp.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvVuPqX19dbEXF1ciXNF7BQpwwiNK96GkvmMIn/sCp6N+xXor
+VqWX0KA6hcXWPt8BPwiRy7BwhBqrfMBXW9fFi0dGJaVB9h5dJarPBDxbMEDMhrod
+ExnG2NsXN+sA9YQpE3I6UX9H3z5VMPYwJFtt5U8tGQ63Me6IbTFqn69VsYbts76S
+3xxG2FV1ibWCQg/g7HtxKL4kBH0mxkvWST5CEiBT0EoTgFLSKiuML8Vcd3qXe5vU
+MKgo+vmXDXoymYvCGOefSbIDLoWvh5MCvr28OgD8q2izMVY7YRpCxbSslxGPAoB+
+WIFC7VtXN+EESmjZ8XCMf3J3Gns1Ych/7/LXIQIDAQABAoIBAHfVsSY/P52y0/02
+bI23GJaJE/EYqsHqbzr5q6SrEvQKeRj6huDP7TLfpAmyuTKSqNQ+VR5F6/7+bdaG
+VwLNm7vYAGGkowjiEGrdHSP+GmuAJq+AqxPCdWAZzyjZNYMq/1/KI3QeC9sRNJLG
+ypLHtdWv9Mdt06vq3DXWVzb1nFK7DOKwCmR8qIhsGpBRBuztzHups2joQa4RTihC
+7hmdGz2VLFR0J9xphLV57W/ObJuxTD3sqL3HrsDkfv6Poi6iS1GBFtDUuxrFtUv/
+K1Yao02gkXD32Mq5M38uTyBK7nEhS1V7cvP0iHPdLgan9bsrOREXyVV+u0gr2IN1
+wKvyYs0CgYEA7HiL3JdOwlxzWznHLRPOd07cOnwkq5eauqmT2nzxtqL3InSFmNtL
+1hMfIRA2wejo/Q1Ezi7d7RCHsSHBfCGag7L/NdVnIiHAErbVf+LofvjL2C9LShKB
+u4DxPsb7hcj3I9qaHoc0zotxjAkg38sdr2sfP7EMc5k+asPb9MA/bX8CgYEAzP7z
+J4c+CkUhUg1xynZswjxvvC3oMhbC2vVsuKt/ZMwFolpDvVJNcrFOFkqikaGDLcPB
+Dg2WxxZdujnfXBWjTI8M7pfhD1u2OW99yQsWxnWOc1C4n4OjPH0/sn9IEAjlmTpc
+5NYZB6dAARGRTEJN8srNGm59z0S6jLyciuErS18CgYBk8lz6cVk83YydMAAX/TGR
+ewfGq8JXwiNadhPZHKdvCQipG8cAZvVr0MPkMHC/vLbhd+2ceyNgFUNn2XoojIvS
+lvIdwBkD2BaPpp9jtbD8qycSBbaFS3s4WSYjX3x2M0FVe/d4+s0PMzXoyujOwH3O
+qdMwNFuVaaDcoPnf9MXe7wKBgH9OpbsaplDCddr7NnvB5/EIj2uSJu1UbVaFrCtT
+dh4nBii5XfApOKfNrOzzFNrULx8wvqf3kHe7UCHi5u/NEEjvXdyevcpH7nbk4n0E
+QfSl9P1wV/fYTHu4XOKBYUN0AwKR2DbVL14tY/ZF7rIpSzdI8u9DRyZ9TE0ypRUq
+mTSJAoGAOkzZ2D/nQyIz9mHOKmDoXWbFgZ32rqTzqfS07cq5vtt2Ol2MTRXY386Q
+kW1AyHf0hz8SQe3+An4K6uMpGkZ6dzEOXhsw1+fwU9jFb+qucRuhTVlyVWDVtkf6
+NRg6ZlSfTi3KxmaSsY7X/t9DfWmud8MXTm3cUqI0VdljQmAT85A=
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/test_ca_ocsp_chain.txt

@@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIJAP/ZxwuHN9GUMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEYMBYG
+A1UECgwPUnVieSBDQSBQcm9qZWN0MRAwDgYDVQQDDAdUZXN0IENBMB4XDTExMDIy
+MDIwNDkxMloXDTMwMDQyMTIwNDkxMlowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgM
+CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRgwFgYDVQQKDA9SdWJ5IENBIFBy
+b2plY3QxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCot8/z3jxARkwyRk0csM84dlWs91W95wPpunx3P3otqUxCJaOAyQl/
+uY8deg0xDmsime2JQ6aG6m76y3LfT4J1tlkhtmiGKhNJir1kgL8sL0wTXYXvwZEw
+qEEYD5mKi7Na9eo4R0ydqd9KAquVIhKywXvV1+Y4RDTx+f1WXmMCBaYZ76/rXmIe
+oE0avriRiihOtlgto+VNJw7VRnvq+cEd81BT62wRk1fG1lcpCqTEfEtKEI6PqqZh
+E2f+6lNmhZZ3Tj7NeNgYQLd4q+L1y030Vj4onpAIJrwfQq3dxTmrLDqnN2WOFsbo
+0qGh3s4yqUaOYd2wIBgCp7fEf5X/yh53AgMBAAGjUDBOMB0GA1UdDgQWBBR5dbuE
+Osss3noJvjEbQ7wcKk1TWDAfBgNVHSMEGDAWgBR5dbuEOsss3noJvjEbQ7wcKk1T
+WDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAp/Fh+WWjN7x/SZzMm
+H1INAS4loufHXzkqI+3bClAzlhzpBVbY7dHwD6H8oKh06EtppbN0Bw3iqXSRyoNd
++lDXccPij5dCuTFQ97DOrv7kGlhiM95XVkx4mvnd+i6jKwgOpllgDE/nKOwC42bq
+lIikcp7XLQUPt7amyX9UeJ8lxQ/niSkT868ls2IZQkF3XEhCi+5VlefEoaiMQZmD
+RyEd/vlsSnpXI5LLpkFq+NFGvgdI7+UADNIyDplyivD4VyQ6+zisX3r1ojroa6Y+
+WyXxLx+AVJVnGjngr2fDKr4ggsYWlJEs8lJ0r90jliYrSPA6rIldTbs3k9AbUp8G
+kS6X
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEaDCCA1CgAwIBAgIVAOpjrhBj/knK4IwIzIpSmDxdBlOYMA0GCSqGSIb3DQEB
+BQUAMF4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwH
+Q2hpY2FnbzEYMBYGA1UECgwPUnVieSBDQSBQcm9qZWN0MRAwDgYDVQQDDAdUZXN0
+IENBMB4XDTExMTIxNjA5NTg1NloXDTEyMTIxNTA5NTg1NlowGzEZMBcGA1UEAwwQ
+cjUwOSBPQ1NQIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALVK9XwIRznpBNC7Ltqqq4RSrkGdRZzt3fI2MrJVYAz1fc+kZ8IfsmEiZxGgRuQ2
+83TNF70IsSR6a3oiPUKuywqDbKBaXNDMzhLJKvT1bHsIfkBQ//IYKtN9JCBLzs92
+vcsV5hZOhTs0WDyKvmjdX3Xh8vKtMoX1pfSjuXQuTpzTiQW/LDlfnDy5Cf668D1K
+JsaEd8Nd4xncpWTj806WyODAkkqEaIvJJ014itqy9Tjo+m9TxGmRrY6SaBJRQGGe
+Z6e0s6eccYuGrdFyElXc2M5kWkKirTmCSPGGokx9vw8v1EcdvNFlW2pug31RFWt9
+sZ5P6XVkMykwjJwMyPm93dMCAwEAAaOCAV4wggFaMAwGA1UdEwEB/wQCMAAwHQYD
+VR0OBBYEFCgE62q6is5xpdlkkPU1zy93piH2MAsGA1UdDwQEAwIHgDCBkAYDVR0j
+BIGIMIGFgBR5dbuEOsss3noJvjEbQ7wcKk1TWKFipGAwXjELMAkGA1UEBhMCVVMx
+ETAPBgNVBAgMCElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRgwFgYDVQQKDA9S
+dWJ5IENBIFByb2plY3QxEDAOBgNVBAMMB1Rlc3QgQ0GCCQD/2ccLhzfRlDATBgNV
+HSUEDDAKBggrBgEFBQcDCTAOBgNVHSAEBzAFMAMGAQAwMgYDVR0fBCswKTAnoCWg
+I4YhaHR0cDovL2NybC5kb21haW4uY29tL3Rlc3RfY2EuY3JsMDIGCCsGAQUFBwEB
+BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuZG9tYWluLmNvbTANBgkqhkiG
+9w0BAQUFAAOCAQEADNAMfwzRpx8UoWe1i/qivAIPJtP2zlop0eIwSy9ocAoAfcHF
+wVsdBzIb74amm4z/+y7j4x8ZAY2d4hosdDH05OKnGVHUT0ASzYjh0zDgOItObk2L
+XrMykW2GCNGTOlt1C/FfKVkBMDQz7Pi8fXmHsI4N1A0krTEVgVwKVLn0TrrLZ6OP
+0vsj9nqSPYJ4eLsIE3gp4RBLJWGtLWtlkIwKLU/ZhpKo7VcvoZU8zDjHJR/HO9uD
+T3vlekoEc5rlWk9Uobh9Sz/pFb/r/ErOkXBnka1XunJQBOLe6wj1T2v/B0zMv6RG
+Tpd0n0zKik4a7nBH82jxg78kRLUfjbhFZienKA==
+-----END CERTIFICATE-----

data/spec/fixtures/test_ca_subroot.cer

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJjCCAw6gAwIBAgIVALxHSa9L48ZH3q9EANuGMICYOmRpMA0GCSqGSIb3DQEB
+BQUAMF4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwH
+Q2hpY2FnbzEYMBYGA1UECgwPUnVieSBDQSBQcm9qZWN0MRAwDgYDVQQDDAdUZXN0
+IENBMB4XDTEyMDEwNjExNTQxOVoXDTMyMDEwMTE3NTQxOVowLjELMAkGA1UEBhMC
+VVMxHzAdBgNVBAMMFnI1MDkgQXJiaXRyYXJ5IFN1YnJvb3QwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6s6E0RHPdC/g6ZVe/4bRka2FndjqCwxiuTpaq
+FQwf8/etXyCuz0ZADs04WaqCtIs+uUoXh+jSBg0BVC0rc1pCoQIraq9M3ZJ1umu/
+i96Ohhjbk1ygJW3U1+vdxWuowk4H51/pLbNUIy/fntSTE1vSbVo1rviK/SFXpHT3
+PaPjIX4IjLpnW12+h1zH5P9yLoIZ/NN+s64rW21JX3y/gFG4DW9d0LxMKbI5Nixv
+bn+1mpLCcPn+pO4i/8o8AXs/FsoKing32m23k7+8rz2IWKZWcVoLe4/x+j00zzjv
+eXAvvoXBomYgftsj83tCQ5vOFznVoZJROfqKtcRwFpDaQosBAgMBAAGjggEJMIIB
+BTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUtsRD
+bNCYQJnEYNRxJAcAcPZ6JWowgZAGA1UdIwSBiDCBhYAUeXW7hDrLLN56Cb4xG0O8
+HCpNU1ihYqRgMF4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4G
+A1UEBwwHQ2hpY2FnbzEYMBYGA1UECgwPUnVieSBDQSBQcm9qZWN0MRAwDgYDVQQD
+DAdUZXN0IENBggkA/9nHC4c30ZQwMAYIKwYBBQUHAQEEJDAiMCAGCCsGAQUFBzAB
+hhRodHRwOi8vb2NzcC5yNTA5Lm9yZzANBgkqhkiG9w0BAQUFAAOCAQEAAV6ub5mP
+xLYV8Zpu6WhG1JvM8PKEUzPv5jR3Bzm0MG9ISlT9soVO2LxcRoRUMscTzvPLIIj/
+R24fMjJMzewu/BmYVcJJ9aG1z5Zdlczjz+Jm8P40V1x6iMn/MZrDc4Yx00TIkzT0
+b2w6GvPjS6RZwybTr6d1bj8EB0Urbuk7a/FL3hOi5wQ4AWh+RqW8mWjvjs1ElKE5
+hpIb2fjC3JnifZAo/sD2xV8Y3Vasqb2uUGYZ3+HZFTbF+WQ6OZHVHlv0xB1yYTid
+4melkAZEPf5OblurgioGu0b9nSHGdrCrk84nKdNN3w5rFOPo/dyaO5wcYIpcpC6f
+Hs6C1rY6pPOImw==
+-----END CERTIFICATE-----

data/spec/fixtures/test_ca_subroot.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAurOhNERz3Qv4OmVXv+G0ZGthZ3Y6gsMYrk6WqhUMH/P3rV8g
+rs9GQA7NOFmqgrSLPrlKF4fo0gYNAVQtK3NaQqECK2qvTN2Sdbprv4vejoYY25Nc
+oCVt1Nfr3cVrqMJOB+df6S2zVCMv357UkxNb0m1aNa74iv0hV6R09z2j4yF+CIy6
+Z1tdvodcx+T/ci6CGfzTfrOuK1ttSV98v4BRuA1vXdC8TCmyOTYsb25/tZqSwnD5
+/qTuIv/KPAF7PxbKCop4N9ptt5O/vK89iFimVnFaC3uP8fo9NM8473lwL76FwaJm
+IH7bI/N7QkObzhc51aGSUTn6irXEcBaQ2kKLAQIDAQABAoIBAGjoMGenIxeM90EQ
+2tq132AhukyhcUUyjPa8sAoH45U8x+oCLuIrE8VAy+2i7J2fBzMKeGh6dMc2oS4i
+93KX0Zroz8hHnRLq2bYPNyYdWMPq86LFzeEqxuk3HpCxssnTzHbCevESPdbEIs1b
+eQTfdtPpoCvUElI+4/JUNWkLmMAxhlnQjAVIIB4RsjUugn4h2VZIj5tx7L9at06C
+TPz10xA6v+uIxtYE1Ijr0LB0LjV7FIttfHbq/6SoNaRCGYz1m0VN6CJ/cN6tBMAj
+EKwpnfD1kr0T1N+Y27lnLEW+xSg8DfQIchaKc3dJFr8Sx+WbpajSKEywtfl4wpTV
+iwT/ZDECgYEA6dqXr038bf29womMh9Qds2YMUt5SI+SjA9DHxcvodCzyG5dvchpY
+0V8RXPWJsVV9ECWbGr8T0ZPPXo3EFR8JyOUBDnDgDE0SlhFo4lNlRLHYFsUPrjgf
+6IHhCTtkZtdOr7ObZe4mOjo3K2tQcN7e4uArIFqNP5tUc48hcNhO410CgYEAzGHo
+oOsj7xBBO+3ohIsXgXXlNqcAnCBkUYVC9HIBi+atWUddpsXrXF+YVMn3Kw8nEZnE
+/KUINnwn+NyInmSEmgRuWo6Uv+dxa8I7H51LkjtmhhIFkMTxXewTLdrWkX1M/9dp
+RwrkGHN3vTYPi4/PT18FIw/MZ6pH9ly4M1Kqj/UCgYBUAC4eTWAQTmX8XBY7sCjf
+CRgCKFPPCtC3jSZFWYJtQLvSx2nDzcz7oC+Hebd1GKUsyKVXTS2cSYDikP/PKnAE
+VqYzfr4sDP9RIn3PVm945n0daLnCNezYQtcHzuq4ujxMhrKaQZo/riulEA48DQJ4
+8lbrbztvjqceP1qew0RLDQKBgGBqy/imFSShcXTZLjjg+SzMtl5K+IGu0kSW7lgt
+NEeQgjS88xRLCFZijpVpVd4NXuvxs7lQDYjOl3jSaOz4FIooDvtPiiLiB2LDlWq7
+pLwOo7YZ6GA8WHVrejzGoTSvfNSxBWxLWgGi71jmmPzI0g7qj5zTxiUdcqdpZEhp
+9ibFAoGAPMEI59/eCmSZPIZ7acs//4HI0QTo6856KZj4bqlowdeZf/D7uyCpn7UX
+904L4tAVwLKddqmDXbReS/ObsNs4v1FsdgnTySR59PYmW67S/CMzyN0T9Ld4xtOe
+R/khjaviCkqAmPzDRx8+OZmbzNJtb0s6hJIQS73lcj84kuprSio=
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/test_ca_subroot_ocsp.cer

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEPzCCAyegAwIBAgIVAPVJ8f7HkMe36qArq2sTN1abDCjWMA0GCSqGSIb3DQEB
+BQUAMC4xCzAJBgNVBAYTAlVTMR8wHQYDVQQDDBZyNTA5IEFyYml0cmFyeSBTdWJy
+b290MB4XDTEyMDEwNjEzMDgzNFoXDTMyMDEwMTE5MDgzNFowaDELMAkGA1UEBhMC
+VVMxETAPBgNVBAgMCElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMREwDwYDVQQK
+DAhyNTA5IExMQzEhMB8GA1UEAwwYcjUwOSBTdWJyb290IE9DU1AgU2lnbmVyMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuOPd0oz5t/GJyB94jTXyALy7
+tD2F3FgIIkMx+0zWwxytd7OMWmYGnxxSjx/kC1VbLnB254llbWVf6aZO13sNgXTb
+tXtWcHBSIfje1IAFW85+UHuQ3L/cv/JoFxFL0r0L/MPO0zwMTBa68TVTS6LhvjNY
+8mK0Oot6i/m/Hh7LXK6ynYxqqacAdK6PKMKsGG1ywDwrGNvjLpH3qmzTkqTkF+8o
+J2B5kgIAMVEfgiK46zFtIMe6tcDT7n5KJ2NwG3GVwRnrTgnuBqpp8/hukAEdLT/L
+yD0DShA5HWljJQGj8JlWe+x2k68kMHN4fgNfBoE97wjFCdeolKSHUP6yDn3+wQID
+AQABo4IBGDCCARQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCTAd
+BgNVHQ4EFgQU0sNGTKxh+UEPYyBk1Wi3Uisq4gkwgZwGA1UdIwSBlDCBkYAUtsRD
+bNCYQJnEYNRxJAcAcPZ6JWqhYqRgMF4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhJ
+bGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEYMBYGA1UECgwPUnVieSBDQSBQcm9q
+ZWN0MRAwDgYDVQQDDAdUZXN0IENBghUAvEdJr0vjxkfer0QA24YwgJg6ZGkwMQYI
+KwYBBQUHAQEEJTAjMCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5yNTA5Lm9yZy8w
+DQYJKoZIhvcNAQEFBQADggEBALOUPqx9blxSYAvor/H1ITWz0huj+WPvGdPQABGn
+nu16V7Jak3EposqXY9ObKteWzdiLvo41O4mVAviBhdKYexo/LLlEa5cP6/lRQ2yC
+TR5MKYTVIaaSuxCTxwM4AF2XFaRs2AnxcpPKQjCkxe6fT0lPwuQbBdQqjtRl39CR
++2muSQlqpCz4KTPivTOCyOizIrhnxhMjcSr1zxpEPsCbJO0Bd/8PPHPER3MMXmYb
+Ci3HVRWqDczVniy3tmKh20rEWZPUmJNiLaGLdD5Ug39YhGMn9fkT+x8+UxIeaNZW
+2JtcNoOp9v5e7EOcxJp2doHq3+FCOii3LwHlwk2XMAeKYKo=
+-----END CERTIFICATE-----

data/spec/fixtures/test_ca_subroot_ocsp.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuOPd0oz5t/GJyB94jTXyALy7tD2F3FgIIkMx+0zWwxytd7OM
+WmYGnxxSjx/kC1VbLnB254llbWVf6aZO13sNgXTbtXtWcHBSIfje1IAFW85+UHuQ
+3L/cv/JoFxFL0r0L/MPO0zwMTBa68TVTS6LhvjNY8mK0Oot6i/m/Hh7LXK6ynYxq
+qacAdK6PKMKsGG1ywDwrGNvjLpH3qmzTkqTkF+8oJ2B5kgIAMVEfgiK46zFtIMe6
+tcDT7n5KJ2NwG3GVwRnrTgnuBqpp8/hukAEdLT/LyD0DShA5HWljJQGj8JlWe+x2
+k68kMHN4fgNfBoE97wjFCdeolKSHUP6yDn3+wQIDAQABAoIBAEql1X2Y5Ynav2JJ
+Mobw7NBXYwGWhWE9Oat7rcZkc6E7Bt55Y4VsA+hhqwOWQKBCyhmp1pgM5SKR93OC
+bfqZ+A34fGx9a5zh/Icyz+TD+2XhrSYZfZdi72GgIV6O4SoooZpgBDVM3TorQzb3
+7LVxAeulF5hlOZcZkVTKdNtYW4sDXa0zthSLhCladQjRSV2znuNN1ZRocQhNRMv6
+4MgOVon2S22HkxFHz0yT6NImp6Ns3Qvjoej1MAcuhMhcHFFvhHvn1GUF4Ur6A6JP
+Rbr2Z6h0hUmKqVX02kEgYhJduy3btVr+QGKDZBD43vzFZ74ZQsLbK9mXZFU0eOe9
+dWglZ0ECgYEA5i2saggVyHbOm+WbE5FvUwVrkdokM9lUeK6QY+mWN0xJ8uTUwplR
+iXw4gr7Jcl5D8SoNm6EFGzQh4ZVkZw8v0CpO18sA3gTBVLMPl8EijUzUNk6MIKUL
+h37O0Wr6hnpFsuTwFZgwmuBc4KYY9eNVhzURjDD+bbvNx+9krYLuU3UCgYEAzaGX
+StD/d8ypcAmzl0x4BeN7QbkHRtYC5MqPfkycmegypJAIXIV9kVRGznj4+Q2Zne9e
+E1llS41KJHgi04LL34/wunSAPGNTLEbhQObSxZppDTFmZhouN4CMEIUMrETXHDri
+Qy0SMLmnD3LxmpnGvMMyQICU1BfLvIPxvUh3kJ0CgYATohWwvZvOC4Q3+++sTZ1n
+QXEZcbfgzErOOGWMgCIV+WXdV/Nl3dn8liHj1Q4tuSima2XZvnRHC71QFoQH3l2/
+rbwn3+LlDRbIeLV9xjWCQ+ld8Hk3V5ySJBjT+AICcm97gNeRn/eVXknNx50dbBSh
+gb9La+pnxbsZsKuvuRlG+QKBgQC8U8ByXxN6LtEHsXrvmLNcAUmDmehWMe8Yh4QA
+Ej5insyy9s8RnZixH1RyCU1NG+2TPgUVB4zEMzSyTezndiUuLXA19Dj2Fam5JXlr
+rXtgStjnolS8MkIdxveAsbo3lBzG2A8dowvD4GRmu8kW5Lulach+VsT3sot/rgAa
+cWI/6QKBgQCWL6c25xjU71n+ZQfXt1nLes1Z06bs25oOJnY6cKwXn41o4Z+FAaEG
++XSpGDHed5lO/WqolSMF1BGAVgZU6x7YK0iBDbRia5bVs3KAs0p7vEO2vIKNx58A
+UuuAb6igKKOLzM7L7vzNwQr4QyuSUTL0cgOlVT6RVR1F6tlkXd2wdw==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/test_config.yaml

@@ -0,0 +1,17 @@
+copy_nonce: true
+cache_headers: true
+max_cache_age: 60
+certificate_authorities: {
+    test_ca: {
+        ca_cert: {
+            cert: "spec/fixtures/test_ca.cer",
+            key: "spec/fixtures/test_ca.key"
+        }
+    },
+    second_ca: {
+        ca_cert: {
+            cert: "spec/fixtures/second_ca.cer",
+            key: "spec/fixtures/second_ca.key"
+        }
+    }
+}

data/spec/server_spec.rb

@@ -0,0 +1,400 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require 'time'
+
+
+describe R509::Ocsp::Responder::Server do
+    before :all do
+        @test_ca_cert = OpenSSL::X509::Certificate.new(File.read(Pathname.new(__FILE__).dirname + "fixtures/test_ca.cer"))
+        @second_ca_cert = OpenSSL::X509::Certificate.new(File.read(Pathname.new(__FILE__).dirname + "fixtures/second_ca.cer"))
+    end
+
+    before :each do
+        # clear the dependo before each test
+        Dependo::Registry.clear
+        Dependo::Registry[:log] = Logger.new(nil)
+
+        # we always want to mock with a new redis
+        @redis = double("redis")
+        Dependo::Registry[:redis] = @redis
+
+        # and we want to mock the stats recorder
+        @stats = double("stats")
+        Dependo::Registry[:stats] = @stats
+
+        # default value for :copy_nonce is false (can override on a per-test basis)
+        Dependo::Registry[:copy_nonce] = false
+
+        # default value for :cache_headers is false (can override on a per-test basis)
+        Dependo::Registry[:cache_headers] = false
+
+        # default value for :max_cache_age is nil (can override on a per-test basis)
+        Dependo::Registry[:max_cache_age] = nil
+
+        # read the config.yaml
+        @config_pool = R509::Config::CaConfigPool.from_yaml("certificate_authorities", File.read(File.dirname(__FILE__)+"/fixtures/test_config.yaml"))
+    end
+
+    def app
+        # this is executed after the code in each test, so if we change something in the dependo registry, it'll show up here (we will set :copy_nonce in some tests)
+        Dependo::Registry[:ocsp_signer] = R509::Ocsp::Signer.new(
+            :configs => @config_pool,
+            :validity_checker => R509::Validity::Redis::Checker.new(Dependo::Registry[:redis]),
+            :copy_nonce => Dependo::Registry[:copy_nonce]
+        )
+        @app ||= R509::Ocsp::Responder::Server
+    end
+
+    it "should return unauthorized on a GET which does not match any configured CA" do
+        get '/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEFqb7H4xpqYH6ed2G0%2BPMG4%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (UNKNOWN) response on a GET request from the test_ca CA" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "UNKNOWN")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+        ocsp_response.basic.status[0][0].serial.should == 1051177536915098490149656742929223623669143613238
+        ocsp_response.verify(@test_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (REVOKED) response on a GET request from the test_ca CA" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::REVOKED})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "REVOKED")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+        ocsp_response.basic.status[0][0].serial.should == 1051177536915098490149656742929223623669143613238
+        ocsp_response.verify(@test_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (VALID) response on a GET request from the test_ca CA" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
+        ocsp_response.basic.status[0][0].serial.should == 1051177536915098490149656742929223623669143613238
+        ocsp_response.verify(@test_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (VALID) response on a GET request with extra leading slashes from the test_ca CA" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
+
+        get '/%2F%2FMFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
+        ocsp_response.basic.status[0][0].serial.should == 1051177536915098490149656742929223623669143613238
+        ocsp_response.verify(@test_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (VALID) response on a GET request from a second configured CA (second_ca)" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
+        ocsp_response.basic.status[0][0].serial.should == 773553085290984246110251380739025914079776985795
+        ocsp_response.verify(@test_ca_cert).should == false
+        ocsp_response.verify(@second_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return unauthorized on a POST which does not match any configured CA" do
+        der = Base64.decode64(URI.decode("MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEFqb7H4xpqYH6ed2G0%2BPMG4%3D"))
+        post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (UNKNOWN) response on a POST request from the test_ca CA" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "UNKNOWN")
+
+        der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+        post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+        ocsp_response.basic.status[0][0].serial.should == 1051177536915098490149656742929223623669143613238
+        ocsp_response.verify(@test_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (REVOKED) response on a POST request from the test_ca CA" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::REVOKED})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "REVOKED")
+
+        der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+        post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+        ocsp_response.basic.status[0][0].serial.should == 1051177536915098490149656742929223623669143613238
+        ocsp_response.verify(@test_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (VALID) response on a POST request from the test_ca CA" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
+
+        der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+        post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
+        ocsp_response.basic.status[0][0].serial.should == 1051177536915098490149656742929223623669143613238
+        ocsp_response.verify(@test_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return a valid (VALID) response on a POST request from a second configured CA (second_ca)" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
+
+        der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D"))
+        post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        ocsp_response.basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
+        ocsp_response.basic.status[0][0].serial.should == 773553085290984246110251380739025914079776985795
+        ocsp_response.verify(@test_ca_cert).should == false
+        ocsp_response.verify(@second_ca_cert).should == true
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "should return 200 OK when querying status and redis is available" do
+        @redis.should_receive(:ping).and_return("PONG")
+        get '/status'
+        last_response.should be_ok
+    end
+
+    it "should return 500 DOWN when querying status with redis unavailable" do
+        @redis.should_receive(:ping).and_raise(StandardError)
+        get '/status'
+        last_response.should_not be_ok
+        last_response.body.should == "Down"
+    end
+
+    it "a malformed request should return a proper OCSP response (GET)" do
+        get '/Msdfsfsdf'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "a malformed request should return a proper OCSP response (POST)" do
+        post '/', 'Mdskfsdf', "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.should be_ok
+    end
+
+    it "copies nonce when copy_nonce is true" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:872625873161273451176241581705670534707360122361").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "872625873161273451176241581705670534707360122361", "VALID")
+
+        # set to true for this test (this works because the app doesn't get set up until after this code)
+        Dependo::Registry[:copy_nonce] = true
+
+        get '/MHsweTBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQCY2eXAtMNzVS33fF0PHrUSjklF%2BaIjMCEwHwYJKwYBBQUHMAECBBIEEDTJniOQonxCRmmHAHCVstw%3D'
+        request = OpenSSL::OCSP::Request.new(Base64.decode64("MHsweTBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQCY2eXAtMNzVS33fF0PHrUSjklF+aIjMCEwHwYJKwYBBQUHMAECBBIEEDTJniOQonxCRmmHAHCVstw="))
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        request.check_nonce(ocsp_response.basic).should == R509::Ocsp::Request::Nonce::PRESENT_AND_EQUAL
+
+    end
+
+    it "doesn't copy nonce when copy_nonce is false" do
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:872625873161273451176241581705670534707360122361").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "872625873161273451176241581705670534707360122361", "VALID")
+
+        # set to false for this test (this works because the app doesn't get set up until after this code)
+        Dependo::Registry[:copy_nonce] = false
+
+        get '/MHsweTBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQCY2eXAtMNzVS33fF0PHrUSjklF%2BaIjMCEwHwYJKwYBBQUHMAECBBIEEDTJniOQonxCRmmHAHCVstw%3D'
+        request = OpenSSL::OCSP::Request.new(Base64.decode64("MHsweTBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQCY2eXAtMNzVS33fF0PHrUSjklF+aIjMCEwHwYJKwYBBQUHMAECBBIEEDTJniOQonxCRmmHAHCVstw="))
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        request.check_nonce(ocsp_response.basic).should == R509::Ocsp::Request::Nonce::REQUEST_ONLY
+    end
+
+    it "returns caching headers for GET when cache_headers is true and no nonce is present" do
+        Dependo::Registry[:cache_headers] = true
+
+        now = Time.now
+        Time.stub!(:now).and_return(now)
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.headers.size.should == 6
+        last_response.headers["Last-Modified"].should == Time.now.httpdate
+        last_response.headers["ETag"].should == OpenSSL::Digest::SHA1.new(ocsp_response.to_der).to_s
+        last_response.headers["Expires"].should == ocsp_response.basic.status[0][5].httpdate
+        max_age = ocsp_response.basic.status[0][5] - now
+        last_response.headers["Cache-Control"].should == "max-age=#{max_age.to_i}, public, no-transform, must-revalidate"
+    end
+
+    it "returns no caching headers for GET when cache_headers is false and no nonce is present" do
+        Dependo::Registry[:cache_headers] = false
+
+        now = Time.now
+        Time.stub!(:now).and_return(now)
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.headers.size.should == 2
+    end
+
+    it "returns no caching headers for GET when cache_headers is true and a nonce is present" do
+        Dependo::Registry[:cache_headers] = true
+
+        now = Time.now
+        Time.stub!(:now).and_return(now)
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:872625873161273451176241581705670534707360122361").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "872625873161273451176241581705670534707360122361", "VALID")
+
+        get '/MHsweTBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQCY2eXAtMNzVS33fF0PHrUSjklF%2BaIjMCEwHwYJKwYBBQUHMAECBBIEEDTJniOQonxCRmmHAHCVstw%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.headers.size.should == 2
+    end
+
+    it "returns no caching headers for GET when cache_headers is false and a nonce is present" do
+        Dependo::Registry[:cache_headers] = false
+
+        now = Time.now
+        Time.stub!(:now).and_return(now)
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:872625873161273451176241581705670534707360122361").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "872625873161273451176241581705670534707360122361", "VALID")
+
+        get '/MHsweTBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQCY2eXAtMNzVS33fF0PHrUSjklF%2BaIjMCEwHwYJKwYBBQUHMAECBBIEEDTJniOQonxCRmmHAHCVstw%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.headers.size.should == 2
+    end
+
+    it "returns custom max_cache_age when it's set properly" do
+        Dependo::Registry[:cache_headers] = true
+        Dependo::Registry[:max_cache_age] = 600
+
+        now = Time.now
+        Time.stub!(:now).and_return(now)
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.headers.size.should == 6
+        last_response.headers["Last-Modified"].should == now.httpdate
+        last_response.headers["ETag"].should == OpenSSL::Digest::SHA1.new(ocsp_response.to_der).to_s
+        last_response.headers["Expires"].should == ocsp_response.basic.status[0][5].httpdate
+        last_response.headers["Cache-Control"].should == "max-age=600, public, no-transform, must-revalidate"
+    end
+
+    it "returns default max_cache_age if custom age is too large" do
+        Dependo::Registry[:cache_headers] = true
+        Dependo::Registry[:max_cache_age] = 950000
+
+        now = Time.now
+        Time.stub!(:now).and_return(now)
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D'
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.headers.size.should == 6
+        last_response.headers["Last-Modified"].should == now.httpdate
+        last_response.headers["ETag"].should == OpenSSL::Digest::SHA1.new(ocsp_response.to_der).to_s
+        last_response.headers["Expires"].should == ocsp_response.basic.status[0][5].httpdate
+        max_age = ocsp_response.basic.status[0][5] - now
+        last_response.headers["Cache-Control"].should == "max-age=#{max_age.to_i}, public, no-transform, must-revalidate"
+    end
+
+    it "returns no caching headers for GET when cache_headers is false" do
+        Dependo::Registry[:cache_headers] = false
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
+
+        get '/MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D'
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.headers.size.should == 2
+        last_response.should be_ok
+    end
+
+    it "returns no caching headers for POST when cache_headers is true" do
+        Dependo::Registry[:cache_headers] = true
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
+
+        der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+        post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.headers.size.should == 2
+        last_response.should be_ok
+    end
+
+    it "returns no caching headers for POST when cache_headers is false" do
+        Dependo::Registry[:cache_headers] = false
+
+        @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
+        @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
+
+        der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+        post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
+        ocsp_response = R509::Ocsp::Response.parse(last_response.body)
+        last_response.content_type.should == "application/ocsp-response"
+        last_response.headers.size.should == 2
+        last_response.should be_ok
+    end
+
+    it "should reload and print config when receiving a SIGUSR2" do
+        config = double("config")
+        stub_const("R509::Ocsp::Responder::OcspConfig",config)
+        #R509::Ocsp::Responder::OcspConfig = double("config")
+        R509::Ocsp::Responder::OcspConfig.should_receive(:load_config)
+        R509::Ocsp::Responder::OcspConfig.should_receive(:print_config)
+        Process.kill :USR2, Process.pid
+    end
+end