--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
--- /dev/null
+#!/bin/sh
+
+# Test case: Try to establish TLS connections with gnutls-cli and
+# check the validity of the server certificate via OCSP
+#
+# Copyright (C) 2016 Thomas Klute
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+OCSPTOOL="${OCSPTOOL:-../../src/ocsptool${EXEEXT}}"
+GNUTLS_SERV="${GNUTLS_SERV:-../../src/gnutls-serv${EXEEXT}}"
+GNUTLS_CLI="${GNUTLS_CLI:-../../src/gnutls-cli${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+TEMPLATE_FILE="out.$$.tmpl.tmp"
+SERVER_CERT_FILE="cert.$$.pem.tmp"
+
+export TZ="UTC"
+
+. "${srcdir}/../scripts/common.sh"
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+
+# Port to use for OCSP server, must match the OCSP URI set in the
+# server_*.pem certificates
+eval "${GETPORT}"
+OCSP_PORT=$PORT
+
+# Maximum timeout for server startup (OCSP and TLS)
+SERVER_START_TIMEOUT=10
+
+# Check for OpenSSL
+OPENSSL=`which openssl`
+if ! test -x "${OPENSSL}"; then
+ echo "You need openssl to run this test."
+ exit 77
+fi
+
+# Check for netcat
+NETCAT=`which nc`
+if ! test -x "${NETCAT}"; then
+ echo "You need nc to run this test."
+ exit 77
+fi
+
+# Check for datefudge
+TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
+if test "$TSTAMP" != "1158969600"; then
+ echo $TSTAMP
+ echo "You need datefudge to run this test."
+ exit 77
+fi
+
+CERTDATE="2016-04-28"
+TESTDATE="2016-04-29"
+
+OCSP_PID=""
+TLS_SERVER_PID=""
+stop_servers ()
+{
+ test -z "${OCSP_PID}" || kill "${OCSP_PID}"
+ test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
+ rm -f "$TEMPLATE_FILE"
+ rm -f "$SERVER_CERT_FILE"
+}
+trap stop_servers 1 15 2 EXIT
+
+echo "=== Generating good server certificate ==="
+
+rm -f "$TEMPLATE_FILE"
+cp "${srcdir}/certs/server_good.template" "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+# Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/certs/ca.pem" \
+ --load-privkey "${srcdir}/certs/server_good.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
+
+echo "=== Bringing OCSP server up ==="
+
+# Start OpenSSL OCSP server
+#
+# WARNING: As of version 1.0.2g, OpenSSL OCSP cannot bind the TCP port
+# if started repeatedly in a short time, probably a lack of
+# SO_REUSEADDR usage.
+PORT=${OCSP_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${OPENSSL}" ocsp -index "${srcdir}/certs/ocsp_index.txt" -text \
+ -port "${OCSP_PORT}" \
+ -rsigner "${srcdir}/certs/ocsp-server.pem" \
+ -rkey "${srcdir}/certs/ocsp-server.key" \
+ -CA "${srcdir}/certs/ca.pem"
+OCSP_PID="${!}"
+wait_server "${OCSP_PID}"
+
+echo "=== Verifying OCSP server is up ==="
+
+# Port probing (as done in wait_port) makes the OpenSSL OCSP server
+# crash due to the "invalid request", so try proper requests
+t=0
+while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do
+ # Run a test request to make sure the server works
+ datefudge "${TESTDATE}" \
+ "${OCSPTOOL}" --ask \
+ --load-cert "${SERVER_CERT_FILE}" \
+ --load-issuer "${srcdir}/certs/ca.pem"
+ rc=$?
+ if test "${rc}" = "0"; then
+ break
+ else
+ t=`expr ${t} + 1`
+ sleep 1
+ fi
+done
+# Fail if the final OCSP request failed
+if test "${rc}" != "0"; then
+ echo "OCSP server check failed."
+ exit ${rc}
+fi
+
+echo "=== Test 1: Server with valid certificate ==="
+
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}"
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate failed."
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Generating bad server certificate ==="
+
+rm -f "${SERVER_CERT_FILE}"
+rm -f "${TEMPLATE_FILE}"
+cp "${srcdir}/certs/server_bad.template" "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+# Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/certs/ca.pem" \
+ --load-privkey "${srcdir}/certs/server_bad.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}"
+
+echo "=== Test 2: Server with revoked certificate ==="
+
+eval "${GETPORT}"
+TLS_SERVER_PORT=$PORT
+
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/certs/server_bad.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}"
+TLS_SERVER_PID="${!}"
+wait_server ${TLS_SERVER_PID}
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+# This connection should not work because the certificate has been
+# revoked.
+if test "${rc}" = "0"; then
+ echo "Connecting to server with revoked certificate succeeded."
+ exit 1
+fi
+
+kill ${OCSP_PID}
+wait ${OCSP_PID}
+unset OCSP_PID
+
+rm -f "${SERVER_CERT_FILE}"
+rm -f "${TEMPLATE_FILE}"
+
+exit 0
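Review bot: The revoked-certificate check in Test 2 (the second gnutls-cli call through `if test "${rc}" = "0"`) treats any non-zero exit as proof that OCSP revocation was detected, so a server that never came up, a wrong port, or an unrelated handshake error all pass the negative test without the OCSP path ever being exercised. A positive control — the same connection without `--ocsp`, which must succeed — run before the `--ocsp` attempt makes a later failure attributable to revocation rather than to reachability; this assumes the `server_bad` certificate differs from `server_good` only by its entry in `ocsp_index.txt`, which the hunk does not show. Relatedly, neither certtool invocation checks its exit status (the first also discards stderr), so a failed certificate generation only surfaces later as an OCSP or connection failure; `|| exit 1` after each call would localise it.
```shell
# Positive control: without --ocsp the revoked certificate must still be
# accepted, so a failure of the --ocsp connection below is attributable
# to the OCSP response rather than to the server being unreachable.
echo "test 123456" | \
 datefudge -s "${TESTDATE}" \
 "${GNUTLS_CLI}" --x509cafile="${srcdir}/certs/ca.pem" \
 --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "0"; then
 echo "Connecting to server with revoked certificate (no OCSP) failed."
 exit ${rc}
fi

# … unchanged: --ocsp connection, kill/wait of TLS_SERVER_PID, rc check …
```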