OCSP-stapling enhancement and testing.

Server:
  Honor environment variable as well as running_in_test_harness in permitting bogus staplings
  Update server tests
  Add "-ocsp" option to client-ssl.
  Server side: add verification of stapled status.
  First cut server-mode ocsp testing.
  Fix some uninitialized ocsp-related data.

Client (new):
  Verify stapling using only the chain that verified the server cert, not any acceptable chain.
  Add check for multiple responses in a stapling, which is not handled
  Refuse verification on expired and revoking staplings.
  Handle OCSP client refusal on lack of stapling from server.
  More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
  Add transport hosts_require_ocsp option.
  Log stapling responses.
  Start on tests for client-side.

Testing support:
    Add CRL generation code and documentation update
    Initial CA & certificate set for testing.

BUGFIX:
    Once a single OCSP response has been extracted the validation
    routine return code is no longer about the structure, but the actual
    returned OCSP status.

1 files changed, 47 insertions, 0 deletions

diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
new file mode 100644
index 000000000..39e5eedc6
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server2.example.net
+    localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 
+subject=/CN=server2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
+GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
+mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+-----END CERTIFICATE-----