Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL

Now the certs arg is not any more neglected when building the signer cert chain.
Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy.

See also http://rt.openssl.org/Ticket/Display.html?id=4620

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4124)

4 files changed, 147 insertions, 56 deletions

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index e2cfa6dda5..809f7f41e1 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -73,6 +73,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                     goto f_err;
                 }
             }
+        } else if (certs != NULL) {
+            untrusted = certs;
         } else {
             untrusted = bs->certs;
         }
diff --git a/test/ocsp-tests/ND1_Cross_Root.pem b/test/ocsp-tests/ND1_Cross_Root.pem
new file mode 100644
index 0000000000..20585f1c01
--- /dev/null
+++ b/test/ocsp-tests/ND1_Cross_Root.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
+-----END CERTIFICATE-----
diff --git a/test/ocsp-tests/ND1_Issuer_ICA-Cross.pem b/test/ocsp-tests/ND1_Issuer_ICA-Cross.pem
new file mode 100644
index 0000000000..08f04f69b5
--- /dev/null
+++ b/test/ocsp-tests/ND1_Issuer_ICA-Cross.pem
@@ -0,0 +1,58 @@
+-----BEGIN CERTIFICATE-----
+MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB
+gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
+BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw
+MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
+YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
+RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp
+b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi
+7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK
+HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy
+hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS
+b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f
+BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY
+5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq
+fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1
+MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv
+bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v
+Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm
+MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU
+cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv
+Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9
+P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40
+TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj
+hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs
+tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl
+9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIE8TCCA9mgAwIBAgIQbyXcFa/fXqMIVgw7ek/H+DANBgkqhkiG9w0BAQUFADBv
+MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
+ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
+eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
+gYExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
+BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMScwJQYD
+VQQDEx5DT01PRE8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDQQIuLcuORG/dRwRtUBJjTqb/B5opdO4f7u4jO
+DeMvPwaW8KIpUJmu2zuhV7B0UXHN7UKRTUH+qcjYaoZ3RLtZZpdQXrTULHBEz9o3
+lUJpPDDEcbNS8CFNodi6OXwcnqMknfKDFpiqFnxDmxVbt640kf7UYiYYRpo/68H5
+8ZBX66x6DYvbcjBqZtXgRqNw3GjZ/wRIiXfeten7Z21B6bw5vTLZYgLxsag9bjec
+4i/i06Imi8a4VUOI4SM+pdIkOWpHqwDUobOpJf4NP6cdutNRwQuk2qw471VQJAVl
+RpM0Ty2NrcbUIRnSjsoFYXEHc0flihkSvQRNzk6cpUisuyb3AgMBAAGjggF0MIIB
+cDAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUC1jl
+i8ZMFTekQKkwqSG+RzZaVv8wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9j
+cmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYI
+KwYBBQUHAQEEgaYwgaMwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0
+LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0
+cDovL2NydC51c2VydHJ1c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsG
+AQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUA
+A4IBAQAHYJOZqs7Q00fQNzPeP2S35S6jJQzVMx0Njav2fkZ7WQaS44LE5/X289kF
+z0k0LTdf9CXH8PtrI3fx8UDXTLtJRTHdAChntylMdagfeTHJNjcPyjVPjPF+3vxG
+q79om3AjMC63xVx7ivsYE3lLkkKM3CyrbCK3KFOzGkrOG/soDrc6pNoN90AyT99v
+uwFQ/IfTdtn8+7aEA8rJNhj33Wzbu7qBHKat/ij5z7micV0ZBepKRtxzQe+JlEKx
+Q4hvNRevHmCDrHqMEHufyfaDbZ76iO4+3e6esL/garnQnweyCROa9aTlyFt5p0c1
+M2jlVZ6qW8swC53HD79oRIGXi1FK
+-----END CERTIFICATE-----
diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t
index 103a7aea0e..9f178dec62 100644
--- a/test/recipes/80-test_ocsp.t
+++ b/test/recipes/80-test_ocsp.t
@@ -29,6 +29,10 @@ sub test_ocsp {
     my $title = shift;
     my $inputfile = shift;
     my $CAfile = shift;
+    my $untrusted = shift;
+    if ($untrusted eq "") {
+        $untrusted = $CAfile;
+    }
     my $expected_exit = shift;
 
     run(app(["openssl", "base64", "-d",
@@ -38,7 +42,7 @@ sub test_ocsp {
          sub { ok(run(app(["openssl", "ocsp", "-respin", "ocsp-resp-fff.dat",
                            "-partial_chain", @check_time,
                            "-CAfile", catfile($ocspdir, $CAfile),
-                           "-verify_other", catfile($ocspdir, $CAfile),
+                           "-verify_other", catfile($ocspdir, $untrusted),
                            "-no-CApath"])),
                   $title); });
     unlink "ocsp-resp-fff.dat";
@@ -47,144 +51,146 @@ sub test_ocsp {
 plan tests => 10;
 
 subtest "=== VALID OCSP RESPONSES ===" => sub {
-    plan tests => 6;
+    plan tests => 7;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "ND1_Issuer_ICA.pem", 0);
+	      "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "ND2_Issuer_Root.pem", 0);
+	      "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "ND3_Issuer_Root.pem", 0);
+	      "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
+    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
+	      "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "D1_Issuer_ICA.pem", 0);
+	      "D1.ors", "D1_Issuer_ICA.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "D2_Issuer_Root.pem", 0);
+	      "D2.ors", "D2_Issuer_Root.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "D3_Issuer_Root.pem", 0);
+	      "D3.ors", "D3_Issuer_Root.pem", "", 0);
 };
 
 subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", 1);
+	      "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ISOP_ND2.ors", "ND2_Issuer_Root.pem", 1);
+	      "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ISOP_ND3.ors", "ND3_Issuer_Root.pem", 1);
+	      "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "ISOP_D1.ors", "D1_Issuer_ICA.pem", 1);
+	      "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "ISOP_D2.ors", "D2_Issuer_Root.pem", 1);
+	      "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "ISOP_D3.ors", "D3_Issuer_Root.pem", 1);
+	      "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "WRID_ND1.ors", "ND1_Issuer_ICA.pem", 1);
+	      "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "WRID_ND2.ors", "ND2_Issuer_Root.pem", 1);
+	      "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "WRID_ND3.ors", "ND3_Issuer_Root.pem", 1);
+	      "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WRID_D1.ors", "D1_Issuer_ICA.pem", 1);
+	      "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WRID_D2.ors", "D2_Issuer_Root.pem", 1);
+	      "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WRID_D3.ors", "D3_Issuer_Root.pem", 1);
+	      "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "WINH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
+	      "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "WINH_ND2.ors", "ND2_Issuer_Root.pem", 1);
+	      "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "WINH_ND3.ors", "ND3_Issuer_Root.pem", 1);
+	      "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WINH_D1.ors", "D1_Issuer_ICA.pem", 1);
+	      "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WINH_D2.ors", "D2_Issuer_Root.pem", 1);
+	      "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WINH_D3.ors", "D3_Issuer_Root.pem", 1);
+	      "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
+	      "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "WIKH_ND2.ors", "ND2_Issuer_Root.pem", 1);
+	      "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "WIKH_ND3.ors", "ND3_Issuer_Root.pem", 1);
+	      "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WIKH_D1.ors", "D1_Issuer_ICA.pem", 1);
+	      "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WIKH_D2.ors", "D2_Issuer_Root.pem", 1);
+	      "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WIKH_D3.ors", "D3_Issuer_Root.pem", 1);
+	      "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
     plan tests => 3;
 
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
+	      "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WKDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
+	      "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WKDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
+	      "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
     plan tests => 3;
 
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
+	      "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "ISDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
+	      "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "ISDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
+	      "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", 1);
+	      "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", 1);
+	      "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", 1);
+	      "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "WSNIC_D1_Issuer_ICA.pem", 1);
+	      "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "WSNIC_D2_Issuer_Root.pem", 1);
+	      "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "WSNIC_D3_Issuer_Root.pem", 1);
+	      "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", 1);
+	      "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "WKIC_ND2_Issuer_Root.pem", 1);
+	      "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "WKIC_ND3_Issuer_Root.pem", 1);
+	      "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "WKIC_D1_Issuer_ICA.pem", 1);
+	      "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "WKIC_D2_Issuer_Root.pem", 1);
+	      "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "WKIC_D3_Issuer_Root.pem", 1);
+	      "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
@@ -192,15 +198,15 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
 
     # Expect success, because we're explicitly trusting the issuer certificate.
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", 0);
+	      "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "ISIC_ND2_Issuer_Root.pem", 0);
+	      "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "ISIC_ND3_Issuer_Root.pem", 0);
+	      "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "ISIC_D1_Issuer_ICA.pem", 0);
+	      "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "ISIC_D2_Issuer_Root.pem", 0);
+	      "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "ISIC_D3_Issuer_Root.pem", 0);
+	      "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
 };