WIP: NATS Server + OCSP Support

Signed-off-by: Waldemar Quevedo <wally@synadia.com>
Signed-off-by: Jaime Piña <jaime@synadia.com>

test/configs/certs/ocsp/ca-cert.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFwzCCA6ugAwIBAgIUZJ9yFGOXo3achtjB4vd5tymGqDQwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCkV4YW1wbGUgQ0ExCzAJBgNVBAsMAklU
+MRMwEQYDVQQDDApjYS5leGFtcGxlMB4XDTIxMDQyOTIyMjcwNFoXDTIxMDUyOTIy
+MjcwNFowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV
+BAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCkV4YW1wbGUgQ0ExCzAJBgNVBAsM
+AklUMRMwEQYDVQQDDApjYS5leGFtcGxlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEA3kFicIr/uXUvFgl1rieNkKGqB6+pqPskySDtPxMeIIbiIfxly2iH
+lgMppFvrDzu4wgp2/nxNtjEWEHuoPzadM9eVllOaE52fax5NvFKQFxr1bCUmMO8P
+RPEZRmiJ3vD+j7YZXjKGzqcEZeD5CEWnM+0wqJFIJ/XqDynejmwfFWA1HmeAQluS
+BltNnFJhqUaEVS2JwWONcPBJ3RL9lAJEQHXzMTviE4fh+U7+z5FaEJyfFOXyYsG0
+H4ou0xwhIzy4lI4KWKMjkcvNQ6Q121pI6XLULbFSDqiydupVVa+gKdhtP2ktOh6R
++dRMgQ0+X0AziIWTfhCkpfDFF5idZcOoE1NCTwjM5q2u/OnXqn4I2gp9f24w+374
+lT7vKTT9IHDxSR3Q1DdwnrpleVTv/WxhwX/5jTnuqnqTFiDR7wYUiAbA/jGZ2UIW
+enyOuSfzfD7MB1A4tqVxQF3YihakcDUY1e66aJt+2rhU+yfxFWIv7RAuCTN4Qwqr
++OWMM/A2SPVZ63Ro3dCoLCQ3FRtG8FlM0C+R71ySgJRy/MKDc0JSDnmgYWJLtJn7
+6mjLEGgkmnUvr9Csu6G9jDvZb1t+1wth4PUwTvH+NFCGE0xgUQ+zw8DwcFdjAeCg
+OA7PSkefLQGjNQeMPWprybxyGhtGdOmirBUEahZWJqUUdSuVhgDyQYMCAwEAAaNT
+MFEwHQYDVR0OBBYEFLJ9bEoxnCpbhX1NjUcUmbA+crW0MB8GA1UdIwQYMBaAFLJ9
+bEoxnCpbhX1NjUcUmbA+crW0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBACg5bwGvh3fsjgQIuFi5z0c7Wm5VWrDdcugdsUNfv5A+DXYiI3ALQuFi
+XqbmxyFbzANhyPMwa/Xz1hVZkff4FB18gnjmb1lu14mFxDKlbSZ6XE1t9PFD6A4J
+My3rk0Y9saSu8HK/Sg3Am5Nk6fuuHMCF6gcTps0bM4B2/ZMlRMgeKGHo+HIYTP1j
+TGcHeO3tU69NobmnNphNWllzC2AQYbbau1m40Q42R4jIQPmF2qOarkWNVDtCzkFR
+5X/9sIvXm5BqmdgJfougsld9dnZfEv5r4r6l6RgtsKSeO6nmHG3SLZQr1ptnx8+l
+BLEFd6XriA4q5n8mN2Q3x5pchSE98WexWMhSD3hWJFXox/ZRHaQDg3qrCSCxC0fq
+/X/8jYC3GHA967jgHofeZFgsxx8gGGvTQmd+kzW9zfxjqcYzqhUBr4eIARG7d7Fn
+tqYkk1U05EH1lRNbWauRjdr/Xt37a72H5pxmgQbCaBpxBMHJeOE3x2TMhgL+vk5F
+LEWbgCqyUNpX82O1Rl/1ZElFqfk84/4QFlt/CQFp29VxaFKhu4bZp4AUa51HzuyV
+WbDaBuSIvzTmESie+jHVC3jjpcYwzzd7Hc3h0bPIipk4uooeH0LUrGuoJEF58/m0
+0ISQPyOWt43gqrKmGAafiOyvXCMYC+s5C5WjbVXrnyQlpABHPOjr
+-----END CERTIFICATE-----

test/configs/certs/ocsp/ca-key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEA3kFicIr/uXUvFgl1rieNkKGqB6+pqPskySDtPxMeIIbiIfxl
+y2iHlgMppFvrDzu4wgp2/nxNtjEWEHuoPzadM9eVllOaE52fax5NvFKQFxr1bCUm
+MO8PRPEZRmiJ3vD+j7YZXjKGzqcEZeD5CEWnM+0wqJFIJ/XqDynejmwfFWA1HmeA
+QluSBltNnFJhqUaEVS2JwWONcPBJ3RL9lAJEQHXzMTviE4fh+U7+z5FaEJyfFOXy
+YsG0H4ou0xwhIzy4lI4KWKMjkcvNQ6Q121pI6XLULbFSDqiydupVVa+gKdhtP2kt
+Oh6R+dRMgQ0+X0AziIWTfhCkpfDFF5idZcOoE1NCTwjM5q2u/OnXqn4I2gp9f24w
++374lT7vKTT9IHDxSR3Q1DdwnrpleVTv/WxhwX/5jTnuqnqTFiDR7wYUiAbA/jGZ
+2UIWenyOuSfzfD7MB1A4tqVxQF3YihakcDUY1e66aJt+2rhU+yfxFWIv7RAuCTN4
+Qwqr+OWMM/A2SPVZ63Ro3dCoLCQ3FRtG8FlM0C+R71ySgJRy/MKDc0JSDnmgYWJL
+tJn76mjLEGgkmnUvr9Csu6G9jDvZb1t+1wth4PUwTvH+NFCGE0xgUQ+zw8DwcFdj
+AeCgOA7PSkefLQGjNQeMPWprybxyGhtGdOmirBUEahZWJqUUdSuVhgDyQYMCAwEA
+AQKCAgBmhbS6A3RZAVQ6Dx0Iu9gSinBbYU2a1FawrI6j1NbF3FJ9qObwAITizwyr
+c3cnrL3aTGd9lqtmSphJ/DCtEC1N17l6AZCGUeRSzkS/hTpQXjAttak7U1swyyKE
+lv5aJ8LVWgOzrwz+UI63zCI0DaVGT7htWa72N/rDCeZOvlNMUffO0aGZepIOepl/
+bYT9R7kNbZco7Ro2qbD42KS+XJlNPttyr5PmvHyhuy3RY9Qu64B6bGP16DKFhgF5
+gnVKwtzGMgtVvdNPkrpZ5Gqvh6MwhLaZaT1X47uHHStF/mCcTOiAIq0pLSbbHnI3
+6XsHBx9+b1eNBHJe1YSlENIyOiHSA+BXbiO5UkJ7D6Z7ALI56EE4nuyf0Kx04klC
+HQTENbEjpX+UiOUxrB1qSUCfCykom9U0S4lFf3EZalsbz3cU8tX1GrZoEwLFzDOl
+VWqAsZk1DF0dYT/LLFWGCs2cbK0if7GMAVQhpqx/rcjdUt9aT8xgrgm4opYCXVUo
+2kR6ZtXWQfvJIcflzaJUG4wtls7AI4ZVFXParMxZn7pQ6EAUG2UwP+s4XPURM3d8
+1DkIkdEOfk1BJRka/j7SjQ9SLNJ2w+0AeUHs+WjYIw+26Ok1APdN41k25ij2PKZ6
+HvgaW7+5cjB579KP2uBwfT3KT7JKzY49lh/TQkXidF5N2GWaiQKCAQEA/G2WRe6A
+X4drx/UuH75IDwxJtBQPveZ/xqKqE9mqJLf7s/jdEdPs2YlQ41KY19j2HlpEwC2B
+Gik2RN79Z146tjQ44Mv7gy7xmvjTc5GjEWsV6VrjZOb3qUJoeVxyT3KNWOupSz5y
+pXbk8VVVbBoqtJG6OiKd393sRn/diW6eU3eYuOdm4ymi5WNwhJPk3I49VT2K+MCF
+CBgLApuBwIkR67ivvAa0jt/I0OI11tEyr3tOymAeKneW1IDftC+WyQc4p6Q+1MSi
+bTLH7QVWF6BThJP1aqtOWmE4qCMOSEjjlZZW1/FvA22eSjLxqxpjxMd2dfxrd9GV
+KmbhH3No7/F0VQKCAQEA4WZ/eoy0JPv0DlGZXJiBe3ID8Q+CdX2DqM2U1Lb1Qatq
+gSm1PnFkeh+4xwRFCcyeHofidCtThmEty8U7QQNgGyrntR8rpiLuiGdnGNui0/TB
+1N25yzijopX1cR1I+0W8ppulC+D2Ydth6FMMz8/RwpXtjZdV0XgZJIs2wszgkln8
+SpMLHXugaOMF8qKswSN9ITiJCrPCP1Q1Zp5bwqAs9EG/PWvxVS94mVFj7FV9guCW
+pnWJrEPDvDK6LnZFKTlJvGwb+/nCtDOnIkjVWSumRyWkTYqSkDKDJJ2G9BkTjrwq
+PSvbE5pbzdXjNsOqzXFyX3PAFmOh6j6SaTEKgb52dwKCAQAc7B18s8AHsgd6aLA5
+ON8ewkSrmmTXWFKpmresAJOLE32GeGwz/7kyj5YyBaO3j4dboPIhptUU/0XVjEsy
+jcxiVgdyUkzmEfnizMHFixlJBKEFFMHbLM+RmCdKSHpcef6SAqZqFaSjKsU+lY1t
+Dm54M/5HbPHz1YSd60ah2YfQfnKENRdHzdx5NfSNbDibwLxsSNnkeIKFk+OnD9RF
+EC96d7XC8G29tQxYSqLqkxugmZtEetDaAsvIW1/GUHGRZP9rzdjZHhKSOnBHywW7
+PUZ0eVN0Pl6C4oLQWPvo8lkJKamXonUaynOJgt7HwQVPZZ9AE4TovJ2/tvvyU5Hh
+dCPlAoIBAQDTKIa8dBw/mZnl4CPgTy7eSs3Og00gbFlvRkjrjgrtXn0ES+JzgR80
+GYutRh63M23eBEbttbkl5txUTY1ZNqROTz+KuozVs1vrhZNcAkbkciM0HBP2gjUq
+F3o8YccBPy+gladlHXcz7aYnU8Zo2LQVqwdE4kWPWweS6KiAjhbEhHCKHH8JO8vm
+9ueXizZ0KZ8MBD6+O/D6CxWL8UbdadkzanSSQhFwUGyWlV0bBmvytBvuDabQLxur
+r4okBMB+AiFF17HPuQficZFd2QWl5/J6LJVj3zG2zNt27eyDuQpNaZHYhMFT+AOR
+LZMStvPIS0NukK2fS+9f1waqbTr+mUO5AoIBAQDLxgVGhByPCCcK4D3L9ndQfuRK
+wSil2QLAQ79hqoeFtRMHoqQLlSeaXD90hf5kPmhLr+QWWTFRErDywGcq7+e+fk3+
+lQ8CyGFFiwS19Z9AHLNAAsXtbpaw0dKrEJNZpDbaPIVJRw9S+U6Uw4+/CxmaBk5/
+x12IqzOgyYXjOFmAIC4QwzpiV/snSg/bY4B7njZ650HIMmSjxYZq4Hx8q5BijeRU
+xD4CE98PY9k5xvLczYxIuiobIqLN1es/IBglPGSs6ach/v8a7Fu+jQPMuvqhb3ud
+p6OKVeCDXIwzJKaEomZDpmioZlxnmNIRsS41pjrCPFwn/45XDiKrlvd6NGTI
+-----END RSA PRIVATE KEY-----

test/configs/certs/ocsp/client-cert.pem

@@ -0,0 +1,126 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=San Francisco, O=Example CA, OU=IT, CN=ca.example
+        Validity
+            Not Before: Apr 29 22:27:06 2021 GMT
+            Not After : Jul 28 22:27:06 2021 GMT
+        Subject: C=US, ST=California, L=San Francisco, O=Example Widgets Ltd, OU=IT, CN=NATS Client
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:a6:48:c5:e0:d0:74:d0:bd:d3:22:6f:a5:19:20:
+                    9c:a2:7b:d8:cd:7a:69:1a:5f:8f:61:b6:a3:59:92:
+                    90:a6:32:2a:66:31:ff:a5:10:69:ae:6b:b7:5f:d9:
+                    f1:00:f4:6f:af:8f:f4:31:24:33:bb:a7:ed:4a:ca:
+                    43:c3:d9:69:24:c0:04:85:53:df:e9:63:93:82:65:
+                    33:90:c4:3a:3f:ee:7c:f3:67:71:97:21:ac:97:0c:
+                    db:b3:ac:89:6f:ee:f7:d2:cb:aa:92:57:99:3d:f0:
+                    6f:84:a9:f7:fa:52:b4:53:46:df:8d:95:6a:1c:18:
+                    30:f3:df:a2:46:b5:db:ff:f5:ce:1c:52:b8:05:0d:
+                    22:f5:40:18:1d:5b:c7:98:7d:eb:58:da:74:b8:05:
+                    05:8b:3a:aa:5f:8d:98:dc:7e:5b:fc:eb:b9:44:0a:
+                    93:ff:b5:ff:31:8b:2c:cd:cd:29:37:58:4f:bf:ce:
+                    ac:0f:b3:bc:c4:89:71:b4:61:a7:f8:00:bd:c2:10:
+                    f8:97:3b:ec:e7:b1:00:4a:25:68:f8:2e:00:15:74:
+                    bb:7c:0d:eb:c5:2e:87:f2:75:96:07:c4:22:fa:a3:
+                    a7:9e:f1:89:e3:d0:54:ae:c1:a0:ed:1f:a6:ed:fc:
+                    c8:36:08:97:bb:7f:c4:26:4a:7d:a2:17:86:86:6b:
+                    18:4c:48:bf:ec:12:c7:98:19:09:61:8e:2b:cd:2f:
+                    ca:ae:a3:21:8a:c8:e4:eb:36:fe:e7:69:32:e0:28:
+                    31:0f:b1:a9:ec:d2:ce:87:bc:5c:99:b8:ec:19:d7:
+                    03:53:38:1a:95:46:0b:2b:3e:6e:fe:48:70:10:b9:
+                    b6:cd:8f:f0:e3:8a:41:ce:cb:9b:96:15:c6:6c:09:
+                    bd:9e:ef:9f:50:3b:ea:78:2f:40:a6:0d:1d:f9:98:
+                    c5:90:ed:2e:ac:47:44:32:22:d7:2d:de:6d:31:07:
+                    c0:ef:94:d5:b7:4d:0d:8a:07:86:02:16:5c:57:c5:
+                    d2:ce:d3:57:45:66:0f:bb:b5:f0:89:e6:54:c6:27:
+                    01:fa:b4:41:85:92:ed:be:68:59:b2:91:ed:7c:49:
+                    68:04:dc:f2:da:70:05:6c:2d:60:79:0c:7f:2b:70:
+                    1f:50:0c:e6:99:5d:75:1a:d9:b0:2a:a2:d5:44:69:
+                    9d:9a:e0:e7:c4:10:36:4f:e0:04:a8:de:8b:b5:12:
+                    9b:d4:3f:33:4c:5d:cb:0d:dc:1e:44:b5:94:13:9b:
+                    7a:4c:69:92:bc:9f:20:cb:58:be:66:3f:45:1f:37:
+                    61:63:e7:ab:d7:81:ef:b4:14:7c:0f:56:bc:a1:f9:
+                    b9:8d:46:46:96:a9:0a:b6:42:28:70:e0:20:71:ef:
+                    0c:ca:69
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888
+
+            TLS Feature: 
+                status_request
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, DNS:client.localhost
+    Signature Algorithm: sha256WithRSAEncryption
+         0c:71:0f:85:e8:22:48:59:e1:29:52:e2:06:f6:87:94:38:df:
+         96:5e:46:25:2a:a1:37:cd:8c:62:79:a5:a5:db:6f:4a:a8:7f:
+         e4:f9:7f:e4:80:d3:2c:8a:86:8d:2c:97:6b:d2:b5:21:75:a1:
+         1d:de:69:7a:e7:cb:2c:14:cf:ba:e7:e7:01:b6:f4:52:f7:d7:
+         ae:85:fa:66:b2:25:df:6a:ef:98:30:3c:fc:30:4b:62:30:a9:
+         37:b6:45:9e:5d:b7:b0:45:b2:88:e3:2a:c0:91:eb:2d:35:1f:
+         d6:80:45:6f:88:1b:63:13:b4:85:59:69:67:a3:5d:18:da:a3:
+         ec:65:30:6e:3a:a7:76:c6:e5:a3:0d:ea:53:6d:e6:1d:99:d2:
+         d1:26:0f:a5:b3:5c:e4:a6:96:62:51:f6:67:70:c1:9c:c5:09:
+         e9:e1:e0:0c:b4:ed:be:9b:3b:4e:8b:c9:65:55:09:28:87:50:
+         29:e6:28:66:2c:9e:66:cf:d0:c4:47:85:b0:00:51:1b:8b:4f:
+         56:b5:69:f3:8c:30:13:e8:13:d3:d1:3a:15:2e:36:16:cd:4c:
+         40:4c:16:99:a2:f6:96:f1:b7:4a:05:ff:54:37:05:06:9b:06:
+         50:50:66:ae:b4:b1:81:17:c6:54:84:d4:d3:88:1c:4a:99:4d:
+         10:ff:38:c7:8b:7f:e8:5e:d0:5d:d3:4c:3e:a6:7e:13:cf:87:
+         49:d0:fa:50:8a:10:5b:c9:89:50:3f:d8:ca:8f:11:5f:f6:62:
+         03:7d:06:2a:59:b2:f7:0f:b6:5d:40:5e:5e:67:f8:68:45:f2:
+         d4:d8:67:b1:6d:3d:06:89:ac:c8:45:47:97:77:2f:9d:95:d7:
+         e2:c3:61:ad:07:df:b9:fd:3d:b3:f1:d1:19:88:07:03:c6:7d:
+         37:f0:34:18:1c:f5:85:c3:d4:03:70:19:c3:8a:bd:76:d9:7e:
+         e4:49:f7:62:b7:f3:81:b4:c9:a3:e6:28:e6:7c:43:d8:7d:30:
+         37:1d:1b:15:72:52:ae:6c:94:6e:2d:83:74:49:91:59:e1:aa:
+         04:96:68:29:a1:ca:8b:23:c9:7d:93:1a:5b:d7:bb:4a:32:98:
+         13:c9:64:5a:cc:3d:ca:dc:66:fe:11:2c:b4:98:32:1f:45:f4:
+         79:76:b7:f0:60:4d:fa:ae:b3:b9:37:00:29:c4:8f:51:51:32:
+         94:6a:6c:fc:b7:37:4d:46:40:9c:67:92:4b:63:dc:84:bd:6d:
+         17:e5:ca:ae:b9:cb:6f:20:ab:e3:e5:12:5f:0a:2c:91:a6:43:
+         b5:2b:c1:a8:d1:41:42:a8:23:e6:57:d4:46:e4:84:1a:58:11:
+         b9:10:f4:65:19:dd:57:bf
+-----BEGIN CERTIFICATE-----
+MIIF8TCCA9mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEG
+A1UECgwKRXhhbXBsZSBDQTELMAkGA1UECwwCSVQxEzARBgNVBAMMCmNhLmV4YW1w
+bGUwHhcNMjEwNDI5MjIyNzA2WhcNMjEwNzI4MjIyNzA2WjB7MQswCQYDVQQGEwJV
+UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEc
+MBoGA1UECgwTRXhhbXBsZSBXaWRnZXRzIEx0ZDELMAkGA1UECwwCSVQxFDASBgNV
+BAMMC05BVFMgQ2xpZW50MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+pkjF4NB00L3TIm+lGSCconvYzXppGl+PYbajWZKQpjIqZjH/pRBprmu3X9nxAPRv
+r4/0MSQzu6ftSspDw9lpJMAEhVPf6WOTgmUzkMQ6P+5882dxlyGslwzbs6yJb+73
+0suqkleZPfBvhKn3+lK0U0bfjZVqHBgw89+iRrXb//XOHFK4BQ0i9UAYHVvHmH3r
+WNp0uAUFizqqX42Y3H5b/Ou5RAqT/7X/MYsszc0pN1hPv86sD7O8xIlxtGGn+AC9
+whD4lzvs57EASiVo+C4AFXS7fA3rxS6H8nWWB8Qi+qOnnvGJ49BUrsGg7R+m7fzI
+NgiXu3/EJkp9oheGhmsYTEi/7BLHmBkJYY4rzS/KrqMhisjk6zb+52ky4CgxD7Gp
+7NLOh7xcmbjsGdcDUzgalUYLKz5u/khwELm2zY/w44pBzsublhXGbAm9nu+fUDvq
+eC9Apg0d+ZjFkO0urEdEMiLXLd5tMQfA75TVt00NigeGAhZcV8XSztNXRWYPu7Xw
+ieZUxicB+rRBhZLtvmhZspHtfEloBNzy2nAFbC1geQx/K3AfUAzmmV11GtmwKqLV
+RGmdmuDnxBA2T+AEqN6LtRKb1D8zTF3LDdweRLWUE5t6TGmSvJ8gy1i+Zj9FHzdh
+Y+er14HvtBR8D1a8ofm5jUZGlqkKtkIocOAgce8MymkCAwEAAaOBiTCBhjAJBgNV
+HRMEAjAAMAsGA1UdDwQEAwIF4DAxBggrBgEFBQcBAQQlMCMwIQYIKwYBBQUHMAGG
+FWh0dHA6Ly8xMjcuMC4wLjE6ODg4ODARBggrBgEFBQcBGAQFMAMCAQUwJgYDVR0R
+BB8wHYIJbG9jYWxob3N0ghBjbGllbnQubG9jYWxob3N0MA0GCSqGSIb3DQEBCwUA
+A4ICAQAMcQ+F6CJIWeEpUuIG9oeUON+WXkYlKqE3zYxieaWl229KqH/k+X/kgNMs
+ioaNLJdr0rUhdaEd3ml658ssFM+65+cBtvRS99euhfpmsiXfau+YMDz8MEtiMKk3
+tkWeXbewRbKI4yrAkestNR/WgEVviBtjE7SFWWlno10Y2qPsZTBuOqd2xuWjDepT
+beYdmdLRJg+ls1zkppZiUfZncMGcxQnp4eAMtO2+mztOi8llVQkoh1Ap5ihmLJ5m
+z9DER4WwAFEbi09WtWnzjDAT6BPT0ToVLjYWzUxATBaZovaW8bdKBf9UNwUGmwZQ
+UGautLGBF8ZUhNTTiBxKmU0Q/zjHi3/oXtBd00w+pn4Tz4dJ0PpQihBbyYlQP9jK
+jxFf9mIDfQYqWbL3D7ZdQF5eZ/hoRfLU2GexbT0GiazIRUeXdy+dldfiw2GtB9+5
+/T2z8dEZiAcDxn038DQYHPWFw9QDcBnDir122X7kSfdit/OBtMmj5ijmfEPYfTA3
+HRsVclKubJRuLYN0SZFZ4aoElmgpocqLI8l9kxpb17tKMpgTyWRazD3K3Gb+ESy0
+mDIfRfR5drfwYE36rrO5NwApxI9RUTKUamz8tzdNRkCcZ5JLY9yEvW0X5cquuctv
+IKvj5RJfCiyRpkO1K8Go0UFCqCPmV9RG5IQaWBG5EPRlGd1Xvw==
+-----END CERTIFICATE-----

test/configs/certs/ocsp/client-key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEApkjF4NB00L3TIm+lGSCconvYzXppGl+PYbajWZKQpjIqZjH/
+pRBprmu3X9nxAPRvr4/0MSQzu6ftSspDw9lpJMAEhVPf6WOTgmUzkMQ6P+5882dx
+lyGslwzbs6yJb+730suqkleZPfBvhKn3+lK0U0bfjZVqHBgw89+iRrXb//XOHFK4
+BQ0i9UAYHVvHmH3rWNp0uAUFizqqX42Y3H5b/Ou5RAqT/7X/MYsszc0pN1hPv86s
+D7O8xIlxtGGn+AC9whD4lzvs57EASiVo+C4AFXS7fA3rxS6H8nWWB8Qi+qOnnvGJ
+49BUrsGg7R+m7fzINgiXu3/EJkp9oheGhmsYTEi/7BLHmBkJYY4rzS/KrqMhisjk
+6zb+52ky4CgxD7Gp7NLOh7xcmbjsGdcDUzgalUYLKz5u/khwELm2zY/w44pBzsub
+lhXGbAm9nu+fUDvqeC9Apg0d+ZjFkO0urEdEMiLXLd5tMQfA75TVt00NigeGAhZc
+V8XSztNXRWYPu7XwieZUxicB+rRBhZLtvmhZspHtfEloBNzy2nAFbC1geQx/K3Af
+UAzmmV11GtmwKqLVRGmdmuDnxBA2T+AEqN6LtRKb1D8zTF3LDdweRLWUE5t6TGmS
+vJ8gy1i+Zj9FHzdhY+er14HvtBR8D1a8ofm5jUZGlqkKtkIocOAgce8MymkCAwEA
+AQKCAgBFFuuQ00wWBykYn8a7P/+Uy1xzU68j1Byg/t+0Md+EDkfrmk6b6MvgOsVA
+QC+Qs/9LtMZDPMV57PX9IzkwwL6dFGNMemMId+UsQpxARCfntFGaWJqrrsQlJqSK
+bN/V8DZsEU9X6qmzQJk1R+HO0lo2V7Y+/5vM/Igqa/ri4mD8Ysc2oW/wOVsTB4R9
+fkraI0eL7YidhQiepstvVEf1JVNXLSIXEUYY8yeLEEaXY+0CH+FS0q5O/+Eoz+q8
+he7ibnxpi9+eBroSMkrqg8yvgX1rbMsRaj9R+Fln9k9V/rqB5UmaEsW2MDNfQPh6
+TbJwI52URdG1iAqZ1k2I8bllVE4NiG7rc//iTqjwRoIBKZHYs4dLlFbL0NELzvnK
+iJ5FKNhyYNPBcdUmc4WZh15zL3yKEuMlIsvrBF1Z2zE95JozllPMlqDFbQ/ZBZvN
+mtEo4TUc6YexD5xWF9Cz2LNErB/XGjFBZuzmlwAmz8yFLnm1aWFr84ZBpinOilyJ
+PoZvkqVWhaI6VqmB49wcYW/ARIc8hg4H59RfNs8bkdz15hCcPJb1Ibr08uRZyIsL
+j3lg1FYNGSw+Q5YFZVQcFk/s9O4/i8X4Ums4wR7JQ3oDtGQYkTZJGUVL1Zroab8I
+PBAmiUT/BfXxmBeVZnTKRVoaTcoiGbAqzhXdpeeO+6GY5Lf2AQKCAQEA2GbyzT71
+gKIdU3dGN3bHBfI9uDsXZFCGZcClRJ/lLuFI/+cYgrCrCJqyPnk6T/4aL1UYLKTt
+4JrMRwdrguqk5nqbGqBFs9NcM23WR6pvbVI45DKxMnrviB+xFJIg4XSCr9iU0fDp
+oBVwS2CGxAExhESmeqVL2UfjiGSlrBvvZLHB+jzbSwsk7+2j1ndkSsJy1PwL8/SI
+FOZZS8F7nkI2BJfkLQjddeUXCxvbAIbyvLzpzKmEojvaBZWJVBclnPYY21EasrCG
+5vDQSFUGrrkkBFVPnXSaoGiDwvH6r1VGM8iI40bbd7umwrs0tcMG+HRyk3IduEOO
+Af9huu06iP4RyQKCAQEAxLYfsiUXHHGUmP+g8NDiZIgwsfNAOYY6p9Lv+Yo629s0
+oYbSu8gFZW0NvzxcgNlSRfOAw/k0VcdoWzCpKhyGMr3UW29dQ5vMHVdBg7w1mqlW
+fWJIC03djrHCzSs+q1IDx4dMRnhtzRqfnAIgR8Z+lAAxkzum0UPRs1l6mYVBbgYU
+XYE7a7tWeluDccbBal4FroQjeCPA99LeztuuMcHv8uiFn9wdbvZouQELZwTtFc7v
+MzZ3TnHESqf7h2VszC/wZVgvy8SIUHr2k1KkWQZ5Yj6EzVYPin4o99KbQS/sB3TA
+XVdk8LbnyeHwqhJyfGfCRU0bQz2eCJFoA9HU8bxDoQKCAQB6/Fc1anigOIIuM3VG
+hEysBnYpQ/wRWOpo3cmPbMgVkpeoSDBX5gvuAe0XMFKBr8o16Eiq5rkCkzdRjtf9
+OVmqWzfXNAspHhAicmP7qtNU8AvBNUYbiF6loE1FgZ8KQusbAR3jCuXbwxNk42Dz
++DGqGFH9FgA7Zm3b0EePvviY46V4kCmZRqYhbY9VjdkD2+rjPLOWW/0S068gLMAS
+u1Jz3dch+Q3TuPUVrSkT7Z36weqmFBl7EkTgM5IuplEMGZka28cuksC4c1gMI7Z+
+il370HhE5kYSsBNiMZ/lEbOqLmgNsvF75Lvro/Va75IAlj2fqpVVaZ9FZ1ylnblM
+rghxAoIBACdNVAvdyT5PmybufBNhSLpZU5FaToyvuuxpArVS3uuqYlubemM2VY2s
+OkDpKHo98Wg0fJerJL+2tazyjfnx9QYSU2lpWLL3X9LE6jwN0I/0IWmvx0Eq74dh
+ENC5QS4tlr+40o6J5TZDiXw8GIL+r6+WUlFea7gH2tAAorQloar/3/XGqj6eEWsk
++aAz29UKsAvsLsIEMrvRD984mRcr7msT9g64hdDzvnyoLsUIgO4IiFYtHa04ocVg
+xqqIozIwqdE1y2bk/29FAhrxOhDncD0mzJXSCgzbpAfPtmFR19CtjPmZSnulr63w
+TItOYD1m5bO+8iF/ICIKG0QYGnmp6cECggEAYSm20YW2HLOevT1CDawT0FJLmMyW
+n8ghIIe3IwAaPoNSBnY8v3CBMJSWQZUVG6w8J9sNDlMlbezREaQmDpX+uU95EVV2
+H1aSMQubutlQPkmHF93ikDA4VhAiw6IxiEugE/cpyiqwD1OEpjFByVwatFmkx6jE
+ies/X8MeYLDJ0pDNjPjliZ69GZx248Tw8YbnW2nPPbumtOC7LFxfe+AKRj0Mo7hz
+r3C7fujv0N+G90ZVKKeFz5W+g/IIL+vpoULbdqNiQrk/JtMs+xZAOub4xwYuIqwl
+b27+5JwI32FhPqn5sEZNiFiRz0Ea7MxjpgzBHDG35KXmkLOPKs52cjpSOA==
+-----END RSA PRIVATE KEY-----

test/configs/certs/ocsp/server-cert.pem

@@ -0,0 +1,126 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=San Francisco, O=Example CA, OU=IT, CN=ca.example
+        Validity
+            Not Before: Apr 29 22:27:06 2021 GMT
+            Not After : Jul 28 22:27:06 2021 GMT
+        Subject: C=US, ST=California, L=San Francisco, O=Example Widgets Ltd, OU=IT, CN=NATS Server
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:b2:95:25:59:11:6a:42:42:f0:31:e7:49:f7:a0:
+                    8f:fc:2f:33:b6:43:4d:3b:98:d6:c3:06:a9:b0:dc:
+                    a9:c0:ee:77:e2:27:8c:8a:cd:be:0d:4d:45:64:d4:
+                    be:17:9e:a9:c0:5f:b2:21:42:5c:2c:a0:09:32:2a:
+                    01:75:1d:e7:05:62:33:31:9d:96:fe:fa:44:c3:0a:
+                    08:50:80:dc:0e:26:dd:c5:c6:5a:c6:66:c7:f6:4c:
+                    db:2e:12:36:a7:a0:1e:63:ba:66:92:e5:d6:af:c0:
+                    fb:da:2c:01:fe:6b:91:1e:1d:2d:e7:19:27:56:69:
+                    3e:90:90:ca:11:6b:9a:e3:22:76:5e:42:d5:63:2b:
+                    3f:1c:77:f2:89:a9:d4:6a:a8:34:ec:6a:52:74:1e:
+                    0e:a8:c7:bd:98:b0:a5:f7:11:90:7f:37:aa:05:d8:
+                    07:6d:55:ff:1f:3a:71:54:a2:76:1d:a5:59:93:92:
+                    b8:77:b9:57:33:fc:61:35:64:76:96:b5:3f:44:88:
+                    b2:05:d6:b9:e7:71:66:b6:a5:ce:05:0a:df:9d:b1:
+                    b2:8a:24:ac:7a:62:8c:39:18:e7:ec:6d:e8:62:37:
+                    4e:2a:78:83:3c:6f:25:48:ef:e5:13:7e:b8:89:9f:
+                    39:57:95:67:99:c6:96:db:52:24:a6:15:18:11:b4:
+                    01:a0:e0:35:8d:d7:95:3b:ba:35:af:33:6d:bd:61:
+                    6c:3e:5d:cb:f6:39:e4:f6:35:28:bb:7a:07:70:25:
+                    14:28:65:0b:10:59:d8:c4:5e:66:df:b0:fb:fe:87:
+                    d2:7e:e7:cf:05:06:a5:da:c1:07:37:2a:ce:64:4b:
+                    af:2d:e5:2c:3f:41:1d:08:bd:49:b7:3b:22:67:00:
+                    a1:45:51:92:70:6e:b6:76:5f:4b:b8:40:bd:e9:4a:
+                    75:33:59:36:3f:9e:3a:69:66:2f:9c:3e:37:8c:62:
+                    f4:41:bc:6f:c7:74:80:52:a1:a9:c5:63:3d:50:2c:
+                    27:54:e9:57:f1:58:41:91:45:26:95:3f:df:3a:92:
+                    12:db:21:e4:08:61:b2:f6:d1:b1:1a:e5:b1:cf:7c:
+                    e9:7d:c7:27:a2:0f:c6:11:a4:8f:c2:6f:6a:51:fe:
+                    76:be:75:29:69:f2:dc:a5:28:d6:e7:b3:ca:ed:f2:
+                    7f:59:cb:5f:75:d0:f6:6a:71:50:81:e2:9f:5b:e7:
+                    88:98:cd:15:e0:d1:61:53:65:04:08:e9:ab:cb:14:
+                    5c:6f:34:9b:ca:30:99:e0:bf:0e:de:4d:9a:bf:8f:
+                    c7:dd:e1:6c:7d:24:b8:89:53:70:4a:16:d0:15:bc:
+                    6d:40:63:3e:df:90:1b:a2:2b:bb:78:e6:47:9e:08:
+                    e3:ea:79
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888
+
+            TLS Feature: 
+                status_request
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, DNS:server.localhost
+    Signature Algorithm: sha256WithRSAEncryption
+         3b:ea:73:11:c9:25:93:5e:00:56:bd:a6:ea:0d:9f:b6:77:10:
+         a6:8a:2a:f0:b9:bc:60:99:d9:aa:7d:c2:a0:cc:37:9e:8a:65:
+         6c:b1:24:9e:75:e1:53:e3:65:12:fa:ca:d4:ad:c6:07:60:a3:
+         9b:f4:c1:64:0c:04:33:28:67:1f:55:3d:1b:eb:05:b5:90:b0:
+         5d:36:ea:47:7c:ab:8c:75:36:f4:76:89:c6:8f:e3:3e:f0:d3:
+         82:d0:55:f5:76:4e:88:74:bc:29:d9:c8:ee:8e:42:56:f1:72:
+         39:1d:5f:b1:ef:00:d4:86:a0:0f:82:39:98:6a:fb:fc:44:e2:
+         e3:e5:0a:5a:ed:36:f9:32:d6:e8:93:a8:a0:e1:7a:ff:4f:23:
+         e6:d1:70:af:6a:95:0f:98:94:d6:f4:bd:e1:aa:89:6c:68:04:
+         c9:ea:eb:39:64:d7:4a:8d:d1:3f:68:36:f6:45:55:d6:0f:6e:
+         3c:f0:19:55:fb:73:01:64:7d:f3:92:8f:4a:29:08:70:f3:f7:
+         75:c8:b8:75:1d:55:7c:e8:36:2d:47:96:52:f3:23:c2:03:10:
+         9b:4f:eb:df:53:11:15:d7:5c:a9:32:59:45:a8:44:23:a8:63:
+         db:a4:4a:14:e1:ea:56:00:b6:e7:9b:7f:29:5b:54:6b:84:79:
+         80:05:1a:e3:1a:b5:a0:0d:bc:e4:15:aa:f9:98:05:05:ac:10:
+         a0:37:13:a4:0f:46:7e:2f:d1:b4:12:a8:e5:18:5f:13:8f:09:
+         06:2d:20:1b:f1:74:5e:2f:c0:a0:80:97:da:7b:94:29:b9:72:
+         be:13:47:91:d6:c2:3a:51:25:e1:e1:a1:da:83:6c:8b:0a:87:
+         b8:fb:a4:91:e2:80:62:cf:c7:b7:ad:69:40:bd:de:df:b0:73:
+         de:eb:82:69:a9:16:04:75:2f:76:8c:49:ea:d1:e0:61:e8:91:
+         8e:a4:fd:5e:90:7c:2f:46:99:ed:bc:2e:61:a8:ba:9f:ff:52:
+         c0:3d:11:2c:cd:96:e3:f7:d1:9a:52:b7:8f:56:cd:23:6e:a5:
+         31:f4:32:f3:dd:26:41:1f:bb:94:93:54:c0:7d:c1:4b:fc:0a:
+         5b:5a:53:83:cc:da:9a:92:48:3b:ab:ff:bb:ad:9b:af:8b:cd:
+         84:20:b9:57:75:a0:19:0a:07:7b:8c:7b:39:34:db:d8:dc:15:
+         22:08:69:20:2b:a8:29:e2:9f:f3:f8:e1:c9:87:a8:02:d2:20:
+         a4:65:26:91:6f:e9:e5:37:9c:c8:f8:61:47:12:52:8b:0d:0d:
+         c1:67:57:ba:eb:f3:d1:09:58:af:38:c5:69:fe:0d:06:2b:3c:
+         73:31:35:a7:05:2e:c2:7e
+-----BEGIN CERTIFICATE-----
+MIIF8TCCA9mgAwIBAgIBATANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEG
+A1UECgwKRXhhbXBsZSBDQTELMAkGA1UECwwCSVQxEzARBgNVBAMMCmNhLmV4YW1w
+bGUwHhcNMjEwNDI5MjIyNzA2WhcNMjEwNzI4MjIyNzA2WjB7MQswCQYDVQQGEwJV
+UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEc
+MBoGA1UECgwTRXhhbXBsZSBXaWRnZXRzIEx0ZDELMAkGA1UECwwCSVQxFDASBgNV
+BAMMC05BVFMgU2VydmVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+spUlWRFqQkLwMedJ96CP/C8ztkNNO5jWwwapsNypwO534ieMis2+DU1FZNS+F56p
+wF+yIUJcLKAJMioBdR3nBWIzMZ2W/vpEwwoIUIDcDibdxcZaxmbH9kzbLhI2p6Ae
+Y7pmkuXWr8D72iwB/muRHh0t5xknVmk+kJDKEWua4yJ2XkLVYys/HHfyianUaqg0
+7GpSdB4OqMe9mLCl9xGQfzeqBdgHbVX/HzpxVKJ2HaVZk5K4d7lXM/xhNWR2lrU/
+RIiyBda553FmtqXOBQrfnbGyiiSsemKMORjn7G3oYjdOKniDPG8lSO/lE364iZ85
+V5VnmcaW21IkphUYEbQBoOA1jdeVO7o1rzNtvWFsPl3L9jnk9jUou3oHcCUUKGUL
+EFnYxF5m37D7/ofSfufPBQal2sEHNyrOZEuvLeUsP0EdCL1JtzsiZwChRVGScG62
+dl9LuEC96Up1M1k2P546aWYvnD43jGL0Qbxvx3SAUqGpxWM9UCwnVOlX8VhBkUUm
+lT/fOpIS2yHkCGGy9tGxGuWxz3zpfccnog/GEaSPwm9qUf52vnUpafLcpSjW57PK
+7fJ/WctfddD2anFQgeKfW+eImM0V4NFhU2UECOmryxRcbzSbyjCZ4L8O3k2av4/H
+3eFsfSS4iVNwShbQFbxtQGM+35Aboiu7eOZHngjj6nkCAwEAAaOBiTCBhjAJBgNV
+HRMEAjAAMAsGA1UdDwQEAwIF4DAxBggrBgEFBQcBAQQlMCMwIQYIKwYBBQUHMAGG
+FWh0dHA6Ly8xMjcuMC4wLjE6ODg4ODARBggrBgEFBQcBGAQFMAMCAQUwJgYDVR0R
+BB8wHYIJbG9jYWxob3N0ghBzZXJ2ZXIubG9jYWxob3N0MA0GCSqGSIb3DQEBCwUA
+A4ICAQA76nMRySWTXgBWvabqDZ+2dxCmiirwubxgmdmqfcKgzDeeimVssSSedeFT
+42US+srUrcYHYKOb9MFkDAQzKGcfVT0b6wW1kLBdNupHfKuMdTb0donGj+M+8NOC
+0FX1dk6IdLwp2cjujkJW8XI5HV+x7wDUhqAPgjmYavv8ROLj5Qpa7Tb5Mtbok6ig
+4Xr/TyPm0XCvapUPmJTW9L3hqolsaATJ6us5ZNdKjdE/aDb2RVXWD2488BlV+3MB
+ZH3zko9KKQhw8/d1yLh1HVV86DYtR5ZS8yPCAxCbT+vfUxEV11ypMllFqEQjqGPb
+pEoU4epWALbnm38pW1RrhHmABRrjGrWgDbzkFar5mAUFrBCgNxOkD0Z+L9G0Eqjl
+GF8TjwkGLSAb8XReL8CggJfae5QpuXK+E0eR1sI6USXh4aHag2yLCoe4+6SR4oBi
+z8e3rWlAvd7fsHPe64JpqRYEdS92jEnq0eBh6JGOpP1ekHwvRpntvC5hqLqf/1LA
+PREszZbj99GaUrePVs0jbqUx9DLz3SZBH7uUk1TAfcFL/ApbWlODzNqakkg7q/+7
+rZuvi82EILlXdaAZCgd7jHs5NNvY3BUiCGkgK6gp4p/z+OHJh6gC0iCkZSaRb+nl
+N5zI+GFHElKLDQ3BZ1e66/PRCVivOMVp/g0GKzxzMTWnBS7Cfg==
+-----END CERTIFICATE-----

test/configs/certs/ocsp/server-key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAspUlWRFqQkLwMedJ96CP/C8ztkNNO5jWwwapsNypwO534ieM
+is2+DU1FZNS+F56pwF+yIUJcLKAJMioBdR3nBWIzMZ2W/vpEwwoIUIDcDibdxcZa
+xmbH9kzbLhI2p6AeY7pmkuXWr8D72iwB/muRHh0t5xknVmk+kJDKEWua4yJ2XkLV
+Yys/HHfyianUaqg07GpSdB4OqMe9mLCl9xGQfzeqBdgHbVX/HzpxVKJ2HaVZk5K4
+d7lXM/xhNWR2lrU/RIiyBda553FmtqXOBQrfnbGyiiSsemKMORjn7G3oYjdOKniD
+PG8lSO/lE364iZ85V5VnmcaW21IkphUYEbQBoOA1jdeVO7o1rzNtvWFsPl3L9jnk
+9jUou3oHcCUUKGULEFnYxF5m37D7/ofSfufPBQal2sEHNyrOZEuvLeUsP0EdCL1J
+tzsiZwChRVGScG62dl9LuEC96Up1M1k2P546aWYvnD43jGL0Qbxvx3SAUqGpxWM9
+UCwnVOlX8VhBkUUmlT/fOpIS2yHkCGGy9tGxGuWxz3zpfccnog/GEaSPwm9qUf52
+vnUpafLcpSjW57PK7fJ/WctfddD2anFQgeKfW+eImM0V4NFhU2UECOmryxRcbzSb
+yjCZ4L8O3k2av4/H3eFsfSS4iVNwShbQFbxtQGM+35Aboiu7eOZHngjj6nkCAwEA
+AQKCAgATS4wagIgzmpnrOmtChyWngM4cjk8E9nGV5t1kz6LDxsBLPiywPqSfOU8b
+IuVbFfiPYYeUkl/1LmFv+xvnNJDmgwK3BKjw6ceOL0JQuGuOV+K0YMckEqzeTtWL
+t8oR+HnwGo7EpnK40KglnYWloKewUkTIaG5YpsxswEgk87RrgCi77IqzyVNrVwZs
+m13pHD2DocVA6JJ66AHzQnrcJBixtij3sqyywozrKdxe4aLTdy8jg8HMpcjnRAiY
+xT8O74xjckWR3e5+NEF90JJe9xrMJgv9YxMDsiwmayt73zAxlHosmpLLb9Lee5UL
+szBrJjoC3ZCxC8T283wkObk9CG74baJDHcJrRYJ6XMY9lZ6X0jgY0HFU3aSovs49
+9FSCxAMhdpQ7ej6GzOUBLs6NH4mUNm7SkrU3PJ5bEd5F9gxs+cQaMmy2tf91rZ96
+eeQdP+IpL8XDqwPfF2VnqQMc8bFjYwhOtrPSnjoWc/WdyigpNbRbUAKzRb8KOO8e
+JUbcG57egbAFkfOjW8Vy1qS1+DEEoiwjik6+bQA5/3HisJYH9v90JzR74zQmQhou
+CPqJfdjIYiqGH8LnT8hSsCBAIb+Afaqm2FHAncfPbzNaIAeQgLfT9S3JlHWsCZg7
+/lgWTks9v09r4zOG9H8UkNJJujLVWzIzn8afXBwfCx5C23D/RQKCAQEA3xIM/FzO
+iOcv0oGX343MoPcGvcSaUOQ4YI8pa1tjLx3iBkdovwO9tgA2POCEVi7q0ajRPSZx
+qAC+no+SoX7Q1Bl6aFaR6k8fwtZwuG8QrRSHsdjeeYn2pVyHTxRAvfGVm2seK9x/
+6GqkyyYhFYdz6h1O5hunKQBwyYCWCroTgLW2WhKEdgiT9Mk89nS/ZL2yZkFr5jOP
+9oXm+XApibInn8ZdpXE3FvkZ0ykXqaZ2oV6pyhZFFmDv5ImDb0vjUI8o56cokQAV
+e0m3dcvB566yeJLj6/SnpZjc5/7aHQM8n+SGckHgE4bskTQLXnO+DZb7D0kMCMgE
+Xpo81zwG6lAxcwKCAQEAzPHfyyYrCPgGJe9Z5e8qz+MtuJGwDpV7IQa6ZQjPUIn1
+r18aYp0e5GUX8d+m1cjkX+afPfcwPag9cFZ093PpMd1X8EREtP/UohNHFOeuIufZ
+kQi5t+QCbyNVzKUEFtPVQlY8F4rU35iXjdP7DLnFBFp/qI0GTqoXf7T44UAlt5t9
+lu5AimhyEzndPTNGr4uVNliAkT3EB/6k7/H5g4C1ISaIsjlw9tyjVtGpzIlAuK5Y
+g45FnKBE98EogERP1EXXfW9koW/RWsbV2e7yd9KiFqjfl7FWvTYkXkPpMt3XhYGC
+gj/Kxz7pOL5uFZGTf6xQLD523nuYySK2GlmlTV1JYwKCAQEAnd5bfFp9/JuI17TJ
+c/gZoq1QgwrZn3f0gjmvOYBCsHy4knMFKXIPV/fMascGQSwRGXIdKubDNv/X58V6
+I3rpdcHWRHNH7wgyVSSIP66yoZtO8UmnIWLHQH48cHXH3+VSWNy1TJtPln+qwu7o
+KSFkooI9bVKSuczLBYBQL6VC2is/s305a4Nkmq+0ykMTlMs/r2iLYS6KqxBWx59e
+dkm0CzpK2iRGtaZzZWLGkVTyzf99sDyUhmLyQ84iS6jsZf37F/7QEdZ6XXdtNBuQ
+zlNvkS97yGisIOEPLczKNhAtXodPsxr15zvsvlKT3TOShHGemlG7B5fup7kGZ9je
+mANLCwKCAQBrRvzPOPZz5mhJeSWEj5HIafFn2JLgv2xJWF0/P8JNNTnuh4inL/mY
+sjY7fMe2xkaM0IpwhDCzRZqLcCYf1YOuf19lvEZ+vB+Qiyi9D5z+VoBzQ677TBXe
+GQ/zZDlkvZO2+q7P3/MX66cBLYIPIjq30atbDh7MFIriZVeViN91YaX22FXeXVfB
+KpvdSjbo8tazMNZzsHIpgSjTFMV4CWpGpQYOzLSN8+ZoLq2EDCBdy503l8RmfRo8
+2dYadieXRMvMs/9n5cEflE8imco/4HjKBbGslL6DopCc601pO+hx0N4A0eWSMCMi
+ecPj9GTSAt+gmT3drbLHLi1GU8CMY5VjAoIBAQCbKEHibCNoY421jvMwYiwYAEqq
+/xxGJQyuO+5Nc9XwxU+jMW7O9nYSSuuuXxhRNG7LXdn31icrzuMM61STXgef8Cuf
+QIYLZrTwVQfmdUt8YJiMprjwCors5hax7XnQQaVWon0jhX2wA6yG+UNNUhi9+i8i
+7xog8FnJszGL98gHVnohkk7nq4VLuzm36I74aLfEU58jWvCv3b03bCGJaXXtMKan
+aj3IE28qDvtJCxPsF9UltbnpUrJOP4ghZQtq0vlmZkLHySAV7o4D8Ffw4qdBQFOy
+3SUCcH7wZAyGUFt+r/B9GkPeKrWgJ/Q8jQ7KoAtlWBAhAJT0zfrtwxAqeqTn
+-----END RSA PRIVATE KEY-----

test/ocspresponder_test.go

@@ -0,0 +1,245 @@
+package test
+
+import (
+	"bytes"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"golang.org/x/crypto/ocsp"
+)
+
+func TestOCSPResponder(t *testing.T) {
+	const (
+		caCert = "../test/configs/certs/ocsp/ca-cert.pem"
+		caKey = "../test/configs/certs/ocsp/ca-key.pem"
+		userCert = "../test/configs/certs/ocsp/server.crt"
+	)
+
+	s := newOCSPResponder(t, caCert, caKey)
+	defer s.Close()
+
+	// setOCSPDatabase(t, s.URL, userCert, ocsp.Good)		// FAIL
+	setOCSPDatabase(t, s.Addr, userCert, ocsp.Revoked) // PASS
+
+	resp := postOCSPRequest(t, s.Addr, userCert, caCert)
+	if got, want := resp.Status, ocsp.Revoked; got != want {
+		t.Fatalf("unexpected cert status, got %d, want %d", got, want)
+	}
+}
+
+func postOCSPRequest(t *testing.T, ocspURL, certPEM, issuerPEM string) *ocsp.Response {
+	t.Helper()
+
+	cert := parseCertPEM(t, certPEM)
+	issuer := parseCertPEM(t, issuerPEM)
+
+	reqData, err := ocsp.CreateRequest(cert, issuer, nil)
+	if err != nil {
+		t.Fatalf("failed to create OCSP request: %s", err)
+	}
+
+	r := bytes.NewReader(reqData)
+	hc := &http.Client{Timeout: 3 * time.Second}
+
+	httpResp, err := hc.Post(ocspURL, "application/ocsp-request", r)
+	if err != nil {
+		t.Fatalf("failed POST request: %s", err)
+	}
+	defer httpResp.Body.Close()
+
+	respData, err := io.ReadAll(httpResp.Body)
+	if err != nil {
+		t.Fatalf("failed to read OCSP HTTP response body: %s", err)
+	}
+
+	if got, want := httpResp.Status, "200 OK"; got != want {
+		t.Error(strings.TrimSpace(string(respData)))
+		t.Fatalf("unexpected OCSP HTTP status, got %q, want %q", got, want)
+	}
+
+	resp, err := ocsp.ParseResponse(respData, issuer)
+	if err != nil {
+		t.Fatalf("failed to parse OCSP response: %s", err)
+	}
+
+	return resp
+}
+
+func setOCSPDatabase(t *testing.T, ocspURL, certPEM string, status int) {
+	t.Helper()
+
+	cert := parseCertPEM(t, certPEM)
+
+	hc := &http.Client{Timeout: 3 * time.Second}
+	resp, err := hc.Post(
+		fmt.Sprintf("%s/statuses/%s", ocspURL, cert.SerialNumber),
+		"",
+		strings.NewReader(fmt.Sprint(status)),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read OCSP HTTP response body: %s", err)
+	}
+
+	if got, want := resp.Status, "200 OK"; got != want {
+		t.Error(strings.TrimSpace(string(data)))
+		t.Fatalf("unexpected OCSP HTTP set status, got %q, want %q", got, want)
+	}
+}
+
+func newOCSPResponder(t *testing.T, issuerCertPEM, issuerKeyPEM string) *http.Server {
+	t.Helper()
+	var mu sync.Mutex
+	status := make(map[string]int)
+
+	issuerCert := parseCertPEM(t, issuerCertPEM)
+	issuerKey := parseKeyPEM(t, issuerKeyPEM)
+
+	mux := http.NewServeMux()
+	// The "/statuses/" endpoint is for directly setting a key-value pair in
+	// the CA's status database.
+	mux.HandleFunc("/statuses/", func(rw http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+
+		key := r.URL.Path[len("/statuses/"):]
+		switch r.Method {
+		case "GET":
+			mu.Lock()
+			n, ok := status[key]
+			if !ok {
+				n = ocsp.Unknown
+			}
+			mu.Unlock()
+
+			fmt.Fprintf(rw, "%s %d", key, n)
+		case "POST":
+			data, err := io.ReadAll(r.Body)
+			if err != nil {
+				http.Error(rw, err.Error(), http.StatusBadRequest)
+				return
+			}
+
+			n, err := strconv.Atoi(string(data))
+			if err != nil {
+				http.Error(rw, err.Error(), http.StatusBadRequest)
+				return
+			}
+
+			mu.Lock()
+			status[key] = n
+			mu.Unlock()
+
+			fmt.Fprintf(rw, "%s %d", key, n)
+		default:
+			http.Error(rw, "Method Not Allowed", http.StatusMethodNotAllowed)
+			return
+		}
+	})
+	// The "/" endpoint is for normal OCSP requests. This actually parses an
+	// OCSP status request and signs a response with a CA. Lightly based off:
+	// https://www.ietf.org/rfc/rfc2560.txt
+	mux.HandleFunc("/", func(rw http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+
+		if r.Method != "POST" {
+			http.Error(rw, "Method Not Allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		if r.Header.Get("Content-Type") != "application/ocsp-request" {
+			http.Error(rw, "Unsupported Media Type", http.StatusUnsupportedMediaType)
+			return
+		}
+
+		reqData, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		ocspReq, err := ocsp.ParseRequest(reqData)
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		mu.Lock()
+		n, ok := status[ocspReq.SerialNumber.String()]
+		if !ok {
+			n = ocsp.Unknown
+		}
+		mu.Unlock()
+
+		tmpl := ocsp.Response{
+			Status:       n,
+			SerialNumber: ocspReq.SerialNumber,
+		}
+		respData, err := ocsp.CreateResponse(issuerCert, issuerCert, tmpl, issuerKey)
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		rw.Header().Set("Content-Type", "application/ocsp-response")
+		rw.Header().Set("Content-Length", fmt.Sprint(len(respData)))
+
+		fmt.Fprint(rw, string(respData))
+	})
+
+	srv := &http.Server{
+		Addr:    "127.0.0.1:8888",
+		Handler: mux,
+	}
+	go srv.ListenAndServe()
+	return srv
+}
+
+func parseCertPEM(t *testing.T, certPEM string) *x509.Certificate {
+	t.Helper()
+	block := parsePEM(t, certPEM)
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("failed to parse cert %s: %s", certPEM, err)
+	}
+	return cert
+}
+
+func parseKeyPEM(t *testing.T, keyPEM string) *rsa.PrivateKey {
+	t.Helper()
+	block := parsePEM(t, keyPEM)
+
+	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		t.Fatalf("failed to parse ikey %s: %s", keyPEM, err)
+	}
+	return key
+}
+
+func parsePEM(t *testing.T, pemPath string) *pem.Block {
+	t.Helper()
+	data, err := os.ReadFile(pemPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	block, _ := pem.Decode(data)
+	if block == nil {
+		t.Fatalf("failed to decode PEM %s", pemPath)
+	}
+	return block
+}

test/tls_test.go

@@ -15,6 +15,7 @@ package test
 
 import (
 	"bufio"
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -29,6 +30,7 @@ import (
 
 	"github.com/nats-io/nats-server/v2/server"
 	"github.com/nats-io/nats.go"
+	"golang.org/x/crypto/ocsp"
 )
 
 var noOpErrHandler = func(_ *nats.Conn, _ *nats.Subscription, _ error) {}
@@ -1935,3 +1937,106 @@ func TestTLSClientSVIDAuth(t *testing.T) {
 		})
 	}
 }
+
+func TestTLSClientOCSP(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Start mock HTTP responder service.
+	s := newOCSPResponder(t, "configs/certs/ocsp/ca-cert.pem", "configs/certs/ocsp/ca-key.pem")
+	defer s.Shutdown(ctx)
+
+	// Give it some time for the HTTP server to start.
+	time.Sleep(2 * time.Second)
+
+	setCertStatus := func(t *testing.T, cert string, ocspStatus int) {
+		setOCSPDatabase(t,
+			fmt.Sprintf("http://%s", s.Addr),
+			cert,
+			ocspStatus,
+		)
+	}
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		certs     nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"connect with tls and get a staple from valid certificate",
+			`
+				port: -1
+				%s
+			`,
+			nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+			nil,
+			nil,
+			func() { setCertStatus(t, "configs/certs/ocsp/server-cert.pem", ocsp.Good) },
+		},
+		// FIXME: Test that the server will not start with an invalid cert.
+		// {
+		// 	"connect with tls and get a staple from invalid certificate",
+		// 	`
+		// 		port: -1
+		// 		%s
+		// 	`,
+		// 	nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+		// 	nil,
+		// 	nil,
+		// 	func() { setCertStatus(t, "configs/certs/ocsp/server-cert.pem", ocsp.Revoked) },
+		// },
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			test.configure()
+
+			content := fmt.Sprintf(test.config, `
+				tls {
+					cert_file: "configs/certs/ocsp/server-cert.pem"
+					key_file: "configs/certs/ocsp/server-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+
+					# Makes the server honor must-staple flag if present in server cert.
+					ocsp: true
+				}
+			`)
+			conf := createConfFile(t, []byte(content))
+			defer removeFile(t, conf)
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+				test.certs,
+				nats.RootCAs("configs/certs/ocsp/ca-cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
+	}
+}