Correct certificate comparisons

DEVSIX-8629 Autoported commit. Original commit hash: [a6e77ae17] Manual files: bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/BouncyCastleFactory.java bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/asn1/x500/X500NameBC.java bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/cert/ocsp/BasicOCSPRespBC.java bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/cert/ocsp/RespIDBC.java bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/cert/ocsp/ResponderIDBC.java bouncy-castle-connector/src/main/java/com/itextpdf/bouncycastleconnector/BouncyCastleDefaultFactory.java bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/asn1/x500/X500NameBCFips.java bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/cert/ocsp/BasicOCSPRespBCFips.java bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/cert/ocsp/RespIDBCFips.java bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/cert/ocsp/ResponderIDBCFips.java commons/src/main/java/com/itextpdf/commons/bouncycastle/IBouncyCastleFactory.java commons/src/main/java/com/itextpdf/commons/bouncycastle/cert/ocsp/IBasicOCSPResp.java sharpenConfiguration.xml Prepare autoport for: Correct certificate comparisons DEVSIX-8629
aleks-ivanov · Oct 4, 2024 · 0f8556a · 0f8556a
1 parent efc2d56
commit 0f8556a
Show file tree

Hide file tree

Showing 46 changed files with 1,706 additions and 375 deletions.
diff --git a/itext.tests/itext.sign.tests/itext/signatures/TrustedCerrtificatesStoreTest.cs b/itext.tests/itext.sign.tests/itext/signatures/TrustedCerrtificatesStoreTest.cs
diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/CRLValidatorTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/CRLValidatorTest.cs
@@ -83,6 +83,46 @@ public virtual void HappyPathTest() {
             AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID));
         }
 
+        [NUnit.Framework.Test]
+        public virtual void MultipleIssuersWithOneMatch() {
+            RetrieveTestResources("multipleCrlIssuerCandidates");
+            byte[] crl = CreateCrl(crlIssuerCert, crlIssuerKey, TimeTestUtil.TEST_DATE_TIME.AddDays(-5), TimeTestUtil.
+                TEST_DATE_TIME.AddDays(+5));
+            IX509Certificate candidateCrlIssuerCert1 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER + 
+                "multipleCrlIssuerCandidates/crl-issuer-candidate1.cert.pem")[0];
+            IX509Certificate candidateCrlIssuerCert2 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER + 
+                "multipleCrlIssuerCandidates/crl-issuer-candidate2.cert.pem")[0];
+            certificateRetriever.AddTrustedCertificates(JavaUtil.ArraysAsList(candidateCrlIssuerCert1, crlIssuerCert, 
+                candidateCrlIssuerCert2));
+            ValidationReport report = PerformValidation("multipleCrlIssuerCandidates", TimeTestUtil.TEST_DATE_TIME, crl
+                );
+            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID));
+            // expected the CRL validator to stop after correct issuer was found
+            NUnit.Framework.Assert.AreEqual(2, mockChainValidator.verificationCalls.Count);
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void MultipleIssuersWithNoMatch() {
+            RetrieveTestResources("multipleCrlIssuerCandidates");
+            byte[] crl = CreateCrl(crlIssuerCert, crlIssuerKey, TimeTestUtil.TEST_DATE_TIME.AddDays(-5), TimeTestUtil.
+                TEST_DATE_TIME.AddDays(+5));
+            IX509Certificate candidateCrlIssuerCert1 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER + 
+                "multipleCrlIssuerCandidates/crl-issuer-candidate1.cert.pem")[0];
+            IX509Certificate candidateCrlIssuerCert2 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER + 
+                "multipleCrlIssuerCandidates/crl-issuer-candidate2.cert.pem")[0];
+            certificateRetriever.AddTrustedCertificates(JavaUtil.ArraysAsList(candidateCrlIssuerCert1, candidateCrlIssuerCert2
+                ));
+            IX509Certificate certificateUnderTest = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER + "multipleCrlIssuerCandidates/sign.cert.pem"
+                )[0];
+            ValidationReport result = new ValidationReport();
+            ValidationContext context = new ValidationContext(ValidatorContext.REVOCATION_DATA_VALIDATOR, CertificateSource
+                .SIGNER_CERT, TimeBasedContext.PRESENT);
+            validatorChainBuilder.GetCRLValidator().Validate(result, context, certificateUnderTest, (IX509Crl)CertificateUtil
+                .ParseCrlFromStream(new MemoryStream(crl)), TimeTestUtil.TEST_DATE_TIME, TimeTestUtil.TEST_DATE_TIME);
+            AssertValidationReport.AssertThat(result, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+                ));
+        }
+
         [NUnit.Framework.Test]
         public virtual void NextUpdateBeforeValidationTest() {
             RetrieveTestResources("happyPath");
@@ -334,7 +374,7 @@ public virtual void CertificateRetrieverFailureTest() {
             byte[] crl = CreateCrl(crlIssuerCert, crlIssuerKey, TimeTestUtil.TEST_DATE_TIME.AddDays(-5), TimeTestUtil.
                 TEST_DATE_TIME.AddDays(+5));
             MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever();
-            mockCertificateRetriever.OngetCrlIssuerCertificatesDo((c) => {
+            mockCertificateRetriever.OngetCrlIssuerCertificatesByNameDo((c) => {
                 throw new Exception("just testing");
             }
             );

diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/CertificateChainValidatorTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/CertificateChainValidatorTest.cs
@@ -601,6 +601,7 @@ public virtual void TestStopOnInvalidRevocationResultTest() {
                 );
             AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INVALID));
             NUnit.Framework.Assert.AreEqual(0, mockCertificateRetriever.getCrlIssuerCertificatesCalls.Count);
+            NUnit.Framework.Assert.AreEqual(0, mockCertificateRetriever.getCrlIssuerCertificatesByNameCalls.Count);
             NUnit.Framework.Assert.AreEqual(1, mockRevocationDataValidator.calls.Count);
         }
     }

diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/OCSPValidatorIntegrationTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/OCSPValidatorIntegrationTest.cs
@@ -99,10 +99,11 @@ public virtual void ValidateResponderOcspNoCheckTest() {
         [NUnit.Framework.Test]
         public virtual void ValidateAuthorizedOCSPResponderWithOcspTest() {
             ValidationReport report = VerifyResponderWithOcsp(false);
-            AssertValidationReport.AssertThat(report, (a) => a.HasNumberOfFailures(0).HasNumberOfLogs(2).HasLogItems(2
-                , (al) => al.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator
-                .CERTIFICATE_TRUSTED, (l) => ((CertificateReportItem)l).GetCertificate().GetSubjectDN())).HasStatus(ValidationReport.ValidationResult
-                .VALID));
+            AssertValidationReport.AssertThat(report, (a) => a.HasNumberOfFailures(0).HasNumberOfLogs(2).HasLogItem((al
+                ) => al.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator
+                .CERTIFICATE_TRUSTED, (l) => ((CertificateReportItem)l).GetCertificate().GetSubjectDN())).HasLogItem((
+                al) => al.WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.OCSP_RESPONDER_IS_CA)).HasStatus
+                (ValidationReport.ValidationResult.VALID));
         }
 
         [NUnit.Framework.Test]

diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/OCSPValidatorTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/OCSPValidatorTest.cs
@@ -21,6 +21,7 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 using System;
+using System.Collections.Generic;
 using iText.Bouncycastleconnector;
 using iText.Commons.Bouncycastle;
 using iText.Commons.Bouncycastle.Asn1.Ocsp;
@@ -96,6 +97,49 @@ public virtual void HappyPathTest() {
             AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID));
         }
 
+        [NUnit.Framework.Test]
+        public virtual void MultipleIssuerCandidatesHappyPathTest() {
+            IX509Certificate candidateOcspIssuerCert1 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER +
+                 "candidate1-ocsp-issuer.cert.pem")[0];
+            IX509Certificate candidateOcspIssuerCert2 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER +
+                 "candidate2-ocsp-issuer.cert.pem")[0];
+            certificateRetriever.AddTrustedCertificates(JavaUtil.ArraysAsList(candidateOcspIssuerCert1, responderCert, 
+                candidateOcspIssuerCert2));
+            TestOcspResponseBuilder builder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
+            builder.SetOcspCertsChain(new IX509Certificate[] { caCert });
+            TestOcspClient ocspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, builder);
+            IBasicOcspResponse basicOCSPResp = FACTORY.CreateBasicOCSPResponse(FACTORY.CreateASN1Primitive(ocspClient.
+                GetEncoded(checkCert, caCert, null)));
+            ValidationReport report = new ValidationReport();
+            certificateRetriever.AddTrustedCertificates(JavaCollectionsUtil.SingletonList(caCert));
+            OCSPValidator validator = validatorChainBuilder.BuildOCSPValidator();
+            validator.Validate(report, baseContext, checkCert, basicOCSPResp.GetResponses()[0], basicOCSPResp, TimeTestUtil
+                .TEST_DATE_TIME, TimeTestUtil.TEST_DATE_TIME);
+            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void MultipleIssuerCandidatesFailingTest() {
+            IX509Certificate candidateOcspIssuerCert1 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER +
+                 "candidate1-ocsp-issuer.cert.pem")[0];
+            IX509Certificate candidateOcspIssuerCert2 = (IX509Certificate)PemFileHelper.ReadFirstChain(SOURCE_FOLDER +
+                 "candidate2-ocsp-issuer.cert.pem")[0];
+            certificateRetriever.AddTrustedCertificates(JavaUtil.ArraysAsList(candidateOcspIssuerCert1, candidateOcspIssuerCert2
+                ));
+            TestOcspResponseBuilder builder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
+            builder.SetOcspCertsChain(new IX509Certificate[] { caCert });
+            TestOcspClient ocspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, builder);
+            IBasicOcspResponse basicOCSPResp = FACTORY.CreateBasicOCSPResponse(FACTORY.CreateASN1Primitive(ocspClient.
+                GetEncoded(checkCert, caCert, null)));
+            ValidationReport report = new ValidationReport();
+            certificateRetriever.AddTrustedCertificates(JavaCollectionsUtil.SingletonList(caCert));
+            OCSPValidator validator = validatorChainBuilder.BuildOCSPValidator();
+            validator.Validate(report, baseContext, checkCert, basicOCSPResp.GetResponses()[0], basicOCSPResp, TimeTestUtil
+                .TEST_DATE_TIME, TimeTestUtil.TEST_DATE_TIME);
+            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+                ));
+        }
+
         [NUnit.Framework.Test]
         public virtual void OcpsIssuerChainValidationsUsesCorrectParametersTest() {
             DateTime checkDate = TimeTestUtil.TEST_DATE_TIME;
@@ -419,6 +463,12 @@ public virtual void CertificateRetrieverIsCertificateTrustedFailureTest() {
                 throw new Exception("Test isCertificateTrusted failure");
             }
             );
+            MockTrustedCertificatesStore mockTrustStore = new MockTrustedCertificatesStore();
+            mockTrustStore.OnIsCertificateTrustedForOcspDo((c) => {
+                throw new Exception("Test isCertificateTrusted failure");
+            }
+            );
+            mockCertificateRetriever.OnGetTrustedCertificatesStoreDo(() => mockTrustStore);
             ValidationReport report = ValidateTest(checkDate);
             AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
                 ).HasLogItem((l) => l.WithMessage(OCSPValidator.OCSP_RESPONDER_TRUST_NOT_RETRIEVED)));
@@ -500,8 +550,8 @@ public TestIssuingCertificateRetriever(String issuerPath)
                 this.issuerCertificate = PemFileHelper.ReadFirstChain(issuerPath)[0];
             }
 
-            public override IX509Certificate RetrieveIssuerCertificate(IX509Certificate certificate) {
-                return issuerCertificate;
+            public override IList<IX509Certificate> RetrieveIssuerCertificate(IX509Certificate certificate) {
+                return JavaCollectionsUtil.SingletonList((IX509Certificate)issuerCertificate);
             }
         }
     }

diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/RevocationDataValidatorTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/RevocationDataValidatorTest.cs
@@ -733,7 +733,7 @@ public virtual void CertificateRetrieverRetrieveIssuerCertificateFailureTest() {
             mockOCSPValidator.OnCallDo((c) => c.report.AddReportItem(reportItem));
             validator.Validate(report, baseContext, checkCert, checkDate);
             AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
-                ).HasLogItem((l) => l.WithMessage(RevocationDataValidator.ISSUER_RETRIEVAL_FAILED)));
+                ).HasLogItem((l) => l.WithMessage(RevocationDataValidator.UNABLE_TO_RETRIEVE_REV_DATA_ONLINE)));
         }
 
         [NUnit.Framework.Test]

diff --git a/...t.tests/itext.sign.tests/itext/signatures/validation/SignatureValidatorIntegrationTest.cs b/...t.tests/itext.sign.tests/itext/signatures/validation/SignatureValidatorIntegrationTest.cs
@@ -80,9 +80,11 @@ public virtual void ValidLatestSignatureTest() {
                 SignatureValidator signatureValidator = builder.BuildSignatureValidator(document);
                 report = signatureValidator.ValidateSignatures();
             }
-            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasLogItems
-                (3, (al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage
-                (CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN())));
+            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasLogItem
+                ((al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage
+                (CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN())).HasLogItem((al) => al
+                .WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.OCSP_RESPONDER_TRUSTED)).HasLogItem
+                ((al) => al.WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.OCSP_RESPONDER_IS_CA)));
         }
 
         [NUnit.Framework.Test]
@@ -107,9 +109,9 @@ public virtual void ShortValidityCertsWithOcspTest() {
                 .UNEXPECTED_ENTRY_IN_XREF, (i) => 30)).HasLogItem((al) => al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION
                 ).WithMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, (i) => "timestampSig1")).HasLogItem((al) =>
                  al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION).WithMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME
-                , (i) => "Signature1")).HasLogItems(2, (al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator
+                , (i) => "Signature1")).HasLogItem((al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator
                 .CERTIFICATE_CHECK).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN
-                ())).HasLogItems(4, (al) => al.WithCertificate(tsRootCert).WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK
+                ())).HasLogItems(2, (al) => al.WithCertificate(tsRootCert).WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK
                 ).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => tsRootCert.GetSubjectDN())));
         }
 
@@ -195,16 +197,18 @@ public virtual void ValidateSingleSignatureTest1() {
                 (4).HasNumberOfFailures(0).HasLogItem((al) => al.WithCheckName(DocumentRevisionsValidator.DOC_MDP_CHECK
                 ).WithMessage(DocumentRevisionsValidator.UNEXPECTED_ENTRY_IN_XREF, (i) => 17).WithStatus(ReportItem.ReportItemStatus
                 .INFO)).HasLogItem((al) => al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION).WithMessage(SignatureValidator
-                .VALIDATING_SIGNATURE_NAME, (p) => "Signature1")).HasLogItems(2, (al) => al.WithCertificate(rootCert).
-                WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED
-                , (i) => rootCert.GetSubjectDN())));
+                .VALIDATING_SIGNATURE_NAME, (p) => "Signature1")).HasLogItem((al) => al.WithCertificate(rootCert).WithCheckName
+                (CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED
+                , (i) => rootCert.GetSubjectDN())).HasLogItem((al) => al.WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage
+                (OCSPValidator.OCSP_RESPONDER_IS_CA)));
             AssertValidationReport.AssertThat(report2, (a) => a.HasStatus(ValidationReport.ValidationResult.INVALID).HasNumberOfLogs
                 (4).HasNumberOfFailures(1).HasLogItem((al) => al.WithCheckName(DocumentRevisionsValidator.DOC_MDP_CHECK
                 ).WithMessage(DocumentRevisionsValidator.PAGE_ANNOTATIONS_MODIFIED).WithStatus(ReportItem.ReportItemStatus
                 .INVALID)).HasLogItem((al) => al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION).WithMessage(
-                SignatureValidator.VALIDATING_SIGNATURE_NAME, (p) => "Signature2")).HasLogItems(2, (al) => al.WithCertificate
+                SignatureValidator.VALIDATING_SIGNATURE_NAME, (p) => "Signature2")).HasLogItem((al) => al.WithCertificate
                 (rootCert).WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator
-                .CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN())));
+                .CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN())).HasLogItem((al) => al.WithCheckName(OCSPValidator
+                .OCSP_CHECK).WithMessage(OCSPValidator.OCSP_RESPONDER_IS_CA)));
         }
 
         [NUnit.Framework.Test]
@@ -314,8 +318,8 @@ public virtual void LatestSignatureIsTimestampTest() {
                 SignatureValidator signatureValidator = builder.BuildSignatureValidator(document);
                 report = signatureValidator.ValidateLatestSignature(document);
             }
-            AssertValidationReport.AssertThat(report, (a) => a.HasNumberOfFailures(0).HasNumberOfLogs(3).HasLogItems(2
-                , (la) => la.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator
+            AssertValidationReport.AssertThat(report, (a) => a.HasNumberOfFailures(0).HasNumberOfLogs(3).HasLogItem((la
+                ) => la.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator
                 .CERTIFICATE_TRUSTED, (l) => rootCert.GetSubjectDN()).WithCertificate(rootCert)));
         }
 
@@ -356,9 +360,11 @@ public virtual void CertificatesNotInLatestSignatureButSetAsKnownTest() {
                 SignatureValidator signatureValidator = builder.BuildSignatureValidator(document);
                 report = signatureValidator.ValidateLatestSignature(document);
             }
-            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasLogItems
-                (3, (al) => al.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator
-                .CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN()).WithCertificate(rootCert)));
+            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasLogItem
+                ((al) => al.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK).WithMessage(CertificateChainValidator
+                .CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN()).WithCertificate(rootCert)).HasLogItem((al) => al
+                .WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.OCSP_RESPONDER_TRUSTED)).HasLogItem
+                ((al) => al.WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.OCSP_RESPONDER_IS_CA)));
         }
 
         [NUnit.Framework.Test]