r509 · vali-um · Sep 7, 2022 · Sep 7, 2022
diff --git a/spec/fixtures/test_ca_ocsp.cer b/spec/fixtures/test_ca_ocsp.cer
@@ -1,26 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIEWjCCA0KgAwIBAgIVAL6KQp4q0lBnlTg3fdk1VWh02squMA0GCSqGSIb3DQEB
-BQUAMF4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwH
-Q2hpY2FnbzEYMBYGA1UECgwPUnVieSBDQSBQcm9qZWN0MRAwDgYDVQQDDAdUZXN0
-IENBMB4XDTEyMDEwNjEwMjYyNloXDTIyMDEwMzE2MjYyNlowYDELMAkGA1UEBhMC
-VVMxETAPBgNVBAgMCElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMREwDwYDVQQK
-DAhyNTA5IExMQzEZMBcGA1UEAwwQcjUwOSBPQ1NQIFNpZ25lcjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL1bj6l9fXWxFxdXIlzRewUKcMIjSvehpL5j
-CJ/7AqejfsV6K1all9CgOoXF1j7fAT8IkcuwcIQaq3zAV1vXxYtHRiWlQfYeXSWq
-zwQ8WzBAzIa6HRMZxtjbFzfrAPWEKRNyOlF/R98+VTD2MCRbbeVPLRkOtzHuiG0x
-ap+vVbGG7bO+kt8cRthVdYm1gkIP4Ox7cSi+JAR9JsZL1kk+QhIgU9BKE4BS0ior
-jC/FXHd6l3ub1DCoKPr5lw16MpmLwhjnn0myAy6Fr4eTAr69vDoA/KtoszFWO2Ea
-QsW0rJcRjwKAfliBQu1bVzfhBEpo2fFwjH9ydxp7NWHIf+/y1yECAwEAAaOCAQsw
-ggEHMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwkwHQYDVR0OBBYE
-FE7QZeVFxt67S7tR1FuFGA+DjTiMMIGQBgNVHSMEgYgwgYWAFHl1u4Q6yyzeegm+
-MRtDvBwqTVNYoWKkYDBeMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMx
-EDAOBgNVBAcMB0NoaWNhZ28xGDAWBgNVBAoMD1J1YnkgQ0EgUHJvamVjdDEQMA4G
-A1UEAwwHVGVzdCBDQYIJAP/ZxwuHN9GUMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6
-Ly9jcmwucjUwOS5vcmcvdGVzdF9jYS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAAGM
-Zg+p84GjC0gzeQZROqS6s4GDJgRn0/kEpnSQO8wDsjLjyyzbW8xIyX9w1EdVaSS8
-mTe/oZ9SvMS8ONHlINyQtM0GuS6OOxtEQcx5/IJxdC+TDXQ27TvBgNg2KUIWxDgG
-9V18jdS/fV3pDFbUfulGciQkUrReCjchM52XUg0mb13VCCLjEUETPVYV6akOgglM
-Lg22je3F6fiEctwHHMABv6fOSrKa3Qg0SCx1WA+uHLnrLjc5vYljAzvQYz8UywoS
-RBnW6UInYvBs6KZmWv9acWGew3pQLOp0+FOrvgnxLWG7D4QuMulaYgKP1cpValmU
-iCkw4FfJqeDBTxrenF4=
+MIIDtTCCAp2gAwIBAgITB3PrP/iLMaOXEJ5h6dZXpbIjozANBgkqhkiG9w0BAQUF
+ADBeMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0No
+aWNhZ28xGDAWBgNVBAoMD1J1YnkgQ0EgUHJvamVjdDEQMA4GA1UEAwwHVGVzdCBD
+QTAeFw0yMDAxMTQyMzAwMDBaFw0zMDAzMzAyMzAwMDBaMGMxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIGA1UECgwL
+UGF1bCBLZWhyZXIxGTAXBgNVBAMMEHI1MDkgT0NTUCBTaWduZXIwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8pLk9WF0TWyKE0TQpYX+12Ew5BlI9/T9n
+QtvdIZHOmVDCEALOfSXwG87T9piO2AybJTAOwbR/xdS44jNtRugcPJNVgANZJu3u
+ucpXSph6hEhElmP33/872bhfRVNNIZzVJixWrrHclKz9HcY7K5NXdpB3uFULvgNI
+Qt5ykV4s+LoRbKdWFuqjZgsWdnlbDsV/G8umBhX2qfOC1nDAORvPoJPgjm80c13z
+b5GIZwT5LPzedn4QCXJS6IQf/IIdfiSOWQVSMYdKkRWoyNtlfGYa3aDPERYplaby
+Pp/9hh3+DgAzvAgGF1ABtLKoXNpSa7oj9zJYAIZMGHyr16dFMMXNAgMBAAGjZzBl
+MA4GA1UdDwEB/wQEAwIChDAhBgNVHSUBAf8EFzAVBggrBgEFBQcDCQYJKwYBBQUH
+MAEFMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9jcmwucjUwOS5vcmcvdGVzdF9j
+YS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAB6QhE8Q7ICfpBLVLG9HySX48hVjzgWk
+dPmu5BfUXfgQ2mmhmQUyIidoOph0F/S9kpDQbGT36NGfvlNHkGNGwVg6o2zw/5kV
+xOOupvPcG5du+iLfOmEUMd0qKToJdv6FM72cBv8bBnQq6dOEa40KtonvNWDXGBZp
+4PYrzw2JqJis1PID1j/NJF/GzlSAnqi4B0nVYKQJvfvhx/yqBTXGDcigcJQipanz
+m2L/sJaF8rB8btz0h75ela+QF65IO7pB2jAVf048RHGZVTUty5FqVMW+o+kdHnHg
+6kTnCl0ALncFkSSC4m1APGc/Pr1sp2JZGpvvoWEUV5xS0BZEmwNpiUI=
 -----END CERTIFICATE-----
diff --git a/spec/fixtures/test_ca_ocsp.key b/spec/fixtures/test_ca_ocsp.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAvVuPqX19dbEXF1ciXNF7BQpwwiNK96GkvmMIn/sCp6N+xXor
-VqWX0KA6hcXWPt8BPwiRy7BwhBqrfMBXW9fFi0dGJaVB9h5dJarPBDxbMEDMhrod
-ExnG2NsXN+sA9YQpE3I6UX9H3z5VMPYwJFtt5U8tGQ63Me6IbTFqn69VsYbts76S
-3xxG2FV1ibWCQg/g7HtxKL4kBH0mxkvWST5CEiBT0EoTgFLSKiuML8Vcd3qXe5vU
-MKgo+vmXDXoymYvCGOefSbIDLoWvh5MCvr28OgD8q2izMVY7YRpCxbSslxGPAoB+
-WIFC7VtXN+EESmjZ8XCMf3J3Gns1Ych/7/LXIQIDAQABAoIBAHfVsSY/P52y0/02
-bI23GJaJE/EYqsHqbzr5q6SrEvQKeRj6huDP7TLfpAmyuTKSqNQ+VR5F6/7+bdaG
-VwLNm7vYAGGkowjiEGrdHSP+GmuAJq+AqxPCdWAZzyjZNYMq/1/KI3QeC9sRNJLG
-ypLHtdWv9Mdt06vq3DXWVzb1nFK7DOKwCmR8qIhsGpBRBuztzHups2joQa4RTihC
-7hmdGz2VLFR0J9xphLV57W/ObJuxTD3sqL3HrsDkfv6Poi6iS1GBFtDUuxrFtUv/
-K1Yao02gkXD32Mq5M38uTyBK7nEhS1V7cvP0iHPdLgan9bsrOREXyVV+u0gr2IN1
-wKvyYs0CgYEA7HiL3JdOwlxzWznHLRPOd07cOnwkq5eauqmT2nzxtqL3InSFmNtL
-1hMfIRA2wejo/Q1Ezi7d7RCHsSHBfCGag7L/NdVnIiHAErbVf+LofvjL2C9LShKB
-u4DxPsb7hcj3I9qaHoc0zotxjAkg38sdr2sfP7EMc5k+asPb9MA/bX8CgYEAzP7z
-J4c+CkUhUg1xynZswjxvvC3oMhbC2vVsuKt/ZMwFolpDvVJNcrFOFkqikaGDLcPB
-Dg2WxxZdujnfXBWjTI8M7pfhD1u2OW99yQsWxnWOc1C4n4OjPH0/sn9IEAjlmTpc
-5NYZB6dAARGRTEJN8srNGm59z0S6jLyciuErS18CgYBk8lz6cVk83YydMAAX/TGR
-ewfGq8JXwiNadhPZHKdvCQipG8cAZvVr0MPkMHC/vLbhd+2ceyNgFUNn2XoojIvS
-lvIdwBkD2BaPpp9jtbD8qycSBbaFS3s4WSYjX3x2M0FVe/d4+s0PMzXoyujOwH3O
-qdMwNFuVaaDcoPnf9MXe7wKBgH9OpbsaplDCddr7NnvB5/EIj2uSJu1UbVaFrCtT
-dh4nBii5XfApOKfNrOzzFNrULx8wvqf3kHe7UCHi5u/NEEjvXdyevcpH7nbk4n0E
-QfSl9P1wV/fYTHu4XOKBYUN0AwKR2DbVL14tY/ZF7rIpSzdI8u9DRyZ9TE0ypRUq
-mTSJAoGAOkzZ2D/nQyIz9mHOKmDoXWbFgZ32rqTzqfS07cq5vtt2Ol2MTRXY386Q
-kW1AyHf0hz8SQe3+An4K6uMpGkZ6dzEOXhsw1+fwU9jFb+qucRuhTVlyVWDVtkf6
-NRg6ZlSfTi3KxmaSsY7X/t9DfWmud8MXTm3cUqI0VdljQmAT85A=
+MIIEpAIBAAKCAQEAvKS5PVhdE1sihNE0KWF/tdhMOQZSPf0/Z0Lb3SGRzplQwhAC
+zn0l8BvO0/aYjtgMmyUwDsG0f8XUuOIzbUboHDyTVYADWSbt7rnKV0qYeoRIRJZj
+99//O9m4X0VTTSGc1SYsVq6x3JSs/R3GOyuTV3aQd7hVC74DSELecpFeLPi6EWyn
+Vhbqo2YLFnZ5Ww7FfxvLpgYV9qnzgtZwwDkbz6CT4I5vNHNd82+RiGcE+Sz83nZ+
+EAlyUuiEH/yCHX4kjlkFUjGHSpEVqMjbZXxmGt2gzxEWKZWm8j6f/YYd/g4AM7wI
+BhdQAbSyqFzaUmu6I/cyWACGTBh8q9enRTDFzQIDAQABAoIBAQCUzle1NWwOZbiA
+DsrXzapBVsMhxIPBlHCcUxg+gkmTMEuNGbYtDnmLw1POzlofa/vdsmMLcO+iTvrz
+cLPigql8BKiwLE/31oaf5vzfCN/o3UpomD15fb/HhYIz3OrOEDK3zOny4tE40Cr5
+a7BAYqpStxtU5RppLdVG/kCdHWCtlZZbd3gacxSycxoqti5vL/cZIAkvYgjL8PMo
+uwxL+19XfoisxazGRGwru9F75wY6/6RjAXkJsFlByfXGwU2QgpWPuIE2r7k5uNK4
++GB0qhecnfIF285MiLzVLC5ZrRKqVtLjhh9+P8ag44+xWKqLj7XPz+AJy9C/qW4w
+iOTZlcW9AoGBAPHrzRHAsKoii+z+8z1FSpbH8rt8zmXKFMQnJElyHyLZFr4ZtNmt
+8B9UWm7pT7gxkPmbzfNaiD+KZ5o2KMiy+wVsL4j3E1X0q+c/fthi4xqfFZjOC1kb
+l2GL1XAPeJgkg3Ji8YGbACAIbQAvdTmS/2WrLNaNPz2VK6HDhqsOtnAbAoGBAMef
+LeZmRqNbKfMUjfrMA+cLtD2Wg/Y+fX1QJaCjHOcHHjvUYHtdWy+vhKB8b1RqXXzc
+nBKZXu+siLNHtxxFu8QzGi9DaI0lpz2GjfXF/9K/OVLGMHpTYSjLDcqywZztviCQ
+ebHR9e5LAXxc7LMBH8a11uSENyl9gbX9ssiwxxA3AoGBAN+ATTYAgna8ce+jXw+V
+K6L/2RYz6O+LcgICc3jTUUa9r1AzqayOENCw+teK/1aZnGmu8ufIFSY29R44uRcq
+m9TXrVbphVidMg/zznmVamFW5foFKeDKJ+I78RWVhYFyAmq0VJC7pbLyddl8/t0R
+HJlOOp+BYRLA9M1/ObRhZFVPAoGADMr+vg0/6agmABYJI1F/zobJfkjvHBDVKfrA
+7pKFf6jNHzh1FnLdLSkqbr6Kw/YtF5trxSVfGC0Oda7a5Uzyw5gizXScdq87EI5W
++rE9u9vVaKCa6rv9NggNUjgygEQcMyoPIn46LJNR/Q5XfQFNcAanRu3SOy536Zng
+o0vw9fECgYBJBre6nZtrLc7Y6BNfhC9bR/6C3iOQn9t6r2mx1nYmU60HCZ0icOZI
+X8ukdPpRq9HTREzZD9jXxFBT03/9RM4n/UhCjzLyy2ndYj3EJxAZYAxcHbFl4uzc
+VUhJZjmm691IQrthsV0PLCP3R6K/PlxN3egIHXWrFUAoHS9GHdJ5Pw==
 -----END RSA PRIVATE KEY-----
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
@@ -125,7 +125,7 @@ def app
   end
 
   it "should return unauthorized on a POST which does not match any configured CA" do
-    der = Base64.decode64(URI.decode("MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEFqb7H4xpqYH6ed2G0%2BPMG4%3D"))
+    der = Base64.decode64(URI::DEFAULT_PARSER.unescape("MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEFqb7H4xpqYH6ed2G0%2BPMG4%3D"))
     post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
     ocsp_response = R509::OCSP::Response.parse(last_response.body)
     ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
@@ -137,7 +137,7 @@ def app
     @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({})
     @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "UNKNOWN")
 
-    der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+    der = Base64.decode64(URI::DEFAULT_PARSER.unescape("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
     post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
     ocsp_response = R509::OCSP::Response.parse(last_response.body)
     ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
@@ -152,7 +152,7 @@ def app
     @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::REVOKED})
     @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "REVOKED")
 
-    der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+    der = Base64.decode64(URI::DEFAULT_PARSER.unescape("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
     post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
     ocsp_response = R509::OCSP::Response.parse(last_response.body)
     ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
@@ -167,7 +167,7 @@ def app
     @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
     @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
 
-    der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+    der = Base64.decode64(URI::DEFAULT_PARSER.unescape("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
     post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
     ocsp_response = R509::OCSP::Response.parse(last_response.body)
     ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
@@ -182,7 +182,7 @@ def app
     @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA:773553085290984246110251380739025914079776985795").and_return({"status" => R509::Validity::VALID})
     @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=R509, Ltd/CN=R509 Secondary Test CA", "773553085290984246110251380739025914079776985795", "VALID")
 
-    der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D"))
+    der = Base64.decode64(URI::DEFAULT_PARSER.unescape("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBT1kOLWHXbHiKP3sVPVxVziq%2FMqIwQUP8ezIf8yhMLgHnccSKJLQdhDaVkCFQCHf1HsjUAACwcp3qQL4IxclfXSww%3D%3D"))
     post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
     ocsp_response = R509::OCSP::Response.parse(last_response.body)
     ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
@@ -375,7 +375,7 @@ def app
     @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
     @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
 
-    der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+    der = Base64.decode64(URI::DEFAULT_PARSER.unescape("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
     post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
     R509::OCSP::Response.parse(last_response.body)
     last_response.content_type.should == "application/ocsp-response"
@@ -389,7 +389,7 @@ def app
     @redis.should_receive(:hgetall).with("cert:/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA:1051177536915098490149656742929223623669143613238").and_return({"status" => R509::Validity::VALID})
     @stats.should_receive(:record).with("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA", "1051177536915098490149656742929223623669143613238", "VALID")
 
-    der = Base64.decode64(URI.decode("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
+    der = Base64.decode64(URI::DEFAULT_PARSER.unescape("MFYwVDBSMFAwTjAJBgUrDgMCGgUABBQ4ykaMB0SN9IGWx21tTHBRnmCnvQQUeXW7hDrLLN56Cb4xG0O8HCpNU1gCFQC4IG5U4zC4RYb4VQ%2B2f0zCoFCvNg%3D%3D"))
     post '/', der, "CONTENT_TYPE" => "application/ocsp-request"
     R509::OCSP::Response.parse(last_response.body)
     last_response.content_type.should == "application/ocsp-response"

diff --git a/spec/signer_spec.rb b/spec/signer_spec.rb
@@ -85,7 +85,7 @@
     request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
     request_response[:response].verify(@ocsp_chain_config.ca_cert.cert).should == true
     #TODO Better way to check whether we're adding the certs when signing the basic_response than response size...
-    request_response[:response].to_der.size.should be >= 3600
+    request_response[:response].to_der.size.should be >= 3500
     request_response[:response].to_der.size.should be <= 3900
   end
   it "responds successfully from the test_ca" do