zmap
diff --git a/‎v3/cmd/zlint/main.go‎
Lines changed: 23 additions & 17 deletions b/‎v3/cmd/zlint/main.go‎
Lines changed: 23 additions & 17 deletions
diff --git a/‎v3/lints/rfc/lint_ocsp_this_update_not_after_produced_at_test.go‎
Lines changed: 8 additions & 0 deletions b/‎v3/lints/rfc/lint_ocsp_this_update_not_after_produced_at_test.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎v3/test/helpers.go‎
Lines changed: 21 additions & 18 deletions b/‎v3/test/helpers.go‎
Lines changed: 21 additions & 18 deletions
diff --git a/‎v3/testdata/ocspThisUpdateAfterProducedAt.der‎
241 Bytes b/‎v3/testdata/ocspThisUpdateAfterProducedAt.der‎
241 Bytes
diff --git a/‎v3/testdata/ocspThisUpdateNotAfterProducedAt.der‎
241 Bytes b/‎v3/testdata/ocspThisUpdateNotAfterProducedAt.der‎
241 Bytes
@@ -32,6 +32,7 @@ import (
 	"github.com/zmap/zlint/v3"
 	"github.com/zmap/zlint/v3/formattedoutput"
 	"github.com/zmap/zlint/v3/lint"
+	"golang.org/x/crypto/ocsp"
 
 	_ "github.com/zmap/zlint/v3/profiles"
 )
@@ -169,19 +170,14 @@ func doLint(inputFile *os.File, inform string, registry lint.Registry) {
 	}
 
 	var asn1Data []byte
-	var isCRL bool
 	switch inform {
 	case "pem":
 		p, _ := pem.Decode(fileBytes)
 		if p == nil {
 			log.Fatal("unable to parse PEM")
 		}
-		switch p.Type {
-		case "CERTIFICATE":
-		case "X509 CRL":
-			isCRL = true
-		default:
-			log.Fatalf("unknown PEM type (%s)", p.Type)
+		if p.Type != "CERTIFICATE" && p.Type != "X509 CRL" {
+			log.Fatalf("unknown PEM type %s", p.Type)
 		}
 		asn1Data = p.Bytes
 	case "der":
@@ -195,18 +191,28 @@ func doLint(inputFile *os.File, inform string, registry lint.Registry) {
 		log.Fatalf("unknown input format %s", format)
 	}
 	var zlintResult *zlint.ResultSet
-	if isCRL {
-		crl, err := x509.ParseRevocationList(asn1Data)
-		if err != nil {
-			log.Fatalf("unable to parse certificate revocation list: %s", err)
-		}
-		zlintResult = zlint.LintRevocationListEx(crl, registry)
+	var errs []error
+	if cert, err := x509.ParseCertificate(asn1Data); err == nil {
+		zlintResult = zlint.LintCertificateEx(cert, registry)
 	} else {
-		c, err := x509.ParseCertificate(asn1Data)
-		if err != nil {
-			log.Fatalf("unable to parse certificate: %s", err)
+		errs = append(errs, fmt.Errorf("parsing as certificate: %v", err))
+	}
+	if zlintResult == nil {
+		if crl, err := x509.ParseRevocationList(asn1Data); err == nil {
+			zlintResult = zlint.LintRevocationListEx(crl, registry)
+		} else {
+			errs = append(errs, fmt.Errorf("parsing as CRL: %v", err))
 		}
-		zlintResult = zlint.LintCertificateEx(c, registry)
+	}
+	if zlintResult == nil {
+		if resp, err := ocsp.ParseResponse(asn1Data, nil); err == nil {
+			zlintResult = zlint.LintOcspResponseEx(resp, registry)
+		} else {
+			errs = append(errs, fmt.Errorf("parsing as OCSP response: %v", err))
+		}
+	}
+	if zlintResult == nil {
+		log.Fatalf("unable to parse input as any known type, errors: %v", errs)
 	}
 	jsonBytes, err := json.Marshal(zlintResult.Results)
 	if err != nil {
 
@@ -34,6 +34,14 @@ func TestOCSPThisUpdateNotAfterProducedAt(t *testing.T) {
 			inputPath: "ocspThisUpdateAfterProducedAt",
 			want:      lint.Error,
 		},
+		{
+			inputPath: "ocspThisUpdateNotAfterProducedAt.der",
+			want:      lint.Pass,
+		},
+		{
+			inputPath: "ocspThisUpdateAfterProducedAt.der",
+			want:      lint.Error,
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.inputPath, func(t *testing.T) {
 
@@ -218,13 +218,14 @@ func ReadTestRevocationList(tb testing.TB, inPath string) *x509.RevocationList {
 
 	if strings.Contains(string(data), "-BEGIN X509 CRL-") {
 		block, _ := pem.Decode(data)
-		if block == nil { //nolint: staticcheck // tb.Fatalf exits
+		if block == nil {
 			tb.Fatalf(
 				"Failed to PEM decode test revocation list from %q - "+
 					"Does a unit test have a buggy test cert file?\n",
 				fullPath)
+		} else {
+			data = block.Bytes
 		}
-		data = block.Bytes //nolint: staticcheck // tb.Fatalf exits
 	}
 
 	theCrl, err := x509.ParseRevocationList(data)
@@ -238,28 +239,30 @@ func ReadTestRevocationList(tb testing.TB, inPath string) *x509.RevocationList {
 	return theCrl
 }
 
-// ReadTestOCSPResponse loads a ocsp.Response from the given inPath which is assumed
-// to be relative to `testdata/`. The OCSP file must contain the OCSP response in
-// Base64 encoding. openssl ocsp -resp_text -respin <(base64 -d the_filename)
-// To decode it using OpenSSL, store the base64-encoded in string in a file, and run:
-// Important: ReadTestOCSPResponse is only appropriate for unit tests. It will panic if
-// the inPath file can not be loaded.
+// ReadTestOCSPResponse loads an OCSP response from the given inPath, which should be
+// relative to `testdata/`. If the filename ends with `.der`, the file is treated as a
+// binary DER-encoded OCSP response. Otherwise, the file is expected to contain a base64-encoded
+// OCSP response.
+//
+// This function is intended for use in unit tests only. It will call tb.Fatalf if the file cannot
+// be read, decoded, or parsed.
 func ReadTestOCSPResponse(tb testing.TB, inPath string) *ocsp.Response {
 	tb.Helper()
 	fullPath := "../../testdata/" + inPath
-	base64Data, err := os.ReadFile(fullPath)
+	fileContent, err := os.ReadFile(fullPath)
 	if err != nil {
 		tb.Fatalf("Failed to read file: %v", err)
 	}
-	data, err := base64.StdEncoding.DecodeString(string(base64Data))
-	if err != nil {
-		tb.Fatalf("Failed to decode base64 data: %v", err)
-	}
-	if err != nil {
-		tb.Fatalf(
-			"Unable to read test ocsp response from %q - %q "+
-				"Does a unit test have an incorrect test file name?\n",
-			fullPath, err)
+
+	var data []byte
+	switch {
+	case strings.HasSuffix(inPath, ".der"):
+		data = fileContent
+	default:
+		data, err = base64.StdEncoding.DecodeString(string(fileContent))
+		if err != nil {
+			tb.Fatalf("Failed to decode base64 data: %v", err)
+		}
 	}
 
 	theOcspResponse, err := ocsp.ParseResponse(data, nil)