Fix OCSP->CRL fallback

[padelsbach]

Description

The CRL fallback code was found to be unreachable in internal.c due to return code checking.

• Fix OCSP-to-CRL fallback when OCSP returns CERT_UNKNOWN status for both leaf and non-leaf (intermediate) certificate paths in ProcessPeerCerts().
• Add two TLS-level tests that verify CRL fallback works when OCSP returns CERT_UNKNOWN, covering the leaf path and the non-leaf (OCSP_CHECKALL + CRL_CHECKALL) path
• Add CERT_UNKNOWN support to the Python OCSP test blob generator and new test cert/CRL artifacts

Testing

Added new tests to exercise the CRL fallback for both intermediate and leaf certs, and generation scripts.

Checklist

• [x ] added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

This PR fixes the OCSP-to-CRL fallback mechanism when OCSP returns a CERT_UNKNOWN status. The fallback was previously unreachable due to incorrect return code checking in internal.c. The fix allows both leaf and non-leaf certificates to fall back to CRL verification when OCSP status is unknown.

Changes:

• Fixed return code checks in internal.c to enable CRL fallback when OCSP returns CERT_UNKNOWN
• Added two TLS-level integration tests verifying the fallback works for both leaf and intermediate certificates
• Enhanced the Python OCSP test blob generator to support CERT_UNKNOWN responses

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/internal.c	Modified return code checks to allow CRL fallback when OCSP returns CERT_UNKNOWN
tests/api/test_ocsp.c	Added two new test functions for leaf and non-leaf CRL fallback scenarios
tests/api/test_ocsp.h	Added declarations for the two new test functions
tests/api.c	Registered the two new tests in the test suite
tests/api/create_ocsp_test_blobs.py	Added CERT_UNKNOWN status support and two new test response configurations
tests/api/test_ocsp_test_blobs.h	Updated OCSP response blobs with new timestamps and two new CERT_UNKNOWN responses
certs/ocsp/server1-chain-noroot.pem	Added new certificate chain file for testing (server1 + intermediate1 without root)
certs/ocsp/root-ca-crl.pem	Added empty CRL from root CA for testing
certs/ocsp/renewcerts.sh	Added script commands to generate server1-chain-noroot.pem
certs/ocsp/include.am	Added new certificate and CRL files to distribution
certs/crl/gencrls.sh	Added steps to generate the root-ca CRL
.gitignore	Added Python cache directory to gitignore

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This complex shell pipeline is fragile and hard to understand. The command assumes server1-cert.pem contains exactly two certificates and extracts everything up to the second 'END CERTIFICATE' marker. Consider adding a comment explaining what this does (extract server1 + intermediate1 certs) and why, or refactoring into a helper function with clearer intent.

Suggested change

	# (used by tests that need a chain where the root is not sent by the server)
	# (used by tests that need a chain where the root is not sent by the server)
	# Extract the first two certificates (server1 leaf + intermediate1) from server1-cert.pem:
	# - server1-cert.pem is expected to contain exactly two PEM certificates
	# - grep -n finds lines containing 'END CERTIFICATE' with line numbers
	# - head -2 | tail -1 selects the second 'END CERTIFICATE' line
	# - cut -d: -f1 extracts its line number
	# - head -n <line> server1-cert.pem outputs everything up to and including that line

[Copilot]

The step numbers are now out of sequence. The previous step was 'Step 30' at line 237, but this section starts with 'Step 31' despite being added after line 243. While the numbers still increment correctly within this new section, there's a gap between the existing code and the new code that could cause confusion during debugging or maintenance.