diff --git a/cmd/csaf_checker/processor_test.go b/cmd/csaf_checker/processor_test.go
new file mode 100644
index 00000000..b8b1b1f8
--- /dev/null
+++ b/cmd/csaf_checker/processor_test.go
@@ -0,0 +1,103 @@
+// This file is Free Software under the Apache-2.0 License
+// without warranty, see README.md and LICENSES/Apache-2.0.txt for details.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package main
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gocsaf/csaf/v3/internal/testutil"
+	"github.com/gocsaf/csaf/v3/util"
+)
+
+func TestShaMarking(t *testing.T) {
+	tests := []struct {
+		name              string
+		directoryProvider bool
+		enableSha256      bool
+		enableSha512      bool
+	}{
+		{
+			name:              "deliver sha256 and sha512",
+			directoryProvider: false,
+			enableSha256:      true,
+			enableSha512:      true,
+		},
+		{
+			name:              "only deliver sha256",
+			directoryProvider: false,
+			enableSha256:      true,
+			enableSha512:      false,
+		},
+		{
+			name:              "only deliver sha512",
+			directoryProvider: false,
+			enableSha256:      false,
+			enableSha512:      true,
+		},
+		{
+			name:              "only deliver sha256 and sha512, directory provider",
+			directoryProvider: true,
+			enableSha256:      true,
+			enableSha512:      true,
+		},
+		{
+			name:              "only deliver sha256, directory provider",
+			directoryProvider: true,
+			enableSha256:      true,
+			enableSha512:      false,
+		},
+		{
+			name:              "only deliver sha512, directory provider",
+			directoryProvider: true,
+			enableSha256:      false,
+			enableSha512:      true,
+		},
+	}
+
+	t.Parallel()
+	for _, testToRun := range tests {
+		test := testToRun
+		t.Run(test.name, func(tt *testing.T) {
+			tt.Parallel()
+			serverURL := ""
+			params := testutil.ProviderParams{
+				URL:          "",
+				EnableSha256: test.enableSha256,
+				EnableSha512: test.enableSha512,
+			}
+			server := httptest.NewTLSServer(testutil.ProviderHandler(&params, test.directoryProvider))
+			defer server.Close()
+
+			serverURL = server.URL
+			params.URL = server.URL
+
+			hClient := server.Client()
+			client := util.Client(hClient)
+
+			cfg := config{}
+			err := cfg.prepare()
+			if err != nil {
+				t.Fatalf("SHA marking config failed: %v", err)
+			}
+			p, err := newProcessor(&cfg)
+			if err != nil {
+				t.Fatalf("could not init downloader: %v", err)
+			}
+			p.client = client
+
+			// TODO check result of processor
+			_, err = p.run([]string{serverURL + "/provider-metadata.json"})
+			if err != nil {
+				t.Errorf("SHA marking %v: Expected no error, got: %v", test.name, err)
+			}
+			p.close()
+		})
+	}
+}
diff --git a/cmd/csaf_downloader/downloader_test.go b/cmd/csaf_downloader/downloader_test.go
index 1ae15242..d7eaae34 100644
--- a/cmd/csaf_downloader/downloader_test.go
+++ b/cmd/csaf_downloader/downloader_test.go
@@ -11,72 +11,16 @@ package main
 import (
 	"context"
 	"errors"
-	"html/template"
 	"log/slog"
-	"net/http"
 	"net/http/httptest"
 	"os"
-	"strings"
 	"testing"
 
 	"github.com/gocsaf/csaf/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/internal/testutil"
 	"github.com/gocsaf/csaf/v3/util"
 )
 
-type ProviderParams struct {
-	URL          string
-	EnableSha256 bool
-	EnableSha512 bool
-}
-
-func ProviderHandler(params *ProviderParams, directoryProvider bool) http.HandlerFunc {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		path := "../../testdata/"
-		if directoryProvider {
-			path += "simple-directory-provider"
-		} else {
-			path += "simple-rolie-provider"
-		}
-
-		path += r.URL.Path
-
-		if strings.HasSuffix(r.URL.Path, "/") {
-			path += "index.html"
-		}
-
-		content, err := os.ReadFile(path)
-		if err != nil {
-			w.WriteHeader(http.StatusNotFound)
-			return
-		}
-		switch {
-		case strings.HasSuffix(path, ".html"):
-			w.Header().Add("Content-Type", "text/html")
-		case strings.HasSuffix(path, ".json"):
-			w.Header().Add("Content-Type", "application/json")
-		case strings.HasSuffix(path, ".sha256") && directoryProvider && !params.EnableSha256:
-			w.WriteHeader(http.StatusNotFound)
-			return
-		case strings.HasSuffix(path, ".sha512") && directoryProvider && !params.EnableSha512:
-			w.WriteHeader(http.StatusNotFound)
-			return
-		default:
-			w.Header().Add("Content-Type", "text/plain")
-		}
-
-		tmplt, err := template.New("base").Parse(string(content))
-		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			return
-		}
-		err = tmplt.Execute(w, params)
-		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			return
-		}
-	})
-}
-
 func checkIfFileExists(path string, t *testing.T) bool {
 	if _, err := os.Stat(path); err == nil {
 		return true
@@ -169,12 +113,12 @@ func TestShaMarking(t *testing.T) {
 		t.Run(test.name, func(tt *testing.T) {
 			tt.Parallel()
 			serverURL := ""
-			params := ProviderParams{
+			params := testutil.ProviderParams{
 				URL:          "",
 				EnableSha256: test.enableSha256,
 				EnableSha512: test.enableSha512,
 			}
-			server := httptest.NewTLSServer(ProviderHandler(&params, test.directoryProvider))
+			server := httptest.NewTLSServer(testutil.ProviderHandler(&params, test.directoryProvider))
 			defer server.Close()
 
 			serverURL = server.URL
diff --git a/internal/testutil/testutil.go b/internal/testutil/testutil.go
new file mode 100644
index 00000000..455d217c
--- /dev/null
+++ b/internal/testutil/testutil.go
@@ -0,0 +1,73 @@
+// This file is Free Software under the Apache-2.0 License
+// without warranty, see README.md and LICENSES/Apache-2.0.txt for details.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+// Package testutil contains shared helper functions for testing the application.
+package testutil
+
+import (
+	"html/template"
+	"net/http"
+	"os"
+	"strings"
+)
+
+// ProviderParams configures the test provider.
+type ProviderParams struct {
+	URL          string
+	EnableSha256 bool
+	EnableSha512 bool
+}
+
+// ProviderHandler returns a test provider handler with the specified configuration.
+func ProviderHandler(params *ProviderParams, directoryProvider bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		path := "../../testdata/"
+		if directoryProvider {
+			path += "simple-directory-provider"
+		} else {
+			path += "simple-rolie-provider"
+		}
+
+		path += r.URL.Path
+
+		if strings.HasSuffix(r.URL.Path, "/") {
+			path += "index.html"
+		}
+
+		content, err := os.ReadFile(path)
+		if err != nil {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		switch {
+		case strings.HasSuffix(path, ".html"):
+			w.Header().Add("Content-Type", "text/html")
+		case strings.HasSuffix(path, ".json"):
+			w.Header().Add("Content-Type", "application/json")
+		case strings.HasSuffix(path, ".sha256") && directoryProvider && !params.EnableSha256:
+			w.WriteHeader(http.StatusNotFound)
+			return
+		case strings.HasSuffix(path, ".sha512") && directoryProvider && !params.EnableSha512:
+			w.WriteHeader(http.StatusNotFound)
+			return
+		default:
+			w.Header().Add("Content-Type", "text/plain")
+		}
+
+		tmplt, err := template.New("base").Parse(string(content))
+		if err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		err = tmplt.Execute(w, params)
+		if err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+	}
+}