[ssh_x509] OCSP validation request to all the certificates in chain except root CA certificate

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Apr 29 17:38:13 EEST 2020


Hi Roumen,
Thanks for your response. With the changes in ssh_x509store_cb in the
statement after the check for revoked, an OCSP request is being sent for each
certificate.
But the order of certificate validation is root CA, intermediate CA (if
any) and then user certificate. I want it to be in the opposite order, i.e.
certificate validation should start with the user certificate, then the
intermediate CA (if any) and finally the root CA. This is required for the
delegated OCSP model.
Would you be able to help in reversing the order in which the certificate
chain is sent for validation?

Thanks & Regards
Mohit Gupta

On Tue, Apr 28, 2020 at 11:23 PM <ssh_x509 at roumenpetrov.info> wrote:

> Hi Mohit,
> ssh_x509 at roumenpetrov.info wrote:
> > Hi Roumen,
> > While browsing through the code, I found following comment in x509store.c
> >
> > /* To minimize network latency and keeping in mind 1.) we send
> >   * 'OCSP request' only for the last certificate in the chain, i.e.
> >   * the sent client or server certificate.
> >   *
> >   * Therefore instead to send OCSP request in ssh_x509revoked_cb()
> >   * we do this here.
> >   */
> > ret = ssh_ocsp_validate(_cert, x509store);
> >
> > Would you be able to help me in getting the changes so that an OCSP request
> > can be sent for all the certificates in the chain except the root CA
> > certificate?
>
> One place is the X509 verify callback, i.e. ssh_x509store_cb, in the statement
> after the check for revoked.
> To avoid the root check for self-issued certificates: function ssh_X509_is_selfsigned().
> Remark: The function name is not perfect.
>
> Note the existing check for self-issued is quite specific.
>
> >
> > Thanks in advance,
> > Mohit Gupta
>
> Roumen
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
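Added example, not code from the ssh_x509 project or from either correspondent: the point of the thread is that OpenSSL's X509 verify callback is invoked once per chain depth starting at the root and ending at the leaf (depth 0), so the natural place to run a leaf-first OCSP pass is to collect the chain in the callback and act when depth 0 is reached. The block below models that with a small Cert record instead of real X.509 objects (all names, the `Cert` fields, the subject == issuer self-issued test and the `VerifyCallbackCollector` class are assumptions for illustration). It also carries the delegated-model responder check the requester mentions: per RFC 6960 section 4.2.2.2 a delegated responder certificate must be issued directly by the CA that issued the certificate being checked and must carry the id-kp-OCSPSigning extended key usage.

```python
"""Leaf-first OCSP pass over a chain delivered root-first by a verify callback.

Added illustration only; not ssh_x509 / OpenSSH code. Certificates are modelled
as plain records so the logic runs offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    # Assumed minimal stand-in for an X509 object (names, not DER).
    subject: str
    issuer: str
    serial: int
    eku: frozenset = frozenset()  # extended key usage names, e.g. "OCSPSigning"


def is_self_issued(cert: Cert) -> bool:
    """The 'quite specific' self-issued test discussed in the thread:
    subject name equals issuer name. A real check would also verify the
    signature with the certificate's own key."""
    return cert.subject == cert.issuer


def ocsp_targets(chain_root_first: List[Cert]) -> List[Tuple[Cert, Cert]]:
    """Take the chain in the order the verify callback saw it (root ... leaf)
    and return (certificate, issuer) pairs leaf-first, skipping the
    self-issued root. An OCSP request needs the issuer (name and key hashes)
    plus the target serial, hence the pairing."""
    chain = list(reversed(chain_root_first))  # leaf first, root last
    targets: List[Tuple[Cert, Cert]] = []
    for i, cert in enumerate(chain):
        if is_self_issued(cert):
            continue  # no OCSP request for the root CA certificate
        issuer = chain[i + 1] if i + 1 < len(chain) else None
        if issuer is None or issuer.subject != cert.issuer:
            raise ValueError(f"chain broken at {cert.subject!r}")
        targets.append((cert, issuer))
    return targets


class VerifyCallbackCollector:
    """Mimics doing the work inside an OpenSSL verify callback: it is called
    once per depth, root first, so we only accumulate until depth 0 (the
    peer certificate) arrives and then compute the leaf-first OCSP list."""

    def __init__(self) -> None:
        self.seen: List[Cert] = []
        self.targets: Optional[List[Tuple[Cert, Cert]]] = None

    def __call__(self, ok: int, depth: int, current_cert: Cert) -> int:
        if not ok:
            return 0  # do not override a failure from the base verification
        self.seen.append(current_cert)
        if depth == 0:
            self.targets = ocsp_targets(self.seen)
        return 1


def responder_acceptable(target_issuer: Cert, responder: Cert) -> bool:
    """Delegated OCSP model (RFC 6960 4.2.2.2): the responder certificate must
    be issued directly by the CA that issued the target certificate and must
    carry id-kp-OCSPSigning."""
    return (responder.issuer == target_issuer.subject
            and "OCSPSigning" in responder.eku)


# Constructed sample chain: root -> intermediate -> user certificate.
ROOT = Cert("Example Root CA", "Example Root CA", 1)
INTER = Cert("Example Issuing CA", "Example Root CA", 2)
LEAF = Cert("mohit@example", "Example Issuing CA", 3)
RESPONDER = Cert("Example OCSP Responder", "Example Issuing CA", 4,
                 frozenset({"OCSPSigning"}))


def demo() -> List[str]:
    """Drive the collector in verify-callback order and return the subjects
    that would receive an OCSP request, in the order they are queried."""
    cb = VerifyCallbackCollector()
    for depth, cert in ((2, ROOT), (1, INTER), (0, LEAF)):
        cb(1, depth, cert)
    assert cb.targets is not None
    return [cert.subject for cert, _issuer in cb.targets]


if __name__ == "__main__":
    print(demo())
    print(responder_acceptable(INTER, RESPONDER))
```

The collector does nothing at depths above 0, which is what the requester is asking for: the verify callback cannot change the order in which OpenSSL walks the chain, but it can defer the OCSP work until the leaf has been seen and then walk its own copy of the chain leaf-first. In the real callback `X509_STORE_CTX_get_current_cert()` and `X509_STORE_CTX_get_error_depth()` supply the per-call arguments modelled here.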
