[ssh_x509] OCSP validation request to all the certificate in chain except root CA certificate

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Fri May 1 18:31:07 EEST 2020

Hi Mohit,

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> Thanks for your response. With the changes in ssh_x509store_cb  in
> statement after check for revoked, OCSP request is being sent for each
> certificate.
> But the order of certificate validation is root CA, intermediate CA (if
> any) and then user certificate. I want it to be in opposite order i.e.
> certificate validation should start with
> user certificate, intermediate CA (if any) and then at last root CA. This
> is required for delegated OCSP model.
> Would you be able to help in reversing the order in which certificate chain
> is being sent for validation ?
Order is from openssl library .

There is a function ssh_x509store_build_certchain that returns "chain" for specified certificate . For untrusted pass NULL.

Also you could call X509_STORE_CTX_get1_chain. If PKIX-SSH code where is called ssh_ocsp_validate the chain is "complete and validated", i.e. ssh_verify_cert call X509_verify_cert and result is positive.

> Thanks & Regards
> Mohit Gupta


More information about the ssh_x509 mailing list