[ssh_x509] OCSP validation request for all the certificates in the chain except the root CA certificate

ssh_x509 at roumenpetrov.info
Tue May 5 17:00:34 EEST 2020


Hi Roumen,

I have tried adding the ssh_ocsp_validate() call in ssh_x509store_cb after
the statement that checks for revoked certificates, but I am unable to get the
issuer certificate for the user certificate, because of which OCSP validation
is failing for the user certificate and the OCSP request is not even sent for
it. Kindly find the sshd logs below and suggest a solution to fix this issue.

debug3: ssh_ocsp_validate: for root CA
debug3: ssh_ocsp_validate4cert: no OCSP 'Service Locator' URL    >> root certificate, no OCSP URL

debug3: ssh_ocsp_validate: for Intermediate CA
debug3: ssh_ocsp_get_basicresp: OK                               >> intermediate certificate, validated successfully by OCSP
debug3: ssh_ocsp_check_validity: cert[0]=''
debug1: ssh_ocsp_check_validity: status=good
debug3: ssh_ocsp_check_validity: This Update=May 5 13:35:46 2020 GMT
debug3: ssh_ocsp_check_validity: return 1
debug3: ssh_ocsp_validate4cert: validation result=1

debug3: ssh_ocsp_validate: for User certificate
ssh_ocspreq_addcert: cannot found issuer certificate             >> user certificate, I am getting this error
debug3: ssh_ocsp_validate4cert: validation result=-1

Thanks & Regards
Mohit Gupta

On Fri, May 1, 2020 at 9:01 PM <ssh_x509 at roumenpetrov.info> wrote:

> Hi Mohit,
>
> ssh_x509 at roumenpetrov.info wrote:
> > Hi Roumen,
> > Thanks for your response. With the changes in ssh_x509store_cb in the
> > statement after the check for revoked, an OCSP request is being sent for
> > each certificate.
> > But the order of certificate validation is root CA, intermediate CA (if
> > any) and then user certificate. I want it to be in the opposite order, i.e.
> > certificate validation should start with the user certificate, then the
> > intermediate CA (if any) and last the root CA. This is required for the
> > delegated OCSP model.
> > Would you be able to help in reversing the order in which the certificate
> > chain is being sent for validation?
> The order is from the OpenSSL library.
>
> There is a function ssh_x509store_build_certchain that returns the "chain"
> for a specified certificate. For untrusted, pass NULL.
>
> Also you could call X509_STORE_CTX_get1_chain. In the PKIX-SSH code where
> ssh_ocsp_validate is called, the chain is "complete and validated", i.e.
> ssh_verify_cert calls X509_verify_cert and the result is positive.
>
>
> > Thanks & Regards
> > Mohit Gupta
> >
> [SNIP]
>
> Roumen
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>

