python - How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting

Question

I'm trying to figure out how to, using m2crypto, validate the chain of trust from a public key version of a X509 certificate back to one of a set of known root CA's when the chain may be arbitrarily long. The SSL.Context module looks promising except that I'm not doing this in the context of a SSL connection and I can't see how the information passed to load_verify_locations is used.

Essentially, I'm looking for the interface that's equivalent to: openssl verify pub_key_x509_cert

Is there something like that in m2crypto?

Thanks.

Answer 1

I have modified a different M2Crypto patch and with this we are able to verify a X509 Certificate against a chain of CAs, plus it allows the usage of Certificate Revocation List (CRL)s.

The heart of allowing chain verification with M2Crypto is exposing "verify_cert()" on a X509_Store_Context. Basic flow is:

1. Add your CAs/CRLs to a X509_Store
2. Use a X509_Store_Context to verify the certificate of interest

My patch enhances CRL support as well as allowing chain verification. https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2

We are using this patch as part of Pulp, we have a wiki page below which shares some more info on how we are doing the verification with a chain: https://fedorahosted.org/pulp/wiki/CertChainVerification