Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
402 views
in Technique[技术] by (71.8m points)

python - How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting

I'm trying to figure out how to, using m2crypto, validate the chain of trust from a public key version of a X509 certificate back to one of a set of known root CA's when the chain may be arbitrarily long. The SSL.Context module looks promising except that I'm not doing this in the context of a SSL connection and I can't see how the information passed to load_verify_locations is used.

Essentially, I'm looking for the interface that's equivalent to: openssl verify pub_key_x509_cert

Is there something like that in m2crypto?

Thanks.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I have modified a different M2Crypto patch and with this we are able to verify a X509 Certificate against a chain of CAs, plus it allows the usage of Certificate Revocation List (CRL)s.

The heart of allowing chain verification with M2Crypto is exposing "verify_cert()" on a X509_Store_Context. Basic flow is:

  1. Add your CAs/CRLs to a X509_Store
  2. Use a X509_Store_Context to verify the certificate of interest

My patch enhances CRL support as well as allowing chain verification. https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2

We are using this patch as part of Pulp, we have a wiki page below which shares some more info on how we are doing the verification with a chain: https://fedorahosted.org/pulp/wiki/CertChainVerification


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

1.4m articles

1.4m replys

5 comments

57.0k users

...