How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting
I'm trying to figure out how to, using m2crypto, validate the chain of trust from a public key version of an X509 certificate back to one of a set of known root CAs when the chain may be arbitrarily long. The SSL.Context module looks promising except that I'm not doing this in the context of an SSL connection and I can't see how the information passed to load_verify_locations is used.

Essentially, I'm looking for the interface that's equivalent to: openssl verify pub_key_x509_cert

Is there something like that in m2crypto?

Thanks.

Dreibund answered 13/4, 2010 at 3:29

There is a patch that might need to be updated slightly, and it would need unit tests for me to check it in. Contributions welcome!

Another convoluted way would be to create an in-memory SSL session where you do the validation. The Twisted wrapper effectively works this way; Twisted acts as a dumb network pipe without knowing anything about the data, and M2Crypto encrypts/decrypts the data in memory, doing certificate validation on the side.

Donny answered 14/4, 2010 at 3:43

I have modified a different M2Crypto patch and with this we are able to verify an X509 Certificate against a chain of CAs, plus it allows the usage of Certificate Revocation Lists (CRLs).

The heart of allowing chain verification with M2Crypto is exposing "verify_cert()" on an X509_Store_Context. Basic flow is:

  1. Add your CAs/CRLs to an X509_Store
  2. Use an X509_Store_Context to verify the certificate of interest

My patch enhances CRL support as well as allowing chain verification. https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2

We are using this patch as part of Pulp, we have a wiki page below which shares some more info on how we are doing the verification with a chain: https://fedorahosted.org/pulp/wiki/CertChainVerification

Ashleaashlee answered 25/1, 2012 at 18:5

Comment by Ashleaashlee: Additionally we have a set of unittests showing basic chain verification below: git.fedorahosted.org/git/?p=pulp.git;a=blob;f=playpen/certs/… Scripts to setup the test data are here: git.fedorahosted.org/git/?p=pulp.git;a=tree;f=playpen/certs/…
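The two-step flow in the answer above (load CAs and CRLs into a store, then verify the certificate of interest against it) is exactly what the openssl(1) command named in the question does, so here is an added example, not code from the thread, from M2Crypto or from Pulp, that demonstrates the same checks with the openssl CLI. It generates a throwaway root -> intermediate -> leaf chain (constructed test data; the "Example root", "Example inter" and "Example leaf" names and the pki.cnf layout are assumptions of this example), then shows the three outcomes a verifier must distinguish: a valid chain, a chain that cannot be built because the intermediate was not supplied, and a leaf that its issuer has revoked via a CRL. It assumes the openssl CLI (1.1.x or 3.x) and mktemp are available.

```shell
#!/bin/sh
# Added example, not from the thread or M2Crypto: openssl(1) equivalent of
# "add CAs/CRLs to a store, then verify the certificate of interest".
# All keys and certificates below are constructed test data.

# build_pki DIR: write config, keys and certificates under DIR (absolute path).
build_pki() {
    d=$1
    mkdir -p "$d"
    : > "$d/index.txt"              # 'openssl ca' certificate database, empty
    echo 01 > "$d/crlnumber"        # serial number of the next CRL
    cat > "$d/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash

[ ca ]
default_ca = inter_ca
[ inter_ca ]
database = $d/index.txt
crlnumber = $d/crlnumber
private_key = $d/inter.key
certificate = $d/inter.pem
default_md = sha256
default_crl_days = 30
EOF
    for name in root inter leaf; do
        openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
        openssl req -new -config "$d/pki.cnf" -key "$d/$name.key" \
            -subj "/CN=Example $name" -out "$d/$name.csr" 2>/dev/null
    done
    # Self-signed root CA: the only trust anchor the verifier will be given.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 -sha256 \
        -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root; it also signs the CRL later on.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1000 -days 365 -sha256 -extfile "$d/pki.cnf" -extensions ca_ext \
        -out "$d/inter.pem" 2>/dev/null
    # End-entity leaf, signed by the intermediate: the certificate under test.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 1001 -days 365 -sha256 -extfile "$d/pki.cnf" -extensions leaf_ext \
        -out "$d/leaf.pem" 2>/dev/null
}

# verify_chain DIR: trust only the root; hand over the intermediate as an
# untrusted link the verifier may use to build the path. Returns 0 on success.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem"
}

# verify_without_intermediate DIR: same trust anchor, no intermediate.
# Expected to fail: leaf -> root cannot be bridged, however long the chain.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
}

# revoke_leaf DIR: record the leaf as revoked in the intermediate's database
# and publish a CRL signed by the intermediate.
revoke_leaf() {
    openssl ca -config "$1/pki.cnf" -revoke "$1/leaf.pem" >/dev/null 2>&1 &&
    openssl ca -config "$1/pki.cnf" -gencrl -out "$1/inter.crl" >/dev/null 2>&1
}

# verify_with_crl DIR: the chain check again, now with the CRL in the store
# and CRL checking enabled for the leaf. Returns non-zero once revoked.
verify_with_crl() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        -CRLfile "$1/inter.crl" -crl_check "$1/leaf.pem"
}

run_demo() {
    dir=$(mktemp -d)
    build_pki "$dir"
    echo "1. full chain:";           verify_chain "$dir"
    echo "2. intermediate missing:"; verify_without_intermediate "$dir" || true
    revoke_leaf "$dir"
    echo "3. after revocation:";     verify_with_crl "$dir" || true
    rm -rf "$dir"
}

run_demo
```

Each flag maps onto the store-based flow in the answer: -CAfile is the set of trusted CAs placed in the store, -untrusted is the intermediate material the verifier is allowed to use but not to trust on its own, and -CRLfile with -crl_check is the CRL added to the store plus the flag that makes revocation a hard failure. Step 2 is the case the question worries about: without the intermediate, a correct verifier refuses rather than guessing, which is why any non-SSL verifier needs a way to be handed the untrusted chain as well as the trust anchors.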
