How do I verify an SSL certificate in Python?
<p>I need to verify that a certificate was signed by my custom CA. Using OpenSSL command-line utilities this is easy to do:</p>
<pre><code># Custom CA file: ca-cert.pem
# Cert signed by above CA: bob.cert
$ openssl verify -CAfile test-ca-cert.pem bob.cert
bob.cert: OK
</code></pre>
<p>But I need to do the same thing in Python, and I really don't want to call out to command-line utilities. As far as I'm aware, M2Crypto is the "most complete" Python wrapper for OpenSSL, but I can't figure out how to accomplish what the command-line utility does!</p>
<p>Referencing <a href="https://stackoverflow.com/questions/3288694/validating-x-509-certificate-on-linux">this question</a> for how to accomplish this same task in C code, I've been able to get about half-way. <em>The variable names I chose are the same ones used in the source code for the openssl verify command-line utility, see <code>openssl-xxx/apps/verify.c</code>.</em></p>
<pre><code>import M2Crypto as m2

# Load the certificates
cacert = m2.X509.load_cert('test-ca-cert.pem')  # Create cert object from CA cert file
bobcert = m2.X509.load_cert('bob.cert')         # Create cert object from Bob's cert file

cert_ctx = m2.X509.X509_Store()                 # Step 1 from referenced C code steps
csc = m2.X509.X509_Store_Context(cert_ctx)      # Step 2 &amp; 5

cert_ctx.add_cert(cacert)                       # Step 3
cert_ctx.add_cert(bobcert)                      # ditto

# Skip step 4 (no CRLs to add)
# Step 5 is combined with step 2...I think. (X509_STORE_CTX_init: Python creates and
# initialises an object in the same step)
# Skip step 6? (can't find anything corresponding to
# X509_STORE_CTX_set_purpose, not sure if we need to anyway???)
#
# It all falls apart at this point, as steps 7 and 8 don't have any corresponding
# functions in M2Crypto -- I even grepped the entire source code of M2Crypto, and
# neither of the following functions is present in it:
# Step 7: X509_STORE_CTX_set_cert - Tell the context which certificate to validate.
# Step 8: X509_verify_cert - Finally, validate it
</code></pre>
<p>So I'm halfway there, but I can't seem to actually get the validation done! Am I missing something? Is there some other function I should be using from M2Crypto? Should I be looking for a completely different Python wrapper of OpenSSL? How can I accomplish this task in Python!?!?</p>
<p><em>Note that I'm using certificates to encrypt/decrypt FILES, so I'm not interested in using the SSL-connection-based peer certificate verification (which has <a href="https://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python">already been answered</a>), because I don't have any SSL connections going.</em></p>
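The following is an added example, not code from the question or from M2Crypto, showing what the core of `openssl verify -CAfile ca.pem cert.pem` actually checks and how to do it in Python with the `cryptography` package (assumed to be installed). All function and helper names are my own. It builds a throwaway CA, issues a leaf certificate, and then checks that leaf against the real CA, against a look-alike CA with the same name but a different key, and against an unrelated CA, so the three failure paths (issuer name mismatch, signature mismatch, validity window) are visible.

```python
"""Check that an X.509 certificate was directly issued by a given CA.

Added example for this thread (not from the question or M2Crypto); uses the
`cryptography` package, assumed installed. Names below are my own.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def _validity(cert):
    # not_valid_*_utc exist since cryptography 42; fall back to the older naive attributes
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_issued_by(cert, ca_cert, now=None):
    """Return (True, "OK") if `cert` was signed by `ca_cert`, else (False, reason)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if cert.issuer != ca_cert.subject:
        return False, "issuer name does not match the CA subject"
    try:
        if not ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, "signer certificate is not marked as a CA"
    except x509.ExtensionNotFound:
        return False, "signer certificate has no BasicConstraints extension"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return False, "certificate is outside its validity period"
    pub = ca_cert.public_key()
    try:
        # The signature covers the DER of tbsCertificate; RSA certs are assumed PKCS#1 v1.5 here
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False, "unsupported CA key type"
    except InvalidSignature:
        return False, "signature does not verify under the CA public key"
    return True, "OK"


def verify_pem_files(cert_path, ca_path):
    """File-based wrapper mirroring `openssl verify -CAfile <ca_path> <cert_path>`."""
    with open(ca_path, "rb") as f:
        ca_cert = x509.load_pem_x509_certificate(f.read())
    with open(cert_path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read())
    return verify_issued_by(cert, ca_cert)


# --- constructed fixtures: throwaway CAs and leaves generated in memory for the demo ---

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def make_ca(cn):
    """Self-signed EC CA; returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = _builder(_name(cn), _name(cn), key.public_key(), True).sign(key, hashes.SHA256())
    return key, cert


def issue_leaf(ca_key, ca_cert, cn):
    """End-entity certificate for `cn`, signed by the given CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _builder(_name(cn), ca_cert.subject, key.public_key(), False).sign(ca_key, hashes.SHA256())


def demo():
    """Good leaf passes; a same-named impostor CA fails on signature; a different CA on name."""
    ca_key, ca_cert = make_ca("Test CA")
    bob = issue_leaf(ca_key, ca_cert, "bob")
    impostor_key, impostor_cert = make_ca("Test CA")   # same subject, different key
    forged = issue_leaf(impostor_key, impostor_cert, "bob")
    _, other_cert = make_ca("Other CA")
    return {"bob": verify_issued_by(bob, ca_cert),
            "forged": verify_issued_by(forged, ca_cert),
            "other_ca": verify_issued_by(bob, other_cert)}


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'OK' if ok else 'FAIL'} ({reason})")
```

This is the single-step check (issuer name, CA flag, validity window, signature over `tbsCertificate`), which is enough when, as in the question, the leaf is signed directly by your own CA. `openssl verify` additionally builds a chain through intermediates, checks purpose and key-usage extensions, and can consult CRLs; for that full path validation from Python, pyOpenSSL's `OpenSSL.crypto.X509Store` plus `X509StoreContext(store, cert).verify_certificate()` is the closest equivalent to the M2Crypto store/context objects the question sets up.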