It includes examples on why this is a terrible idea. Trusted cert (maybe add_trusted_cert would be a better name?). If we look at the documentation, add_cert itself adds a We see this code makes no distinction between the root_cert and the I found this thread on Python's cryptography-dev mailing lists (which links back to this answer): The code found in pyOpenSSL's tests are flawed! That means that in the case where the intermediate is sent, as well as the client certificate, the entire chain is trusted.ĭo not do this. While the response of Avi Das is valid for the trivial case of verifying a single trust anchor with a single leaf certificate, it places trust in the intermediate certificate. Is there a simple, straightforward way to go about validating my certificates chain of trust in Python? There's also this answer on a similar thread here in which John Matthews claims to have a patch written which will do it, but unfortunately the patch link is now dead - and anyway there is a comment on that thread stating that the patch did not work with openssl 0.9.8e.Īll answers relating to validating a certificates chain of trust in python seem to either link to the dead patch or go back to m2ext. If not ctx.validate_certificate(cert): # always happens On another thread about this problem (at ) abbot explains that m2crypto is incapable of doing this validation and says that he has written an extension to allow validation (using the module m2ext) but his patch never seems work, always returning false even though I know it's valid: from m2ext import SSLĬtx.load_verify_locations(capath='/etc/ssl/certs/') # I have run c_rehash in this directory to generate a list of cert files with signature based names I also do not have any open connections and so using a connection based validation solution (like is mentioned in this answer / thread: ) will not work either. It is not feasible for me to write the certificate to disk in order to use a command line utility like openssl through something like subprocess, so it must be done through python. However, validating the certificate chain is a problem. The certificate is easily grabbed and loaded using requests and M2Crypto import requestsĬert = X509.load_cert_string(str(mypem.text), X509.FORMAT_PEM) I am having a hard time doing this in python and my research into the subject is not yielding anything useful. During a response, the API server sends over a link to an X509 certificate (in PEM format, composed of a signing certificate and one or more intermediate certificates to a root CA certificate ) that I must download and use to do further verification.īefore using the certificate, I need to ensure that all certificates in the chain combine to create a chain of trust to a trusted root CA certificate (to detect and avoid any malicious requests). I am working on implementing a web application that utilizes an API.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |