I'm trying to verify an X509 certificate using python. In particular I need to check CRLs when I do it.
开发者_如何学编程Now, you can use m2crypto to do this, but I can't find an option corresponding to openssl's -crl_check or -crl_check_all.
Alternatively, I could use a pipe and call openssl directly:
p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"],
stdin = PIPE, stdout = PIPE, stderr = PIPE)
message, error = p1.communicate(certificate)
exit_code = p1.returncode
However, it seems that openssl verify always returns an exit code 0, so I would have to compare strings somehow to tell if the verification is successful, which I'd prefer not to do.
Am I missing something simple here?
Thanks.
OK, well what I've done is this:
p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"],
stdin = PIPE, stdout = PIPE, stderr = PIPE)
message, error = p1.communicate(certificate)
verified = ("OK" in message and not "error" in message)
It's not what I would have chosen. It has passed my tests, but I'm not certain that it will always work. I don't know C well enough to read the openssl source code and verify it.
If anyone can find a situation where this would fail, please comment.
I submitted a patch to M2Crypto that allows X509 certificate verification against a chain of CAs as well as multiple CRLs.
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2
See this post for more info: How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting
Looking at the source code of openssl's verify.c, it indeed returns 0 all the time, and there's no way to change that. However, you don't need to call openssl on the command line: there are python bindings for the library.
精彩评论