How do I verify an X509 certificate in python (including CRL checks)?
I'm trying to verify an X509 certificate using python. In particular I need to check CRLs when I do it.
Now, you can use m2crypto to do this, but I can't find an option corresponding to openssl's -crl_check or -crl_check_all.
Alternatively, I could use a pipe and call openssl directly:
from subprocess import Popen, PIPE

# Run "openssl verify" with CRL checking, feeding the PEM certificate on stdin.
p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"],
           stdin=PIPE, stdout=PIPE, stderr=PIPE)
message, error = p1.communicate(certificate)
exit_code = p1.returncode
However, it seems that openssl verify always returns an exit code 0, so I would have to compare strings somehow to tell if the verification is successful, which I'd prefer not to do.
Am I missing something simple here?
Thanks.
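As an added example (not part of the original question or any answer), here is one way to make the pipe approach usable even when the exit code carries no information: parse the text that openssl verify prints rather than comparing whole strings. The line formats ("<name>: OK" and "error N at D depth lookup: message") are assumed from typical OpenSSL output and vary slightly between releases; the sample outputs below are constructed, not captured from a real run.

```python
import re
from subprocess import PIPE, Popen

# Line formats assumed from typical "openssl verify" output.
_OK_RE = re.compile(r"^(?P<name>\S+): OK$")
_ERR_RE = re.compile(
    r"^error (?P<code>\d+) at (?P<depth>\d+) depth lookup:\s*(?P<msg>.+)$"
)


def parse_verify_output(text):
    """Turn the text printed by 'openssl verify' into a verdict.

    Returns (ok, errors), where errors is a list of (code, depth, message).
    The certificate counts as valid only if a '<name>: OK' line is present
    AND no 'error N at D depth lookup' line appears. With -crl_check or
    -crl_check_all a revoked certificate shows up as error 23
    (X509_V_ERR_CERT_REVOKED).
    """
    ok_seen = False
    errors = []
    for line in text.splitlines():
        line = line.strip()
        if _OK_RE.match(line):
            ok_seen = True
            continue
        m = _ERR_RE.match(line)
        if m:
            errors.append((int(m.group("code")), int(m.group("depth")),
                           m.group("msg")))
    return ok_seen and not errors, errors


def verify_with_crl(certificate_pem, capath):
    """Run 'openssl verify -crl_check_all' on a PEM certificate (bytes).

    The verdict comes from the parsed output, so it does not depend on
    whether this openssl build signals failure through the exit code;
    a non-zero exit code is still honoured when present.
    """
    p = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"],
              stdin=PIPE, stdout=PIPE, stderr=PIPE)
    out, err = p.communicate(certificate_pem)
    ok, errors = parse_verify_output((out + err).decode("utf-8", "replace"))
    return ok and p.returncode == 0, errors


# Constructed sample outputs (not captured from a real openssl run).
SAMPLE_OK = "stdin: OK\n"
SAMPLE_REVOKED = ("stdin: C = XX, O = Example, CN = revoked.example\n"
                  "error 23 at 0 depth lookup: certificate revoked\n")
```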
OK, well what I've done is this:
It's not what I would have chosen. It has passed my tests, but I'm not certain that it will always work. I don't know C well enough to read the openssl source code and verify it.
If anyone can find a situation where this would fail, please comment.
I submitted a patch to M2Crypto that allows X509 certificate verification against a chain of CAs as well as multiple CRLs.
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2
See this post for more info:
How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting
Looking at the source code of openssl's verify.c, it indeed returns 0 all the time, and there's no way to change that. However, you don't need to call openssl on the command line: there are python bindings for the library.