
I'm trying to verify an X509 certificate using python. In particular I need to check CRLs when I do it.

Now, you can use m2crypto to do this, but I can't find an option corresponding to openssl's -crl_check or -crl_check_all.

Alternatively, I could use a pipe and call openssl directly:

from subprocess import Popen, PIPE

p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"],
           stdin=PIPE, stdout=PIPE, stderr=PIPE)

# certificate is the PEM-encoded certificate (bytes); openssl reads it from stdin
message, error = p1.communicate(certificate)
exit_code = p1.returncode

However, it seems that openssl verify always returns an exit code 0, so I would have to compare strings somehow to tell if the verification is successful, which I'd prefer not to do.

Am I missing something simple here?

Thanks.

wrgrs
  • possible duplicate of [How do I verify an SSL certificate in python?](http://stackoverflow.com/questions/4403012/how-do-i-verify-an-ssl-certificate-in-python) – phihag Oct 05 '11 at 11:08
  • In his code, there's: '# Skip step 4 (no CRLs to add)'. So it doesn't cover the CRL part which I'm interested in. – wrgrs Oct 05 '11 at 13:32

3 Answers


OK, well what I've done is this:

from subprocess import Popen, PIPE

p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"],
           stdin=PIPE, stdout=PIPE, stderr=PIPE)

# certificate is the PEM-encoded certificate (bytes); openssl reads it from stdin
message, error = p1.communicate(certificate)
message = message.decode()  # bytes under Python 3; decode before the substring checks

verified = ("OK" in message and "error" not in message)

It's not what I would have chosen. It has passed my tests, but I'm not certain that it will always work. I don't know C well enough to read the openssl source code and verify it.

If anyone can find a situation where this would fail, please comment.

wrgrs
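An added example, not from the question or either answer: a parser for the text `openssl verify` writes, applying the "OK and no error" rule above line by line and failing closed, since older openssl builds continue after some errors (an expired certificate or an expired CRL) and still print OK at the end. The function names and the sample outputs are my own; the samples are constructed to match the openssl output format, and a nonzero exit status (which newer OpenSSL releases do return on failure) is honoured as well.

```python
import re
from subprocess import PIPE, Popen

# "error 23 at 0 depth lookup:certificate revoked" is what the verify
# callback prints to stdout for each failed check (newer releases add a
# space after the colon, which \s* absorbs).
ERROR_LINE = re.compile(r"^error (\d+) at (\d+) depth lookup:\s*(.*)$")

def parse_verify_output(stdout, stderr, returncode):
    """Return (verified, errors) for one `openssl verify` run.

    Fails closed: any error line, any stderr output or a nonzero exit
    status counts as failure even when an "OK" line is present.
    """
    errors = []
    ok_seen = False
    for raw in stdout.splitlines():
        line = raw.strip()
        m = ERROR_LINE.match(line)
        if m:
            errors.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif line == "OK" or line.endswith(": OK"):
            ok_seen = True
    if stderr.strip():  # e.g. "error stdin: verification failed"
        errors.append((None, None, stderr.strip()))
    return (ok_seen and not errors and returncode == 0), errors

def verify_with_crl(certificate_pem, capath):
    """Run `openssl verify -crl_check_all` on PEM bytes and parse the result."""
    p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"],
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    out, err = p1.communicate(certificate_pem)
    return parse_verify_output(out.decode("utf-8", "replace"),
                               err.decode("utf-8", "replace"), p1.returncode)

# Constructed sample outputs modelled on the openssl verify format, so the
# parser can be exercised without a CA directory or the openssl binary.
SAMPLES = {
    "good": ("stdin: OK\n", "", 0),
    "revoked": ("stdin: /C=GB/CN=test\n"
                "error 23 at 0 depth lookup:certificate revoked\n", "", 0),
    # old-style run that reports an expired CRL but still ends with OK
    "stale_crl": ("stdin: /C=GB/CN=test\n"
                  "error 12 at 0 depth lookup:CRL has expired\nOK\n", "", 0),
}

if __name__ == "__main__":
    for name, (out, err, rc) in SAMPLES.items():
        print(name, parse_verify_output(out, err, rc))
```

The "stale_crl" sample is the case the plain `"OK" in message` test would wrongly accept; the parser reports it as a failure with the error code and reason attached.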

I submitted a patch to M2Crypto that allows X509 certificate verification against a chain of CAs as well as multiple CRLs.

https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2

See this post for more info: How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting

Community

Looking at the source code of openssl's verify.c, it indeed returns 0 all the time, and there's no way to change that. However, you don't need to call openssl on the command line: there are python bindings for the library.

phihag
  • M2Crypto is one of the 'python bindings for OpenSSL' library… and last time I checked all of those libraries had problems (limited functionality) and M2Crypto seemed the best for me at that time. SSL/TLS support in Python sucks :-( And sometimes calling the openssl binary may be still the best choice. – Jacek Konieczny Oct 05 '11 at 12:10
  • I just can't find the particular CRL functions in either pyopenssl or M2Crypto. I would be happy to be wrong on this. – wrgrs Oct 05 '11 at 13:34