如何在 python 中验证 SSL 证书? [英] How do I verify an SSL certificate in python?
问题描述
我需要验证证书是否由我的自定义 CA 签名.使用 OpenSSL 命令行实用程序,这很容易做到:
I need to verify that a certificate was signed by my custom CA. Using OpenSSL command-line utilities this is easy to do:
# Custom CA file: ca-cert.pem
# Cert signed by above CA: bob.cert
$ openssl verify -CAfile test-ca-cert.pem bob.cert
bob.cert: OK
但我需要在 Python 中做同样的事情,而且我真的不想调用命令行实用程序.据我所知,M2Crypto 是 OpenSSL 的最完整的"python 包装器,但我不知道如何完成命令行实用程序的功能!
But I need to do the same thing in Python, and I really don't want to call out to command-line utilities. As far as I'm aware, M2Crypto is the "most complete" python wrapper for OpenSSL, but I can't figure out how to accomplish what the command-line utility does!
参考这个问题,了解如何用 C 代码完成同样的任务,我已经能够得到大约一半.我选择的变量名称与 openssl verify 命令行实用程序的源代码中使用的变量名称相同,请参阅 openssl-xxx/apps/verify.c.
Referencing this question for how to accomplish this same task in C code, I've been able to get about half-way. The variable names I chose are the same ones used in the source code for the openssl verify command-line utility, see openssl-xxx/apps/verify.c.
import M2Crypto as m2
# Load the certificates
cacert = m2.X509.load_cert('test-ca-cert.pem') # Create cert object from CA cert file
bobcert = m2.X509.load_cert('bob.cert') # Create cert object from Bob's cert file
cert_ctx = m2.X509.X509_Store() # Step 1 from referenced C code steps
csc = m2.X509.X509_Store_Context(cert_ctx) # Step 2 & 5
cert_ctx.add_cert(cacert) # Step 3
cert_ctx.add_cert(bobcert) # ditto
# Skip step 4 (no CRLs to add)
# Step 5 is combined with step 2...I think. (X509_STORE_CTX_init: Python creates and
# initialises an object in the same step)
# Skip step 6? (can't find anything corresponding to
# X509_STORE_CTX_set_purpose, not sure if we need to anyway???)
#
# It all falls apart at this point, as steps 7 and 8 don't have any corresponding
# functions in M2Crypto -- I even grepped the entire source code of M2Crypto, and
# neither of the following functions are present in it:
# Step 7: X509_STORE_CTX_set_cert - Tell the context which certificate to validate.
# Step 8: X509_verify_cert - Finally, validate it
所以我已经完成了一半,但我似乎无法真正完成验证!我错过了什么吗?我应该从 M2Crypto 使用其他一些功能吗?我应该寻找一个完全不同的 OpenSSL 的 Python 包装器吗?我怎样才能在python中完成这个任务!?!?
So I'm halfway there, but I can't seem to actually get the validation done! Am I missing something? Is there some other function I should be using from M2Crypto? Should I be looking for a completely different python wrapper of OpenSSL? How can I accomplish this task in python!?!?
请注意,我使用证书来加密/解密文件,因此我对使用基于 SSL 连接的对等证书验证(具有 已经回答),因为我没有任何 SSL 连接.
Note that I'm using certificates to encrypt/decrypt FILES, so I'm not interested in using the SSL-connection-based peer certificate verification (which has already been answered), because I don't have any SSL connections going.
推荐答案
你不能用普通的 M2Crypto 做到这一点,因为它没有包装一些必需的功能.好消息是,如果您安装了 SWIG,您可以自己包装它们并与 M2Crypto 代码一起使用.前段时间我为自己制作了一个带有一些额外功能的模块,并决定现在发布它,因为它进行了这种验证.您可以在此处查看:https://github.com/abbot/m2ext.这是如何使用此模块验证证书的示例:
You can't do this with plain M2Crypto, since it does not wrap some of the required functions. Good news is if you have SWIG installed you can wrap those yourself and use with M2Crypto code. I've made a module with some extra functions for myself some time ago, and decided to publish it now, since it does this kind of validation. You can check it here: https://github.com/abbot/m2ext. This is an example how to validate a certificate using this module:
import sys
from m2ext import SSL
from M2Crypto import X509
print "Validating certificate %s using CApath %s" % (sys.argv[1], sys.argv[2])
cert = X509.load_cert(sys.argv[1])
ctx = SSL.Context()
ctx.load_verify_locations(capath=sys.argv[2])
if ctx.validate_certificate(cert):
print "valid"
else:
print "invalid"
不幸的是,M2Crypto 的开发似乎停滞不前(过去两年在错误跟踪器中没有解决问题)并且维护者忽略了我的错误和电子邮件以及这些和其他一些补丁......
Unfortunately M2Crypto development seems to be stagnant (no closed issues in bug tracker for the last two years) and the maintainer was ignoring my bugs and emails with these and some other patches...
这篇关于如何在 python 中验证 SSL 证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
