How do I use m2crypto to validate an X509 certificate chain in a non-SSL setting


Problem description


I'm trying to figure out how to, using m2crypto, validate the chain of trust from a public key version of an X509 certificate back to one of a set of known root CAs when the chain may be arbitrarily long. The SSL.Context module looks promising except that I'm not doing this in the context of an SSL connection and I can't see how the information passed to load_verify_locations is used.

Essentially, I'm looking for the interface that's equivalent to: openssl verify pub_key_x509_cert

Is there something like that in m2crypto?

Thanks.

Solution

There is a patch that might need to be updated slightly, and it would need unit tests for me to check it in. Contributions welcome!

Another convoluted way would be to create an in-memory SSL session where you do the validation. The Twisted wrapper effectively works this way; Twisted acts as a dumb network pipe without knowing anything about the data, and M2Crypto encrypts/decrypts the data in memory, doing certificate validation on the side.
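For reference, the behaviour the question wants reproduced, shown with the `openssl verify` command it names. This is an added example, not part of the original question or answer and not M2Crypto code; the certificate subjects, file names and the helper functions `make_csr`, `build_chain` and `verify_chain` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every subject and file name here is constructed.
set -eu

# make_csr DIR NAME CN: fresh RSA key plus a signing request for it.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_chain DIR: root -> inter -> leaf, plus an unrelated root "other".
build_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    for ca in root other; do                  # two self-signed trust anchors
        make_csr "$dir" "$ca" "Demo $ca CA"
        openssl x509 -req -in "$dir/$ca.csr" -signkey "$dir/$ca.key" \
            -set_serial 1 -days 2 -extfile "$dir/ca.ext" -out "$dir/$ca.pem" 2>/dev/null
    done
    make_csr "$dir" inter "Demo intermediate CA"   # needs CA:TRUE to issue certs
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    make_csr "$dir" leaf "leaf.example"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -set_serial 3 -days 2 -out "$dir/leaf.pem" 2>/dev/null
}

# verify_chain LEAF ROOTS [INTERMEDIATES]: exit 0 only if LEAF chains to a
# certificate in ROOTS. INTERMEDIATES only help path building; they are
# never trusted on their own.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
build_chain "$demo"
verify_chain "$demo/leaf.pem" "$demo/root.pem" "$demo/inter.pem" && echo "full chain: OK"
verify_chain "$demo/leaf.pem" "$demo/root.pem" || echo "missing intermediate: rejected"
verify_chain "$demo/leaf.pem" "$demo/other.pem" "$demo/inter.pem" || echo "wrong root: rejected"
```

For a longer chain, concatenate all intermediate certificates into the file passed as `-untrusted`; only the file passed as `-CAfile` decides what is trusted.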
