Comment 7 for bug 892522

Richard Moore (rich-kde) wrote : Re: [Bug 892522] Re: pyOpenSSL has no support for verifying a certificate

On 7 March 2013 13:33, Johannes Bauer <email address hidden> wrote:
> To explain a bit further what the code does: It inserts the issuer into
> an otherwise empty truststore. Then it tries to check the certificate
> with that. Now there are three cases:
>
> 1. If the direct signature issuer -> subject is broken, verify will fail at depth 0 and the function will throw an exception.
> 2. If the direct signature issuer -> subject is correct and issuer is a self-signed certificate, verify will succeed, the function returns None.
> 3. If the direct signature issuer -> subject is correct and the issuer is an intermediate CA, verify will fail at depth 1 (!), the function returns None (!).

I was thinking of the case where the root CA has issued a cert using
an intermediate. An SSL server in this case would transmit the leaf
and the intermediate. I don't see that this API would let you test the
leaf against an existing trust store. In terms of the openssl command
line, this would be something like:

openssl verify -CApath /etc/ssl/certs -untrusted intermediate.pem leaf.pem

Given what you've said above, it sounds like you did not intend to
support this case.

Cheers

Rich.

>
> Hope that clears it up,
> Johannes
>
> https://bugs.launchpad.net/bugs/892522
>
> Title:
> pyOpenSSL has no support for verifying a certificate
>
> Status in pyOpenSSL:
> New
>
> Bug description:
> Currently, whilst pyopenssl /can/ verify a certificate when connecting
> to an SSL server, it does not have a facility to verify a certificate
> chain on its own. The functionality required is provided in openssl
> (eg. the openssl verify command allows this to be done on the command
> line). Adding the required functionality is relatively
> straightforward, and I've implemented it for the Qt project before.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/pyopenssl/+bug/892522/+subscriptions
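The commands behind the openssl verify line in the comment above, as an added example that is not part of the bug thread or of pyOpenSSL itself: it builds a root CA, an intermediate CA and a leaf with the openssl CLI (every file name, subject and directory is made up for the demo), then checks the leaf against each trust-store arrangement the discussion mentions. -CAfile is used in place of -CApath so no hashed directory has to be prepared.

```shell
#!/bin/sh
# Added example (not from pyOpenSSL or the bug thread): build a root CA, an
# intermediate CA and a leaf with the openssl CLI, then run the verifications
# discussed in the comment. All file and subject names are made up for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf;
# subjects are passed with -subj, so the dn section can stay empty.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# gen_key_and_csr NAME CN: fresh P-256 key plus a CSR for CN.
gen_key_and_csr() {
  openssl req -new -config req.cnf -nodes -newkey ec \
    -pkeyopt ec_paramgen_curve:P-256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Extension files: top-level (unnamed) section is what -extfile picks up.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' > leaf.ext

# Root CA: self-signed.
gen_key_and_csr root "Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 1 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# Intermediate CA: signed by the root.
gen_key_and_csr int "Demo Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1

# Leaf: signed by the intermediate. A server would send leaf.pem plus int.pem;
# root.pem lives only in the client's trust store.
gen_key_and_csr leaf "leaf.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# An unrelated self-signed CA, for the "wrong trust anchor" case.
gen_key_and_csr other "Unrelated CA"
openssl x509 -req -in other.csr -signkey other.key -days 1 \
  -extfile ca.ext -out other.pem >/dev/null 2>&1

# verify_leaf ANCHOR [extra openssl verify flags...]: prints "ok" or "fail".
verify_leaf() {
  anchor="$1"; shift
  if openssl verify -CAfile "$anchor" "$@" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The case Rich describes: trust store holds only the root, the server-sent
# intermediate is supplied as untrusted chain material.
echo "root + untrusted intermediate: $(verify_leaf root.pem -untrusted int.pem)"
# Without the intermediate the chain cannot be built up to the root.
echo "root alone:                    $(verify_leaf root.pem)"
# Correct chain, wrong trust anchor.
echo "unrelated CA + intermediate:   $(verify_leaf other.pem -untrusted int.pem)"
# Johannes' case 3: only the (non-self-signed) issuer in the store. Plain
# verify rejects it because it cannot reach a self-signed root...
echo "intermediate as anchor:        $(verify_leaf int.pem)"
# ...unless the caller opts in to a partial chain explicitly.
echo "intermediate, -partial_chain:  $(verify_leaf int.pem -partial_chain)"
```

The last two calls cover the situation in Johannes's case 3: with only the intermediate in the store, stock openssl verify reports that it cannot get the issuer certificate, and the check passes only when -partial_chain is given on purpose. On the pyOpenSSL side, a fact not stated on this page: the chain argument of OpenSSL.crypto.X509StoreContext, added in pyOpenSSL 20.0 well after this comment was written, plays the role of -untrusted here.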