How to verify an X509 certificate chain with m2crypto in a non-SSL setting
Question
I'm trying to figure out how to, using m2crypto, validate the chain of trust from a public key version of an X509 certificate back to one of a set of known root CAs when the chain may be arbitrarily long. The SSL.Context module looks promising except that I'm not doing this in the context of an SSL connection and I can't see how the information passed to load_verify_locations is used.
Essentially, I'm looking for the interface that's equivalent to: openssl verify pub_key_x509_cert
Is there something like that in m2crypto?
Thanks.
Solution
There is a patch that might need to be updated slightly, and it would need unit tests for me to check it in. Contributions welcome!
Another convoluted way would be to create an in-memory SSL session where you do the validation. The Twisted wrapper effectively works this way; Twisted acts as a dumb network pipe without knowing anything about the data, and M2Crypto encrypts/decrypts the data in memory, doing certificate validation on the side.