Retrieve chain after certificate validation - what should API look like? #740
Comments
Are you interested in the chain returned by the peer, or are you interested in the actual chain that has been used to verify the peer? These are two totally different things, although they often look the same.
Good question. I am interested in the entire chain that was used to validate the certificate/peer - that is, the chain that was built with the certificates in my store. Not the chain returned by the peer.
OpenSSL 1.1.0 introduced
I'm confused. What if I am not doing any SSL/TLS and just want to use verify_certificate without a network connection? This is my (original) use case (I have a certificate, retrieved from disk or from an nginx header) and I want to verify it and also access the chain that resulted from the verification. The API that I linked has existed since 0.9.8 at least, so that should be compatible with most implementations.
Any other thoughts?
Bump :)
Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain. Add Connection.get_verified_chain using SSL_get0_verified_chain if available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain otherwise. Fixes pyca#740.
I've added support for accessing a connection's verified peer certification chain in #894. Edit: the API is
* Allow accessing a connection's verified certificate chain. Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain. Add Connection.get_verified_chain using SSL_get0_verified_chain if available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain otherwise. Fixes #740.
* TLSv1_METHOD -> SSLv23_METHOD
* Use X509_up_ref instead of X509_dup
* Add _openssl_assert where appropriate
* SSL_get_peer_cert_chain should not be null
* Reformat with black
* Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
* Add Changelog entry
* Remove _add_chain
Thanks for that. I believe this is still only for a specific connection, as opposed to any certificate verification check, right?
Yes, I also added: pyopenssl/src/OpenSSL/crypto.py, lines 1801 to 1811 in 33c5499
Great, thanks!
It would be nice if we could fetch and examine the chain after calling verify_certificate (which calls X509_verify_cert): https://pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509StoreContext
I'm wondering what you think the API should look like. Fetch the entire chain at once and return it to the user, or allow the user to actually iterate over the chain?
Here's an example that shows how to parse the chain after an X509_verify_cert call: https://github.com/openssl/openssl/blob/master/apps/verify.c#L243
I'm willing to implement this feature - I don't think it should be too hard, but it can be quite valuable.