Comment 9 for bug 892522

Richard Moore (rich-kde) wrote : Re: [Bug 892522] Re: pyOpenSSL has no support for verifying a certificate

On 7 March 2013 16:08, Johannes Bauer <email address hidden> wrote:
> Yes, the API that I provided does not check a complete trust chain (like
> openssl verify with the CApath option does, i.e. it uses a whole
> directory as a truststore). It is only intended to tell the user: "Is
> the signature of certificate X by issuer Y correct?". Although it would
> be rather trivial to extend the API to the latter case (i.e. insert many
> certificates in the store and require a complete chain of trust until a
> root CA is hit), that's not what I intended.
>
> If that is what is wanted, the issuer parameter could be changed
> into a tuple of X509 objects which would all be inserted in the
> truststore. Then also add a kwarg "trustchain" in which you can specify
> a bool that tells whether you only want to check the *immediate*
> relationship between two certificates (that's what I need) or whether you
> want to build a complete trustchain (that is what you need, if I
> understand correctly).

I'm not sure I'm following you here, could you give an example? In the
scenario I describe, the intermediates are not trusted and shouldn't
form part of the trust store, they merely allow you to build a chain
from the leaf to one of the roots. I suspect we're probably describing
the same thing, but I'm not quite sure.

I think having the ability to verify a whole chain would be a great
improvement to pyopenssl.

Cheers

Rich.