How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting

Question

I'm trying to figure out how to, using m2crypto, validate the chain of trust from a public key version of a X509 certificate back to one of a set of known root CA's when the chain may be arbitrarily long. The SSL.Context module looks promising except that I'm not doing this in the context of a SSL connection and I can't see how the information passed to load_verify_locations is used.

Essentially, I'm looking for the interface that's equivalent to: openssl verify pub_key_x509_cert

Is there something like that in m2crypto?

Thanks.

Answer 1

There is a patch that might need to be updated slightly, and it would need unit tests for me to check it in. Contributions welcome!

Another convoluted way would be to create an in-memory SSL session where you do the validation. The Twisted wrapper effectively works this way; Twisted acts as dumb network pipe without knowing anything about the data, and M2Crypto encrypts/decrypts the data in memory, doing certificate validation on the side.

Answer 2

I have modified a different M2Crypto patch and with this we are able to verify a X509 Certificate against a chain of CAs, plus it allows the usage of Certificate Revocation List (CRL)s.

The heart of allowing chain verification with M2Crypto is exposing "verify_cert()" on a X509_Store_Context. Basic flow is:

1. Add your CAs/CRLs to a X509_Store
2. Use a X509_Store_Context to verify the certificate of interest

My patch enhances CRL support as well as allowing chain verification. https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2

We are using this patch as part of Pulp, we have a wiki page below which shares some more info on how we are doing the verification with a chain: https://fedorahosted.org/pulp/wiki/CertChainVerification