Using pyOpenSSL to have a custom CA verify certificates

Asked by Gabriel Kho

Hi,

I'm using pyOpenSSL to generate certificates and build a custom certificate authority that will verify these certificates.

I was wondering how to give my CA the power to verify certificates. The examples I've seen online talk about distributing the public key of a CA and using that to decrypt certificates and see if the data matches how you think it should. However, I noticed a verify function in the crypto library which takes in a signature. I was wondering what the intended use of this function was.

In addition, I'm using the SSL module in Python, and it requires a ca_certs file which lists the CAs you trust. If I add my custom CA to this list, do I not need to worry about typing code myself to verify the certificates?

Sorry, I'm a bit lost with the whole thing.

Question information

Language: English
Status: Answered
For: pyOpenSSL
Assignee: No assignee
Jean-Paul Calderone (exarkun) said :
#1

I don't really understand what you're trying to do.

You can use pyOpenSSL to create private keys and certificate requests and to sign certificate requests. You can also use pyOpenSSL to set up SSL connections using a private key and a certificate, and you can configure those connections to require certain signature relationships to exist between the peer's certificate and some "trust roots" - often called "root certificates" or "certificate authority certificates".

If you have a particular certificate authority certificate (perhaps one you created) and you want to require that peers you communicate with use a certificate which was signed by it, then you specify this by adding that certificate to the Context's "cert store" and setting a VERIFY flag to require verification. For example, consider this code from Twisted's CertificateOptions class:

        verifyFlags = SSL.VERIFY_NONE
        if self.verify:
            verifyFlags = SSL.VERIFY_PEER
            if self.requireCertificate:
                verifyFlags |= SSL.VERIFY_FAIL_IF_NO_PEER_CERT
            if self.verifyOnce:
                verifyFlags |= SSL.VERIFY_CLIENT_ONCE
            if self.caCerts:
                store = ctx.get_cert_store()
                for cert in self.caCerts:
                    store.add_cert(cert)

        # It'd be nice if pyOpenSSL let us pass None here for this behavior (as
        # the underlying OpenSSL API call allows NULL to be passed). It
        # doesn't, so we'll supply a function which does the same thing.
        def _verifyCallback(conn, cert, errno, depth, preverify_ok):
            return preverify_ok
        ctx.set_verify(verifyFlags, _verifyCallback)
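
An added example, not part of the original thread and not Twisted's or pyOpenSSL's own code: the cert-store approach from answer #1 run end to end over an in-memory handshake, so a certificate signed by the custom CA is accepted and a self-signed one is rejected. It needs pyOpenSSL installed; `make_cert`, `peer_accepted` and the certificate names are illustrative assumptions.

```python
# Added example; helper names and certificate subjects are constructed.
import random

from OpenSSL import SSL, crypto

def make_cert(cn, issuer=None):
    """Return (key, cert). Self-signed unless issuer=(ca_key, ca_cert)."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = cn
    cert.set_serial_number(random.getrandbits(63) + 1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)  # short-lived test certificate
    cert.set_pubkey(key)
    signer_key, signer_cert = issuer or (key, cert)
    cert.set_issuer(signer_cert.get_subject())
    cert.sign(signer_key, "sha256")
    return key, cert

def peer_accepted(trust_root, server_key, server_cert):
    """In-memory handshake; True only if the client trusts the server cert."""
    client_ctx = SSL.Context(SSL.TLS_METHOD)
    client_ctx.get_cert_store().add_cert(trust_root)  # the only trusted CA
    client_ctx.set_verify(SSL.VERIFY_PEER,
                          lambda conn, cert, errno, depth, ok: ok)
    server_ctx = SSL.Context(SSL.TLS_METHOD)
    server_ctx.use_privatekey(server_key)
    server_ctx.use_certificate(server_cert)
    client = SSL.Connection(client_ctx, None)  # None: use memory BIOs
    server = SSL.Connection(server_ctx, None)
    client.set_connect_state()
    server.set_accept_state()
    for _ in range(8):  # a handshake needs only a few round trips
        finished = 0
        for src, dst in ((client, server), (server, client)):
            try:
                src.do_handshake()
                finished += 1
            except SSL.WantReadError:
                pass  # waiting for the other side's next flight
            except SSL.Error:
                return False  # e.g. certificate verify failed
            try:
                dst.bio_write(src.bio_read(65536))
            except SSL.WantReadError:
                pass  # nothing queued to send
        if finished == 2:
            return True
    return False
```
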

Gabriel Kho (gabriel-d-kho) said :
#2

Oh, that clarifies a lot of things. Thanks a lot for clarifying regarding the certstore.

I should have phrased my question better. One thing that I was looking for was some demo code on how to use the crypto sign and verify functions in order to determine if a certain CA signed a signature. Is this possible?

Jean-Paul Calderone (exarkun) said :
#3

> One thing that I was looking for was some demo code on how to use the crypto sign and verify functions in order to determine if a certain CA signed a signature. Is this possible?

No, it isn't currently possible (at least not without largely implementing the functionality yourself). pyOpenSSL only offers APIs for verifying a certificate when it is used in a handshake.

Erik Trauschke (erik-trauschke) said :
#4

> No, it isn't currently possible (at least not without largely implementing the functionality yourself). pyOpenSSL only offers APIs for verifying a certificate when it is used in a handshake.

Actually, I filed a bug and provided all the necessary code and test cases for this sort of thing a while ago, but as far as I can tell it hasn't even been looked at. With this, verifying a certificate against a CA's public key is straightforward. Just look at the test cases where this is done.

Erik Trauschke (erik-trauschke) said :
#5
