[PYTHON-CRYPTO] X509 certificates for authorization using M2Crypto

Ng Pheng Siong ngps at POST1.COM
Mon May 31 06:47:30 CEST 2004


On Tue, May 25, 2004 at 10:52:53AM +0200, Henrik Thostrup Jensen wrote:
> How should the certificates be loaded - and which should be loaded, that is,
> can i do without my public key and only use the x509 certificate, or do i
> need both? I've looked at the examples in the M2Crypto distribution
> (echoserver and such), but have not been able to solve this problem.

Hi,

An X.509 certificate certifies the public key it contains. The
certification is done by digitally signing said public key using the CA's
private key.

The CA's public key corresponding to its signing private key is itself
certified in the CA's certificate. This CA certificate may be certified by
a higher-level CA or by itself; in the latter case the certificate is
called a self-signed certificate.

All top-level CA certificates are self-signed certificates. (By definition,
one may say. ;-)

Thus, your public key is already in the certificate. As part of the SSL
protocol, your program will be asked to demonstrate it possesses the
corresponding private key.

If you look inside the various [client|server].pem in demo/, each contains
the following:

-----BEGIN CERTIFICATE-----
<PEM encoding of X.509.>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<PEM encoding of RSA keypair, may or may not be encrypted.>
-----END RSA PRIVATE KEY-----

Both cert (i.e., public key) and private key are there.

Note that an SSL end point may use a certificate certified by CA X, whereas
it is only willing to accept a peer certificate certified by CA Y.

In this general case, the SSL end point needs to transmit a cert chain,
i.e., a chain of certificates up to and including CA X's or Y's cert.

In your case, both SSL end points are using your own CA, so presumably both
load that CA cert upon startup and are able to verify the peer cert
correctly.

So the following (client-side) code /should/ do what you want:

    from M2Crypto import SSL

    ctx = SSL.Context()
    # client.pem holds both the certificate and the matching private key
    ctx.load_cert_chain('client.pem')
    # ca.pem is the trust anchor used to verify the peer's certificate
    ctx.load_verify_locations('ca.pem', '')
    # require a peer certificate, allow a chain depth of up to 10
    ctx.set_verify(SSL.verify_peer, 10, SSL.cb.ssl_verify_callback)

Cheers.

--
Ng Pheng Siong <ngps at netmemetic.com>

http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- ZServerSSL/Zope Windows Installers
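The following is an added example, not part of the post above and not M2Crypto code: it parses a combined PEM file of the shape described in the post (a CERTIFICATE block followed by a PRIVATE KEY block), reports whether the private key is present and whether it is encrypted, and builds the standard-library `ssl` analogue of the M2Crypto client context shown in the post. It generalises slightly beyond the post by also recognising PKCS#8 "PRIVATE KEY" / "ENCRYPTED PRIVATE KEY" labels. The function names, the `client_context` helper (which uses Python's `ssl` module in place of `M2Crypto.SSL`) and the sample PEM contents are all constructed for this example; the PEM bodies are base64 of placeholder bytes, not real keys or certificates.

```python
import base64
import re
import ssl
from dataclasses import dataclass
from typing import Dict, List

# One PEM block: the label on the END line must match the BEGIN line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str              # e.g. "CERTIFICATE", "RSA PRIVATE KEY"
    headers: Dict[str, str] # "Key: value" lines before the base64 body, if any
    der: bytes              # decoded body

    @property
    def is_private_key(self) -> bool:
        return self.label.endswith("PRIVATE KEY")

    @property
    def encrypted(self) -> bool:
        # Legacy (PKCS#1) keys signal encryption with "Proc-Type: 4,ENCRYPTED";
        # PKCS#8 keys use the label "ENCRYPTED PRIVATE KEY" instead.
        proc_type = self.headers.get("Proc-Type", "").upper()
        return proc_type.endswith("ENCRYPTED") or self.label.startswith("ENCRYPTED")


def parse_pem(text: str) -> List[PemBlock]:
    """Split a PEM file into its blocks, decoding headers and base64 bodies."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers: Dict[str, str] = {}
        # Header lines come first and contain ':'; base64 lines never do.
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        b64 = "".join(line.strip() for line in lines if line.strip())
        der = base64.b64decode(b64, validate=True)
        blocks.append(PemBlock(m.group("label"), headers, der))
    return blocks


def describe_identity_file(text: str) -> Dict[str, object]:
    """Summarise what a [client|server].pem-style file actually contains."""
    blocks = parse_pem(text)
    keys = [b for b in blocks if b.is_private_key]
    return {
        "certificates": sum(1 for b in blocks if b.label == "CERTIFICATE"),
        "has_private_key": bool(keys),
        "key_encrypted": any(k.encrypted for k in keys),
    }


def client_context(identity_pem: str, ca_pem: str) -> ssl.SSLContext:
    """Standard-library analogue (assumed, not M2Crypto) of the post's context."""
    # PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED, check_hostname=True
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_cert_chain(identity_pem)          # cert + private key from one file
    ctx.load_verify_locations(cafile=ca_pem)   # trust anchor: your own CA's cert
    return ctx


def _b64(data: bytes) -> str:
    return base64.encodebytes(data).decode()


# Constructed sample in the layout the post describes; bodies are placeholders.
SAMPLE_CLIENT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + _b64(b"constructed placeholder, not a real X.509 DER")
    + "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    + _b64(b"constructed placeholder, not a real RSA key")
    + "-----END RSA PRIVATE KEY-----\n"
)

# Constructed CA file: certificate only, no private key.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + _b64(b"constructed placeholder CA certificate")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(describe_identity_file(SAMPLE_CLIENT_PEM))
    print(describe_identity_file(SAMPLE_CA_PEM))
```

Running `describe_identity_file` over the two constructed inputs shows the difference the post draws: the identity file carries both the certificate and a (here encrypted) private key, while a CA file handed to `load_verify_locations` needs only the certificate.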