[PYTHON-CRYPTO] M2Crypto questions
Heikki Toivonen
hjtoi at COMCAST.NET
Sat Oct 4 07:22:14 CEST 2008
(I replied to Tim earlier privately, but the list message didn't come
through.)
Tim Newsham wrote:
> > - Is there any code to load in the certificate roots from the
> > windows certificate store?
No.
But you might want to find my post about where to get root certificates
of some interest:
http://www.heikkitoivonen.net/blog/2008/09/30/root-certificates-for-python-programs-using-python/
> > - Is it possible to validate the certificate against a set of roots
> > after the connection has been made (ie. not using ctx.set_verify()
> > to force verification at connection time)?
I believe it will be possible with 0.19, there were some bugs/missing
APIs that prevented/made it hard to do this with earlier releases (see
https://bugzilla.osafoundation.org/show_bug.cgi?id=11690). I have never
done this personally, though, so you'd be better off getting the details
from elsewhere. You could search/ask on the openssl-users list, for example.
> > - Is it possible to view the certificate chain used in the validation?
Yes. One way is to set up a custom verification callback, which lets
you look at the whole chain or the currently-being-tested-cert as you
like. See for example the implementation in Chandler here:
http://svn.osafoundation.org/chandler/trunk/chandler/parcels/osaf/framework/certstore/ssl.py
(specifically, look at the verifyCallback method).
> > - Is it possible to get a specific error about certificate validation
> > failures that describes the cause of the validation failure?
Yes, see for example the Chandler code above (look for store.get_error()).
--
Heikki Toivonen - http://heikkitoivonen.net
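The custom verification callback described in the reply above, as an added example that is not from the post, from M2Crypto or from Chandler: a callback object that records every certificate OpenSSL visits (root first, leaf last) together with the depth and the specific verification error code, so the chain and the failure cause can be inspected after the handshake. `VerifyRecorder`, `build_context`, `replay` and the `_Fake*` classes are names chosen here; the M2Crypto calls (`SSL.Context`, `load_verify_locations`, `set_verify(mode, depth, callback)`, `store.get_current_cert()`, `store.get_error()`, `store.get_error_depth()`) are assumed to behave as in the 0.19-era API, and the error codes in `ERROR_NAMES` are OpenSSL's `X509_V_ERR_*` values. The sample chain is constructed so the example runs without a network or M2Crypto installed; `build_context` is the only function that imports M2Crypto.

```python
"""Observe the chain and the verify error through an M2Crypto verify callback."""

X509_V_OK = 0  # OpenSSL's "no error" code; any other value is a failure reason

ERROR_NAMES = {  # subset of OpenSSL's X509_V_ERR_* codes, keyed by value
    9: 'certificate is not yet valid',
    10: 'certificate has expired',
    18: 'self signed certificate',
    19: 'self signed certificate in certificate chain',
    20: 'unable to get local issuer certificate',
}


class VerifyRecorder(object):
    """Callback object; OpenSSL calls it once per chain element, deepest first."""

    def __init__(self):
        self.chain = []   # [(depth, subject)] in the order OpenSSL visited them
        self.errors = []  # [(depth, subject, error_code)] for failing steps

    def __call__(self, ok, store):
        cert = store.get_current_cert()          # X509 being checked right now
        depth = store.get_error_depth()          # 0 = leaf, higher = towards root
        subject = cert.get_subject().as_text()
        self.chain.append((depth, subject))
        if not ok:
            self.errors.append((depth, subject, store.get_error()))
        # Return OpenSSL's own verdict: the callback only observes, it never
        # turns a failed check into a success.
        return ok

    def succeeded(self):
        return not self.errors

    def chain_in_order(self):
        """Subjects from the leaf (depth 0) up to the root."""
        return [subject for _, subject in sorted(self.chain)]


def describe(rec):
    """Human-readable lines for each failing step (answers 'what failed and why')."""
    return ['depth %d %s: %s (%d)' % (d, s, ERROR_NAMES.get(e, 'verify error'), e)
            for d, s, e in rec.errors]


def build_context(ca_file, recorder, max_depth=9):
    """Wire the recorder into an M2Crypto context; requires M2Crypto at call time."""
    from M2Crypto import SSL  # assumed API, imported lazily on purpose
    ctx = SSL.Context()
    ctx.load_verify_locations(ca_file)
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert,
                   max_depth, recorder)
    return ctx


# Constructed stand-ins for X509_Store_Context / X509 so the callback can be
# exercised offline; they expose only the methods the callback uses.
class _FakeName(object):
    def __init__(self, text):
        self._text = text

    def as_text(self):
        return self._text


class _FakeCert(object):
    def __init__(self, subject):
        self._subject = _FakeName(subject)

    def get_subject(self):
        return self._subject


class _FakeStore(object):
    def __init__(self, depth, subject, error):
        self._depth, self._cert, self._error = depth, _FakeCert(subject), error

    def get_current_cert(self):
        return self._cert

    def get_error_depth(self):
        return self._depth

    def get_error(self):
        return self._error


def replay(steps):
    """Drive a recorder the way OpenSSL would, from (depth, subject, error) steps."""
    rec = VerifyRecorder()
    for depth, subject, error in steps:
        rec(1 if error == X509_V_OK else 0, _FakeStore(depth, subject, error))
    return rec


# Constructed sample chain: root and intermediate verify, the leaf has expired.
SAMPLE_STEPS = [
    (2, 'CN=Example Root CA', X509_V_OK),
    (1, 'CN=Example Intermediate CA', X509_V_OK),
    (0, 'CN=www.example.net', 10),
]

if __name__ == '__main__':
    rec = replay(SAMPLE_STEPS)
    print('chain:', ' -> '.join(rec.chain_in_order()))
    for line in describe(rec):
        print(line)
```

With a real connection the same recorder is passed to `build_context`, and after `SSL.Connection(ctx).connect(...)` returns (or raises) the recorder holds the chain and the error code OpenSSL reported, which is what `store.get_error()` in the Chandler code exposes.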