如何使用 m2crypto 在非 SSL 设置中验证 X509 证书链

How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting(如何使用 m2crypto 在非 SSL 设置中验证 X509 证书链)

问题描述

我试图弄清楚如何使用 m2crypto 验证从 X509 证书的公钥版本到一组已知根 CA 的信任链，当链可能任意长时.SSL.Context 模块看起来很有希望，只是我不是在 SSL 连接的上下文中执行此操作，而且我看不到传递给 load_verify_locations 的信息是如何使用的.

I'm trying to figure out how to, using m2crypto, validate the chain of trust from a public key version of a X509 certificate back to one of a set of known root CA's when the chain may be arbitrarily long. The SSL.Context module looks promising except that I'm not doing this in the context of a SSL connection and I can't see how the information passed to load_verify_locations is used.

本质上，我正在寻找相当于以下内容的界面:openssl 验证 pub_key_x509_cert

Essentially, I'm looking for the interface that's equivalent to: openssl verify pub_key_x509_cert

m2crypto 中有类似的东西吗?

Is there something like that in m2crypto?

谢谢.

推荐答案

有一个可能需要稍微更新的补丁，我需要进行单元测试才能签入.欢迎贡献！

There is a patch that might need to be updated slightly, and it would need unit tests for me to check it in. Contributions welcome!

另一种复杂的方法是创建一个内存 SSL 会话，您可以在其中进行验证.Twisted wrapper 以这种方式有效地工作；Twisted 充当哑网络管道，对数据一无所知，而 M2Crypto 对内存中的数据进行加密/解密，同时进行证书验证.

Another convoluted way would be to create an in-memory SSL session where you do the validation. The Twisted wrapper effectively works this way; Twisted acts as dumb network pipe without knowing anything about the data, and M2Crypto encrypts/decrypts the data in memory, doing certificate validation on the side.

这篇关于如何使用 m2crypto 在非 SSL 设置中验证 X509 证书链的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持编程学习网！