我需要驗證證書是否由我的自定義CA簽名。使用OpenSSL命令行實用程序很容易做到：# Custom CA file: ca-cert.pem

# Cert signed by above CA: bob.cert

$ openssl verify -CAfile test-ca-cert.pem bob.cert

bob.cert: OK

但是我需要在Python中做同樣的事情，我真的不想調用命令行實用程序。據我所知，m2cypto是OpenSSL的“最完整”python包裝器，但我不知道如何完成命令行實用程序的功能！

參考this question了解如何在C代碼中完成相同的任務，我已經能夠得到大約一半的結果。我選擇的變量名與openssl verify命令行實用程序的源代碼中使用的變量名相同，請參見openssl-xxx/apps/verify.c。import M2Crypto as m2

# Load the certificates

cacert = m2.X509.load_cert('test-ca-cert.pem') # Create cert object from CA cert file

bobcert = m2.X509.load_cert('bob.cert') # Create cert object from Bob's cert file

cert_ctx = m2.X509.X509_Store() # Step 1 from referenced C code steps

csc = m2.X509.X509_Store_Context(cert_ctx) # Step 2 & 5

cert_ctx.add_cert(cacert) # Step 3

cert_ctx.add_cert(bobcert) # ditto

# Skip step 4 (no CRLs to add)

# Step 5 is combined with step 2...I think. (X509_STORE_CTX_init: Python creates and

# initialises an object in the same step)

# Skip step 6? (can't find anything corresponding to

# X509_STORE_CTX_set_purpose, not sure if we need to anyway???)

#

# It all falls apart at this point, as steps 7 and 8 don't have any corresponding

# functions in M2Crypto -- I even grepped the entire source code of M2Crypto, and

# neither of the following functions are present in it:

# Step 7: X509_STORE_CTX_set_cert - Tell the context which certificate to validate.

# Step 8: X509_verify_cert - Finally, validate it

所以我已經走到一半了，但我似乎無法真正完成驗證！我遺漏了什么嗎？M2Crypto中是否還有其他函數需要我使用？我應該尋找一個完全不同的OpenSSL的python包裝器嗎？我怎樣才能用python！？！？

請注意，我使用證書來加密/解密文件，所以我不想使用基于SSL連接的對等證書驗證（它有already been answered），因為我沒有任何SSL連接。

總結

以上是生活随笔為你收集整理的怎么证明会python_如何在python中验证SSL证书？的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。