All geek questions in one place

How to authenticate a public key with a certification authority using Python?

import OpenSSL key = ... signature = ... data = ... x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, key) OpenSSL.crypto.verify(x509, signature, data, 'sha1')

Until now, I could do all this without a problem. However, this does not seem to be enough to ensure security, since the key itself is provided to me through the URL (which I must trust *), and the method of creating the signature is publicly available.

So, say the key is said to be verified by โ€œVeriSign Class 3 Code Signing 2010 CAโ€, can someone tell me how I can verify that this is a valid requirement?

I assume that I need to have VeriSign certificate locally on my machine. Assuming what I'm doing, where am I from there?

Thanks!

* The URL is provided to me as a parameter in the JSON request. Of course, the URL will be HTTPS, and I can check the domain name and all that. But it seems to me that I should do checks of the certificate itself

+6
source share
2 answers

You are correct that you must verify the certificate itself. And yes, you need the VeriSign root certificate (and any other intermediate certificates for the complete trust chain) that signed the verified certificate.

Current Symantec root certificates (VeriSign) can be found here in the zipfile .

Download and unzip the zip file and find all the certificates you want to trust and put them together (in pem format) in one certificate package file.

Now you need to do the actual check. Unfortunately, an OpenSSL call you need X509_verify_certificate . I looked at the source for both pyopenssl and M2Crypto, and do not make this call, so there is no direct Python code that you can call to verify the certificate with any of these packages.

However, since you are using pyopenssl, you obviously have the openssl library available. That way, you probably already have or can easily install the openssl command-line toolkit. If so, you can invoke the openssl verify through the pipe by doing something like this:

 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, key) # the command like likes pem format cert_pem = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert) # the bundle that you created from the zip extraction certificate_bundle = 'verisign-root-bundle.pem' # Pipe the cert to the openssl verify command and check the return code # a return code of 0 is successful verify import subprocess p = subprocess.Popen(['openssl', 'verify', '-CAfile', certificate_bundle], stdin=subprocess.PIPE) p.communicate(input=cert_pem) p.wait() if (p.returncode == 0): print('Certificate Verified.') else: print('Problem with certificate')

The above channel executes the command

 openssl verify -CAfile ca.bundle certificate.pem

Finally, if you are not familiar with openssl, a command to display certificates

 openssl x509 -inform PEM -text -in certificate.pem

Hope this helps!

+2
source

Perhaps I will only partially solve your question. It seems like your biggest concern is the security of the channel through which you receive the key. You do not show the code of how you receive this key, but you said that you received it via HTTPS, and now you want to verify the authenticity of this connection by verifying the certificate.

You can do this comfortably using the well-established third-party requests web client platform.

Quote from the docs :

Requests can verify SSL certificates for HTTPS requests, just like a web browser. To verify the host SSL certificate, you can use the Verify argument:

 requests.get(url, verify=True)

also:

You can transfer the path to the CA_BUNDLE file with certificates of trusted CAs.

The latter may look like

 requests.get(url, verify='/path/to/cert.pem')

If you really want to take control (and reduce complexity), download the desired file from http://www.symantec.com/page.jsp?id=roots and take the verify='/path/to/cert.pem' approach. I think you need http://www.symantec.com/content/en/us/enterprise/verisign/roots/Class-3-Public-Primary-Certification-Authority-G2.pem

+2
source

Source: https://habr.com/ru/post/981272/

More articles:


All Articles