Retrieve chain after certificate validation - what should API look like?

[MerlijnWajer]

It would be nice if we could fetch and examine the chain after calling verify_certificate (Which calls X509_verify_cert). https://pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509StoreContext)

I'm wondering what you think the API should look like. Fetch the entire chain at once and return it to the user, or allows the user to actually iterate over the chain?

Here's an example that shows how to parse the chain after a X509_verify_cert call: https://github.com/openssl/openssl/blob/master/apps/verify.c#L243

I'm willing to implement this feature - I don't think it should be too hard, but it can be quite valuable.

[tiran]

Are you interested in the chain returned by the peer or are you interested in the actual chain that has been used to verify the peer? These are two totally different things although they often look the same.

[MerlijnWajer]

Good question. I am interested in the entire chain that was used the validate the certificate/peer - that is, the chain that was built with the certificates in my store. Not the chain returned by the peer.

[tiran]

OpenSSL 1.1.0 introduced SSL_get0_verified_chain(). The feature is not available with LibreSSL and OpenSSL 1.0.2.

[MerlijnWajer]

I'm confused. What if I am not doing any SSL/TLS and just want to use verify_certificate without a network connection? This is my (original) use case (I have a certificate, retrieve from disk or from nginx header) and I want to verify it and also access the chain that resulted from the verification. The API that I linked exists since 0.9.8 at least, so that should be compatible with most implementations.

[MerlijnWajer]

Any other thoughts?

[MerlijnWajer]

Bump :)

[ShaneHarvey]

I've added support for accessing a connection's verified peer certification chain in #894.

Edit: the API is chain = connection.get_verified_chain() which should be in the next release 20.0.

[MerlijnWajer]

Thanks for that. I believe this is still only for a specific connection, as opposed to any certificate verification check, right?

[ShaneHarvey]

It would be nice if we could fetch and examine the chain after calling verify_certificate (Which calls X509_verify_cert). https://pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509StoreContext)

Yes I also added X509StoreContext.get_verified_chain() which returns the verified chain:

pyopenssl/src/OpenSSL/crypto.py

Lines 1801 to 1811 in 33c5499

	def get_verified_chain(self):
	"""
	Verify a certificate in a context and return the complete validated
	chain.
	:raises X509StoreContextError: If an error occurred when validating a
	certificate in the context. Sets ``certificate`` attribute to
	indicate which certificate caused the error.
	.. versionadded:: 20.0
	"""