我需要验证我的自定义CA签署了证书.使用OpenSSL命令行实用程序很容易做到：

# Custom CA file: ca-cert.pem

# Cert signed by above CA: bob.cert

$openssl verify -CAfile test-ca-cert.pem bob.cert

bob.cert: OK

但是我需要在Python中做同样的事情,而且我真的不想调用命令行实用程序.据我所知,M2Crypto是OpenSSL的“最完整”的python包装,但是我无法弄清楚如何完成命令行实用程序的功能！

参考this question如何在C代码中完成同样的任务,我已经能够得到一半的.我选择的变量名称与openssl verify命令行实用程序的源代码中使用的变量名相同,请参阅openssl-xxx / apps / verify.c.

import M2Crypto as m2

# Load the certificates

cacert = m2.X509.load_cert('test-ca-cert.pem') # Create cert object from CA cert file

bobcert = m2.X509.load_cert('bob.cert') # Create cert object from Bob's cert file

cert_ctx = m2.X509.X509_Store() # Step 1 from referenced C code steps

csc = m2.X509.X509_Store_Context(cert_ctx) # Step 2 & 5

cert_ctx.add_cert(cacert) # Step 3

cert_ctx.add_cert(bobcert) # ditto

# Skip step 4 (no CRLs to add)

# Step 5 is combined with step 2...I think. (X509_STORE_CTX_init: Python creates and

# initialises an object in the same step)

# Skip step 6? (can't find anything corresponding to

# X509_STORE_CTX_set_purpose, not sure if we need to anyway???)

#

# It all falls apart at this point, as steps 7 and 8 don't have any corresponding

# functions in M2Crypto -- I even grepped the entire source code of M2Crypto, and

# neither of the following functions are present in it:

# Step 7: X509_STORE_CTX_set_cert - Tell the context which certificate to validate.

# Step 8: X509_verify_cert - Finally, validate it

所以我在那里的一半,但我似乎实际上不能完成验证！我错过了什么吗？有没有其他的功能我应该使用从M2Crypto？我应该寻找一个完全不同的OpenSSL的python包装？如何在python中完成这个任务？

请注意,我正在使用证书加密/解密FILES,所以我不喜欢使用基于SSL连接的对等证书验证(其中有already been answered),因为我没有任何SSL连接.