Verify Certificate Chain Without Trust Store #12359
Comments
Why do you want to accomplish this? Verifying a certificate chains to any root CA provides no security properties, simply

@alex , this isn't about security, actually. This is about basic validation of a configuration on a network device. For this configuration type, clients provide their own certificates which must be signed by a root CA somewhere. I don't need to (nor am I even able to) validate that the root CA is valid or trusted; I only need to validate that the leaf certificate is signed and that the file contains a complete chain back to whatever root signed it. I know it's not exactly common use case, but it's what I'm working with right now.
Sorry, I'm not sure I'm following. Is your input just the leaf certificate, or do you have a nominally full chain and you want to verify that the leaf really does chain to the root?
The second one. As I put in my original post, once I have everything installed on my network device, I should be able to access it in my browser, like this:
This should show the entire chain. Sometimes, if a cert is misconfigured, it could be missing one of the certificates in the chain:
I need to diagnose these types of errors in my python validation tool.
Ok. In that case what you need to do is:

a) Somehow find the root -- the server does not provide the root, so you'll have to do something like implement Authority Information Access (AIA) chasing to go from an intermediate to a root. (This is basically "choose an intermediate, find its AIA extension, make an HTTP request to get the root where it claims it is", but there's a bunch of fiddly bits)

b) Create a verifier using that root as the root, using the intermediates provided as intermediates, and then verify.
> On Wed, Jan 29, 2025 at 10:39 AM Wyko wrote:
>
> The second one. As I put in my original post, once I have everything installed on my network device, I should be able to access it in my browser, like this:
>
> `echo "q" | openssl s_client -connect microsoft.com:443 -showcerts | grep depth`
>
> This should show the entire chain. Sometimes, if a cert is misconfigured, it could be missing one of the certificates in the chain:
>
> `echo "q" | openssl s_client -connect incomplete-chain.badssl.com:443 -showcerts | grep depth`
>
> I need to diagnose these types of errors in my python validation tool.
Okay, fair enough. Is there a way to get the intermediates using Cryptography? So far I've seen this:
Getting the intermediates from the TLS handshake is going to be a question of your TLS library's API. https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_unverified_chain is probably what you want
> On Thu, Jan 30, 2025 at 7:55 AM Wyko wrote:
>
> Okay, fair enough. Is there a way to get the intermediates using Cryptography? So far I've seen this:
>
> `leaf = load_pem_x509_certificate(ssl.get_server_certificate((subject, 443)).encode())`
>
> But as far as I can tell, that only returns the leaf, and not whatever intermediates the server might also be presenting.
This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.

This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it.
Good morning!
I have an application that needs to verify a certificate chain, ignoring the trustworthiness of the root. Specifically, I need to do the following:
The solutions I have found rely on the trust store of my computer to already contain the relevant root CAs. Can the package help me here?