
I use PyOpenSSL verify_certificate() to verify certificate chains. My code seems to work. But I was wondering if the function also checks the signatures along the certificate chain. Let's assume we have the chain ca_cert -> i_ca_cert -> s_cert. Thus ca_cert signed i_ca_cert and i_ca_cert signed s_cert. Does verify_certificate() check whether the signer's (RSA) key was used to sign the certificate and whether the signature is correct, for every certificate along the chain?

Hansi
  • Related... OpenSSL 1.0.2 and earlier *does not* perform hostname matching. OpenSSL 1.1.0 *does* perform hostname matching. Also see [SSL/TLS Client | Verification](https://wiki.openssl.org/index.php/SSL/TLS_Client#Verification) on the OpenSSL wiki. – jww Nov 15 '16 at 01:57
  • When in doubt, I always check https://www.openssl.org/docs/man1.0.2/man1/verify.html – rustyMagnet Nov 10 '20 at 16:46

1 Answer


> But I was wondering if the function also checks the signatures along the certificate chain

Of course it does. Otherwise what is the purpose of chain verification? From the OpenSSL documentation (man 1ssl verify on Linux):

> The final operation is to check the validity of the certificate chain. The validity period is checked against the current system time and the notBefore and notAfter dates in the certificate. The certificate signatures are also checked at this point.

Oleg Andriyanov
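The following is an added example, not code from the question or the answer: it builds the ca_cert -> i_ca_cert -> s_cert chain from the question with constructed keys and names, verifies it with pyOpenSSL's verify_certificate(), and then re-issues the intermediate with a key the root never held to show that the signature check is what rejects it. It uses the `cryptography` package (a dependency of pyOpenSSL) to build the certificates and `X509.from_cryptography()` to hand them to pyOpenSSL; the `chain=` argument of X509StoreContext needs pyOpenSSL 20.0.0 or later.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
from OpenSSL import crypto


def rsa_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(cn, pubkey, issuer_cn, signing_key, is_ca):
    """X.509v3 cert for `cn` signed by `signing_key`. `issuer_cn` is only a
    name claim; nothing ties it to `signing_key`, which is what chain
    verification must catch. Names and validity window are constructed."""
    now = datetime.now(timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return crypto.X509.from_cryptography(cert)


def verify_chain(root, intermediates, leaf):
    """None when verify_certificate() accepts `leaf`, else OpenSSL's error text."""
    store = crypto.X509Store()
    store.add_cert(root)  # the only trust anchor
    ctx = crypto.X509StoreContext(store, leaf, chain=intermediates)
    try:
        ctx.verify_certificate()
        return None
    except crypto.X509StoreContextError as exc:
        return str(exc)


def demo():
    """Good chain ca_cert -> i_ca_cert -> s_cert, then a forged intermediate."""
    ca_key, i_key, s_key, rogue_key = (rsa_key() for _ in range(4))
    ca_cert = make_cert("Root CA", ca_key.public_key(), "Root CA", ca_key, True)
    i_ca_cert = make_cert("Intermediate", i_key.public_key(), "Root CA", ca_key, True)
    s_cert = make_cert("server", s_key.public_key(), "Intermediate", i_key, False)
    # Same names and same intermediate public key, but signed by a key the root never held.
    forged_i = make_cert("Intermediate", i_key.public_key(), "Root CA", rogue_key, True)
    return verify_chain(ca_cert, [i_ca_cert], s_cert), verify_chain(ca_cert, [forged_i], s_cert)
```

Running demo() returns None for the genuine chain and an error mentioning "certificate signature failure" for the forged one: OpenSSL built the same name-based path in both cases and only the signature check told them apart.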