From heikki at OSAFOUNDATION.ORG Mon Dec 3 19:39:01 2007
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 3 Dec 2007 10:39:01 -0800
Subject: [PYTHON-CRYPTO] PKCS7 verification with CA hierarchy
In-Reply-To: <200711301901.28338.sebastien@fluendo.com>
References: <200711301901.28338.sebastien@fluendo.com>
Message-ID: <47544D45.7070709@osafoundation.org>

Sébastien Merle wrote:
> If the signer has been issued by another sub CA
> or if the signer has been issued directly by
> the root CA, I want the verification to fail,
> even if the pkcs7 contains its own certification chain.

Hmm, I am not completely sure I understood what you want.

> How could I do this in Python? Is it even possible?

Can you do it using C and OpenSSL? If the answer is yes, then there is a
very high likelihood you can do it with M2Crypto. The only problem I
could see (beyond bugs of course) is that some OpenSSL API you'd need
has not yet been wrapped. If that turns out to be the case I'd be happy
to wrap the needed API(s) and include them in the next release.

--
  Heikki Toivonen

From sebastien at FLUENDO.COM Tue Dec 11 11:39:04 2007
From: sebastien at FLUENDO.COM (Sébastien Merle)
Date: Tue, 11 Dec 2007 11:39:04 +0100
Subject: [PYTHON-CRYPTO] PKCS7 verification with CA hierarchy
In-Reply-To: <47544D45.7070709@osafoundation.org>
References: <200711301901.28338.sebastien@fluendo.com> <47544D45.7070709@osafoundation.org>
Message-ID: <200712111139.04165.sebastien@fluendo.com>

Hi,

Thank you Heikki, I didn't hope for a response after seeing my question was the only entry for November :)

> Hmm, I am not completely sure I understood what you want.

What I want is to be able to check the direct issuer of the signer of a PKCS7. It could be done by looking at the key identifier of the signer's direct issuer (X509v3 Authority Key Identifier). What's needed is to be able to extract certificates from a PKCS7, and to retrieve certificate extensions from a certificate. I haven't found out yet whether it's possible to do it with M2Crypto without having to enter into the arcana of the OpenSSL C API.

I have another question: do you know what the certificate stack is used for when verifying a PKCS7?

Thank you, Bye.

On Monday 03 December 2007 19:39:01 Heikki Toivonen wrote:
> Sébastien Merle wrote:
> > If the signer has been issued by another sub CA
> > or if the signer has been issued directly by
> > the root CA, I want the verification to fail,
> > even if the pkcs7 contains its own certification chain.
> >
> > How could I do this in Python? Is it even possible?
>
> Can you do it using C and OpenSSL? If the answer is yes, then there is a
> very high likelihood you can do it with M2Crypto. The only problem I
> could see (beyond bugs of course) is that some OpenSSL API you'd need
> has not yet been wrapped. If that turns out to be the case I'd be happy
> to wrap the needed API(s) and include them in the next release.

--
Sébastien Merle
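The check Sébastien describes (extract the certificates from the PKCS7, read the signer's Authority Key Identifier, and compare it with the expected sub CA's Subject Key Identifier), as an added example that is not from the thread and not M2Crypto code: it uses the `cryptography` package, which exposes both operations directly, and assumes that package is installed. Every key, certificate name and signed payload below is constructed for the demonstration.

```python
# Added example, not from the thread: accept a PKCS#7 only when its signer was issued directly by one
# given sub CA (signer AKI == CA SKI). Uses `cryptography` (assumed installed), not M2Crypto; all data constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

def make_cert(cn, issuer=None, ca=False):
    """Fresh RSA key plus a certificate carrying SKI and AKI; self-signed when issuer is None."""
    key = rsa.generate_private_key(65537, 2048)
    signer = issuer[1] if issuer else key          # issuer is a (cert, key) pair
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer[0].subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer.public_key()), critical=False)
            .sign(signer, hashes.SHA256()))
    return cert, key

def sign_with_chain(entity, chain):
    """PKCS#7 SignedData over a constructed payload that also carries the entity's whole chain."""
    b = pkcs7.PKCS7SignatureBuilder().set_data(b"constructed payload").add_signer(entity[0], entity[1], hashes.SHA256())
    for cert, _ in chain:
        b = b.add_certificate(cert)
    return b.sign(serialization.Encoding.DER, [])

def signer_issued_directly_by(p7_der, sub_ca_cert):
    """True only if the end-entity cert carried in the PKCS#7 names sub_ca_cert as its direct issuer.
    The chain the PKCS#7 carries is ignored on purpose. Assumes the single non-CA cert is the signer."""
    get = lambda cert, cls: cert.extensions.get_extension_for_class(cls).value
    leaves = [c for c in pkcs7.load_der_pkcs7_certificates(p7_der) if not get(c, x509.BasicConstraints).ca]
    return len(leaves) == 1 and get(leaves[0], x509.AuthorityKeyIdentifier).key_identifier == get(sub_ca_cert, x509.SubjectKeyIdentifier).digest

# Constructed hierarchy: root -> sub CA A -> signer A; root -> sub CA B -> signer B; root -> direct signer
ROOT = make_cert("root", ca=True)
CA_A, CA_B = make_cert("sub ca a", ROOT, ca=True), make_cert("sub ca b", ROOT, ca=True)
SIGNER_A, SIGNER_B, DIRECT = make_cert("signer a", CA_A), make_cert("signer b", CA_B), make_cert("direct", ROOT)

def check_all():
    """Expected (True, False, False): only sub CA A's signer passes, although every PKCS#7 has a chain."""
    return tuple(signer_issued_directly_by(p, CA_A[0]) for p in (
        sign_with_chain(SIGNER_A, [CA_A, ROOT]),
        sign_with_chain(SIGNER_B, [CA_B, ROOT]),
        sign_with_chain(DIRECT, [ROOT])))
```

This only answers the issuer question; the PKCS#7 signature itself still has to be verified separately, and a real check should also confirm that the sub CA certificate chains to a trusted root.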