
What's the right way for a Python/Twisted program to validate an SSL certificate under Windows?

Is there a way for a Python/Twisted program to cleanly make use of the list of root certificates that Internet Explorer uses to validate an SSL connection to an HTTPS server? The answers provided to Validate SSL certificates with Python are very helpful, but the example code gets the root certificates by reading the Unix-specific directory /etc/ssl/certs/*.pem and it's not clear to me what the Windows equivalent of this would be.

Paul Crowley asked Nov 10 '10 13:11


1 Answer

The Windows equivalent is "copy /etc/ssl/certs/*.pem from your Linux machine". Mac and Windows have different native APIs for getting at their respective certificate stores, which Twisted doesn't directly support. They don't use OpenSSL certificates natively, and they certainly don't put things in as straightforward a layout as 'directory of PEM files'. If you can export your trust roots as PEMs, you could then ask Twisted (well, really, OpenSSL via PyOpenSSL) to verify it that way.

I am abstractly interested in doing this in a super-portable way, but I've never actually tried it. Here are some links to get you started: SecureTransport reference, Microsoft Cryptography Functions.

In the SecureTransport reference, the documentation points out that SSLGetTrustedRoots is deprecated but doesn't mention the alternative SSLCopyTrustedRoots which isn't. That's probably the API you want to start with on a Mac (via PyObjC). On Windows, I'm really not sure, except somewhere in that pile of functions there's probably one that does what you would like, and maybe you can call it with ctypes :).

Glyph answered Nov 15 '22 10:11
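An added example, not part of the answer above: one way to do the "export your trust roots as PEMs" step on Windows with the Python standard library's `ssl.enum_certificates()` (Windows-only, Python 3.4 and later). The function names `roots_to_pem` and `export_windows_roots` and the output file name are hypothetical.

```python
import ssl
import sys

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (TLS server authentication)


def roots_to_pem(entries):
    """Turn (cert_bytes, encoding_type, trust) tuples into one PEM bundle.

    The tuple shape is what ssl.enum_certificates() returns on Windows.
    Only X.509 DER entries trusted for TLS server authentication are kept,
    so roots limited to e.g. code signing never become TLS trust anchors.
    """
    seen = set()
    blocks = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # PKCS#7 blobs are not single certificates
        # trust is True (all purposes) or a set of EKU OID strings
        if trust is not True and SERVER_AUTH_OID not in trust:
            continue
        if der in seen:
            continue  # drop exact duplicates
        seen.add(der)
        blocks.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(blocks)


def export_windows_roots(path, stores=("ROOT",)):
    """Write the Windows system trust roots to `path`; return the count."""
    if sys.platform != "win32":
        raise OSError("ssl.enum_certificates() is only available on Windows")
    entries = []
    for store in stores:
        entries.extend(ssl.enum_certificates(store))
    pem = roots_to_pem(entries)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)
    return pem.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Hypothetical output file name.
    print(export_windows_roots("windows-roots.pem"), "certificates exported")
```

The resulting bundle can be handed to OpenSSL as a CA file, for example through pyOpenSSL's `Context.load_verify_locations()`. It is a snapshot of the store at export time, so it needs re-exporting when the system roots change.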