Is there a way for a Python/Twisted program to cleanly make use of the list of root certificates that Internet Explorer uses to validate an SSL connection to an HTTPS server? The answers provided to "Validate SSL certificates with Python" are very helpful, but the example code gets the root certificates by reading the Unix-specific directory /etc/ssl/certs/*.pem and it's not clear to me what the Windows equivalent of this would be.
The Windows equivalent is "copy /etc/ssl/certs/*.pem from your Linux machine". Mac and Windows have different native APIs for getting at their respective certificate stores, which Twisted doesn't directly support. They don't use OpenSSL certificates natively, and they certainly don't put things in as straightforward a layout as 'directory of PEM files'. If you can export your trust roots as PEMs, you could then ask Twisted (well, really, OpenSSL via PyOpenSSL) to verify it that way.
I am abstractly interested in doing this in a super-portable way, but I've never actually tried it. Here are some links to get you started: SecureTransport reference, Microsoft Cryptography Functions.
In the SecureTransport reference, the documentation points out that SSLGetTrustedRoots is deprecated but doesn't mention the alternative SSLCopyTrustedRoots which isn't. That's probably the API you want to start with on a Mac (via PyObjC). On Windows, I'm really not sure, except somewhere in that pile of functions there's probably one that does what you would like, and maybe you can call it with ctypes :).