[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pulp-list] M2Crypto patch submitted upstream for cert verification against a chain of CAs and CRL support



We have submitted a request to upstream M2Crypto asking that a patch be accepted which will allow us to verify a certificate against a chain of CAs as well as honor all CRLs which are available.  Additionally we have filed a BZ requesting that this patch be included in the Fedora version of M2Crypto.  In the meantime we will continue to carry a patched M2Crypto in the Pulp repos.

The heart of the patch is adding a "verify_cert" call to the X509_Store_Context.  This allows us to essentially perform the same certificate verification done by "openssl verify".

Below is information relating to this:

Fedora Bug asking to apply patch submitted to upstream:
Bug 784616 - Patch to allow certificate verification against a chain of CAs and a stack of CRLs 
https://bugzilla.redhat.com/show_bug.cgi?id=784616

Upstream, M2Crypto bug:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954


Pulp Wiki Pages:
 https://fedorahosted.org/pulp/wiki/CertChainVerification
 https://fedorahosted.org/pulp/wiki/CertRevocationList

For those interested in seeing some examples, we have sample scripts and code in our 'playpen' directory in git.
 http://git.fedorahosted.org/git/?p=pulp.git;a=tree;f=playpen/certs/chain_example;hb=HEAD


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]