Hansi Hansi - 19 days ago 5
Python Question

Does PyOpenSSL verify_certificate() do signature verification

I use PyOpenSSL verify_certificate() to verify certificate chains. My code seems to work. But I was wondering if the function also checks the signatures along the certificate chain. Let's assume we have the chain ca_cert -> i_ca_cert -> s_cert. Thus ca_cert signed i_ca_cert and i_ca_cert signed s_cert. Does verify_certificate() check whether the signer's (RSA) key was used to sign the certificate and whether the signature is correct, for every certificate along the chain?

Answer

But I was wondering if the function also checks the signatures along the certificate chain

Of course it does. Otherwise what is the purpose of chain verification? From the OpenSSL documentation (man 1ssl verify on Linux):

The final operation is to check the validity of the certificate chain. The validity period is checked against the current system time and the notBefore and notAfter dates in the certificate. The certificate signatures are also checked at this point.
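The behaviour can be checked empirically. The following is an added example, not part of the original question or answer: it builds the ca_cert -> i_ca_cert -> s_cert chain from the question with constructed RSA keys, then swaps in a leaf and an intermediate that carry the right names and public keys but were signed with an unrelated key. It assumes the `cryptography` package and a pyOpenSSL release whose X509StoreContext accepts `chain=`; `make_cert`, `chain_verifies` and `demo` are illustrative names.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
from OpenSSL import crypto

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, subject_key, issuer_cn, signing_key, is_ca):
    """Issue a certificate for subject_key, signed with signing_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))
    return crypto.X509.from_cryptography(cert)

def chain_verifies(root, intermediate, leaf):
    """True if leaf chains to the trusted root via the untrusted intermediate."""
    store = crypto.X509Store()
    store.add_cert(root)  # only the root is a trust anchor
    ctx = crypto.X509StoreContext(store, leaf, chain=[intermediate])
    try:
        ctx.verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False

def demo():
    ca_key, i_key, s_key, rogue_key = (
        rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4))
    ca_cert = make_cert("ca_cert", ca_key, "ca_cert", ca_key, True)
    i_ca_cert = make_cert("i_ca_cert", i_key, "ca_cert", ca_key, True)
    s_cert = make_cert("s_cert", s_key, "i_ca_cert", i_key, False)
    # Constructed forgeries: correct names and public keys, but signed by rogue_key.
    bad_s_cert = make_cert("s_cert", s_key, "i_ca_cert", rogue_key, False)
    bad_i_ca_cert = make_cert("i_ca_cert", i_key, "ca_cert", rogue_key, True)
    return {"valid": chain_verifies(ca_cert, i_ca_cert, s_cert),
            "forged_leaf": chain_verifies(ca_cert, i_ca_cert, bad_s_cert),
            "forged_intermediate": chain_verifies(ca_cert, bad_i_ca_cert, s_cert)}

if __name__ == "__main__":
    print(demo())
```

Only the genuine chain verifies; a bad signature at either link makes verify_certificate() raise X509StoreContextError.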
