pyopenssl
X509StoreContext.verify_certificate() not checking certificate signature (by default?)
I'm trying to set up a system to generate and check certificates using pyopenssl. In my test suite I am generating certificates with all sorts of faults.
When I generate a properly signed certificate with a 'not valid after' date in the past, verify_certificate() correctly throws an error. However, when I then set the 'not valid after' date to a new date in the future without re-signing it, verify_certificate() returns true, indicating the certificate is valid.
When I export the modified certificate and use the openssl command line to verify the certificate, it correctly reports the signature as invalid.
Am I missing some setting, or did I hit a bug?
I've compressed my project into a single file to illustrate my problem: pyopenssl_test.py
crypto.py, in def __init__ for X509StoreContext:

```python
ret = _lib.X509_STORE_CTX_init(
    self._store_ctx, self._store._store, self._cert._x509, _ffi.NULL
)
```
The store context is not being populated with the CA chain. In the code above, the _ffi.NULL is being passed as the trusted CA stack and should be populated. I'm still looking for how to create the appropriate Cryptography_STACK_OF_X509 pointer to pass as a parameter there.
You can create a Cryptography_STACK_OF_X509 object with sk_X509_new_null(void). You can then push X509 objects onto it via sk_X509_push(X509 *). These are both bound in cryptography's bindings. However, you'll need to carefully investigate the memory handling of that to be sure it's safe to add an X509 object's underlying X509 * to it (does it retain and take ownership?).
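An added example, not from this thread, the reporter's pyopenssl_test.py or pyOpenSSL's own code, that reconstructs the check described in the first post (a properly signed certificate, an expired one, and one whose notAfter is edited after signing) and the chain question raised in the later comments, using only pyOpenSSL's public API. The certificates are constructed in memory with the cryptography library (which pyOpenSSL depends on); the names, dates and the self-signed anchor case are assumptions of the example, since the thread does not show the reporter's setup. The edit to notAfter is made on the DER bytes and the result reloaded, so the verifier sees the edited TBS rather than a cached copy of the original encoding that OpenSSL keeps for a parsed certificate.

```python
"""Added example (not from the issue or pyOpenSSL): exercise X509StoreContext.

Requires pyOpenSSL and cryptography. All certificates are constructed fixtures.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
from OpenSSL import crypto

NOW = datetime.now(timezone.utc).replace(microsecond=0)
DAY = timedelta(days=1)


def make_cert(cn, key, issuer=None, issuer_key=None, ca=False,
              not_before=NOW - DAY, not_after=NOW + 365 * DAY):
    """Build and sign a v3 certificate; self-signed when no issuer is given."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer.subject if issuer is not None else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())


def utc_time(dt):
    """DER UTCTime body (YYMMDDHHMMSSZ), the form used for years before 2050."""
    return dt.strftime("%y%m%d%H%M%SZ").encode()


def bump_not_after(cert, new_not_after):
    """The reporter's step: move notAfter without re-signing.

    Done on the encoded bytes (UTCTime tag 0x17, length 13) and reloaded, so
    the changed TBS is exactly what the signature check sees."""
    der = cert.public_bytes(serialization.Encoding.DER)
    old = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    needle = b"\x17\x0d" + utc_time(old)
    assert der.count(needle) == 1, "notAfter not found exactly once in DER"
    patched = der.replace(needle, b"\x17\x0d" + utc_time(new_not_after))
    return x509.load_der_x509_certificate(patched)


def verify(cert, trusted, untrusted=(), flags=0):
    """Return (ok, reason); reason is OpenSSL's verify error text on failure."""
    store = crypto.X509Store()
    for anchor in trusted:          # trust anchors live in the X509_STORE
        store.add_cert(crypto.X509.from_cryptography(anchor))
    if flags:
        store.set_flags(flags)
    leaf = crypto.X509.from_cryptography(cert)
    if untrusted:
        # Untrusted intermediates are the chain argument (the fourth argument of
        # X509_STORE_CTX_init); assumes a pyOpenSSL release with the chain keyword.
        chain = [crypto.X509.from_cryptography(c) for c in untrusted]
        ctx = crypto.X509StoreContext(store, leaf, chain=chain)
    else:
        ctx = crypto.X509StoreContext(store, leaf)
    try:
        ctx.verify_certificate()
    except crypto.X509StoreContextError as exc:
        return False, str(exc)
    return True, None


def run_scenarios():
    """Run each case and return {description: verified?}."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Test Root", root_key, ca=True)
    inter = make_cert("Test Intermediate", inter_key, root, root_key, ca=True)
    good = make_cert("server.test", leaf_key, root, root_key)
    expired = make_cert("server.test", leaf_key, root, root_key,
                        not_before=NOW - 400 * DAY, not_after=NOW - 30 * DAY)
    via_inter = make_cert("server.test", leaf_key, inter, inter_key)
    # A self-signed anchor that expired and then had its date "fixed" in place.
    stale_root = make_cert("Stale Root", root_key, ca=True,
                           not_before=NOW - 400 * DAY, not_after=NOW - 30 * DAY)
    fixed_root = bump_not_after(stale_root, NOW + 365 * DAY)
    ss_flag = crypto.X509StoreFlags.CHECK_SS_SIGNATURE
    return {
        "good leaf": verify(good, [root])[0],
        "expired leaf": verify(expired, [root])[0],
        "expired leaf, date edited, not re-signed":
            verify(bump_not_after(expired, NOW + 365 * DAY), [root])[0],
        "leaf via intermediate, no chain given": verify(via_inter, [root])[0],
        "leaf via intermediate, chain given": verify(via_inter, [root], untrusted=[inter])[0],
        # OpenSSL skips the signature of a self-signed trust anchor by default ...
        "self-signed anchor, date edited, default flags": verify(fixed_root, [fixed_root])[0],
        # ... unless X509_V_FLAG_CHECK_SS_SIGNATURE is set on the store.
        "self-signed anchor, date edited, CHECK_SS_SIGNATURE":
            verify(fixed_root, [fixed_root], flags=ss_flag)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Two points this makes concrete. First, the fourth argument of X509_STORE_CTX_init is the stack of untrusted certificates OpenSSL may use to complete the chain (intermediates), not the trusted CA set; trust anchors go into the X509_STORE, which is what X509Store.add_cert does, so the NULL in the quoted constructor only matters when an intermediate has to be supplied (recent pyOpenSSL releases accept one via the chain keyword used above). Second, a certificate edited after signing fails the signature check when it is issued by a separate CA, but OpenSSL does not verify the signature of a self-signed trust anchor unless X509_V_FLAG_CHECK_SS_SIGNATURE (X509StoreFlags.CHECK_SS_SIGNATURE) is set, so a test that uses one self-signed certificate as both subject and anchor will see the edited date accepted unless that flag is on.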