How can I verify an X509 certificate in python including a CRL check?

I'm trying to verify an X509 certificate using python. In particular I need to check CRLs when I do it.

Now, you can use m2crypto to do this, but I can't find an option corresponding to openssl's -crl_check or -crl_check_all.

Alternatively, I could use a pipe and call openssl directly:

p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"], 
           stdin = PIPE, stdout = PIPE, stderr = PIPE)

message, error = p1.communicate(certificate)
exit_code = p1.returncode

However, it seems that openssl verify always returns an exit code 0, so I would have to compare strings somehow to tell if the verification is successful, which I'd prefer not to do.

Am I missing something simple here?

Thanks.

OK, well what I've done is this:

p1 = Popen(["openssl", "verify", "-CApath", capath, "-crl_check_all"], 
           stdin = PIPE, stdout = PIPE, stderr = PIPE)

message, error = p1.communicate(certificate)

verified = ("OK" in message and not "error" in message)

It's not what I would have chosen. It has passed my tests, but I'm not certain that it will always work. I don't know C well enough to read the openssl source code and verify it.

If anyone can find a situation where this would fail, please comment.

I submitted a patch to M2Crypto that allows X509 certificate verification against a chain of CAs as well as multiple CRLs.

https://bugzilla.osafoundation.org/show_bug.cgi?id=12954#c2

See this post for more info: How do I use m2crypto to validate a X509 certificate chain in a non-SSL setting

Looking at the source code of openssl's verify.c, it indeed returns 0 all the time, and there's no way to change that. However, you don't need to call openssl on the command line: there are python bindings for the library.