Question
· Jan 23

X509 Certificate - how to save it?

Given a string beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----", how do I save the string as an X509 certificate in ObjectScript?

Product version: IRIS 2024.1
Discussion (6)

from OpenSSL import crypto
from cryptography.hazmat.primitives import serialization

def verify_chain(signer_cert, ca_bundle_path):
    """Verify that the signer certificate chains up to a trusted CA in the bundle."""
    # Load trusted CAs
    ca_store = crypto.X509Store()

    with open(ca_bundle_path, "rb") as f:
        pem_data = f.read()

    # Split bundle into individual certs
    for chunk in pem_data.split(b"-----END CERTIFICATE-----"):
        block = chunk.strip()
        if not block:
            continue
        block += b"\n-----END CERTIFICATE-----\n"
        try:
            ca = crypto.load_certificate(crypto.FILETYPE_PEM, block)
            ca_store.add_cert(ca)
        except Exception:
            # Skip chunks that aren't PEM certificates (e.g. bundle comments)
            continue

    # Convert cryptography.x509.Certificate -> OpenSSL.crypto.X509
    signer_pem = signer_cert.public_bytes(encoding=serialization.Encoding.PEM)
    signer_x509 = crypto.load_certificate(crypto.FILETYPE_PEM, signer_pem)

    # Now verify: raises if no chain to a store CA can be built
    store_ctx = crypto.X509StoreContext(ca_store, signer_x509)
    try:
        store_ctx.verify_certificate()
        print("✔ Certificate chain validation passed.")
    except Exception as e:
        raise ValueError(f"Certificate chain validation failed: {e}")
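Added example (my own stdlib-only Python, not code from this thread and not the IRIS API): a parser for the PEM string the question describes, which also splits a CA bundle more strictly than the loop above, checking that the BEGIN/END labels match, that the base64 is valid and that the DER is complete instead of silently skipping bad chunks, and then producing the bytes to save as DER or as normalized PEM. SAMPLE_BUNDLE and its tiny DER bodies are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label. LF or CRLF
# endings are accepted; text between blocks (CA-bundle comments) is ignored.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Constructed sample (NOT real certificates): bodies decode to the 5-byte DER SEQUENCE {INTEGER 5}.
SAMPLE_BUNDLE = (
    "# constructed CA bundle\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMAMC\r\nAQU=\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN PRIVATE KEY-----\r\nMAMCAQU=\r\n-----END PRIVATE KEY-----\r\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n")

def _der_length_ok(der: bytes) -> bool:
    """One DER SEQUENCE (tag 0x30) whose length matches the data: catches truncation."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short form: length is this byte
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def pem_certificates(pem_text: str) -> list:
    """DER bytes of every CERTIFICATE block, in order. Invalid base64 or a truncated
    body raises ValueError instead of being skipped, so damage is noticed."""
    certs = []
    for m in _PEM_BLOCK.finditer(pem_text):
        if m.group(1) != "CERTIFICATE":     # keys, CRLs, CSRs are not certificates
            continue
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        if not _der_length_ok(der):
            raise ValueError("PEM body is not a complete DER SEQUENCE")
        certs.append(der)
    return certs

def certificate_file_bytes(pem_text: str, as_der: bool = False) -> bytes:
    """Bytes to write to disk for the one certificate in pem_text: raw DER, or PEM
    re-wrapped to LF endings and 64-column lines. Refuses 0 or several blocks."""
    certs = pem_certificates(pem_text)
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(certs)}")
    if as_der:
        return certs[0]
    b64 = base64.b64encode(certs[0]).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()
```

Write the returned bytes with a binary file write; a .cer/.der file takes the DER form, a .pem file the re-wrapped form.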

To verify a certificate against a CA Certificate Chain you can use:

Set Result=$SYSTEM.Encryption.X509VerifyCertChain(Certificate, CAChainFileName)

See X509VerifyCertChain() documentation for details.

To verify the validity of a signature you can use:

Set SignIsValid=$system.Encryption.RSASHAVerify(Bitlength,Payload,Signature,SignCertificate)

See RSASHAVerify() documentation for details.