After extensive research, the closest thing we have to that is in Net::SSLeay, which has bindings to a ton of low-level openssl functions. In v1.83 2018-01-06 they added these:
X509_STORE_CTX_new and X509_verify_cert
but I couldn't get past related segfaults and there's not much documentation on there. So I ended up doing:
- use Convert::ASN1 to re-encode the tbsCertificate data I had decoded in my PKCS#7 file ("tbs" it turns out is "to-be-signed")
- get the signature from the PCKS#7 file
- get the subjectPublicKeyInfo.subjectPublic Key from the cert that signed this cert
- feed that to $signer_key = Crypt::OpenSSL::RSA->new_public_key($signer_key_pem);
- and then do $signer_key->verify($cert_as_signed, $signature)
and wash, rinse, repeat for each of the certs in the chain.