On Fri, Sep 06, 2002, Aonzo Emanuele wrote:

> Hi,
> I'm Emanuele Aonzo from Italy and I have a problem with signature
> verification. The signed document is a PKCS#7 and I've tried to verify its
> signature. The result was INVALID_PURPOSE because the signer certificate
> doesn't have the "S/MIME signing" purpose. I need to sign with this kind of
> certificate and I can't disable this control because if I set the
> PKCS7_NOCHAIN flag the verification is OK but I can't verify the cert chain.
>
> I'd like a separation of chain verification and purpose verification.
>
> This is the OpenSSL code:
>
>     if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
>         signer = sk_X509_value(signers, k);
>         if (!(flags & PKCS7_NOCHAIN)) {
>             if (!X509_STORE_CTX_init(&cert_ctx, store, signer, p7->d.sign->cert))
>             {
>                 PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
>                 sk_X509_free(signers);
>                 return 0;
>             }
>             X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_SMIME_SIGN);
>         } else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL)) {
>             PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
>             sk_X509_free(signers);
>             return 0;
>         }

Why are the certificates failing the purpose check? Could you send me a sample certificate chain that fails?
You could set PKCS7_NOVERIFY and verify the chain manually. Alternatively you could set a verify callback and override the invalid purpose error.

Steve.
--
Dr. Stephen Henson
OpenSSL Project http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List