On Fri, Sep 06, 2002, Aonzo Emanuele wrote:

> Hi,
> I'm Emanuele Aonzo from Italy and I have a problem with signature
> verification. The signed document is a PKCS#7 and I've tried to verify its
> signature. The result was INVALID_PURPOSE because the signer certificate
> doesn't have the "S/MIME signing" purpose. I need to sign with this kind of
> certificate and I can't disable this check because if I set the
> PKCS7_NOCHAIN flag the verification is OK but I can't verify the cert chain.
> 
> I'd like a separation of chain verification and purpose verification    
> 
> 
> this is the openssl code 
> 
>     if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
>         signer = sk_X509_value (signers, k);
>         if (!(flags & PKCS7_NOCHAIN)) {
>             if(!X509_STORE_CTX_init(&cert_ctx, store, signer, p7->d.sign->cert))
>                 {
>                 PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
>                 sk_X509_free(signers);
>                 return 0;
>                 }
>             X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_SMIME_SIGN);
>         } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
>             PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
>             sk_X509_free(signers);
>             return 0;
>         }
> 
Why are the certificates failing the purpose check? Could 
you send me a sample certificate chain that fails?

You could set PKCS7_NOVERIFY and verify the chain manually.

Alternatively you could set a verify callback and override
the invalid purpose error.

Steve.
--
Dr. Stephen Henson      [EMAIL PROTECTED]            
OpenSSL Project         http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]