I've run into a question I've traced to pkcs7_verify.

I use this for non-MIME-specific content (and hence the certs don't necessarily have 'smime-sig' as a key usage (or extended or whatever)).

Yet PKCS7_verify seems to assume smime (and in fact both PKCS7_sign and PKCS7_verify are in p7_smime.c). What happens is that just before the certificates are verified the following occurs:

    X509_STORE_CTX_set_purpose(&cert_ctx,
        X509_PURPOSE_SMIME_SIGN);

I'm surprised to see S/MIME stuff being checked inside of a function whose purpose seems to be to check the signatures on a PKCS7.

I think policy checks about the certs should probably be done before or after calling this function. I'd be happy to reorganize this code a bit, possibly moving these functions to p7_verify.c or somesuch (open to suggestions), and maybe creating some smime-wrappers for this so that smime code isn't impacted.

Or perhaps I'm missing some historical reason why it needs to stay the way it is?

Regards,
jan
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
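
The purpose check described in the message can be reproduced from the command line, because `openssl smime -verify` goes through PKCS7_verify. This is an added example, not part of the original post or of the OpenSSL sources; the certificate, file names and the helper functions `make_signed_blob` and `verify` are constructed for the demonstration, and an `openssl` binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: PKCS7_verify's built-in S/MIME purpose check, seen via the CLI.
# Every file, name and certificate below is constructed for this demo.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_signed_blob() {
    # Self-signed signer whose only extended key usage is codeSigning,
    # i.e. a certificate that was never meant for S/MIME.
    cat > "$workdir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-signer
[ext]
extendedKeyUsage = codeSigning
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$workdir/req.cnf" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null || return 1
    printf 'non-MIME payload\n' > "$workdir/data.bin"
    # Opaque (non-detached) PKCS#7 signedData over raw bytes, no MIME wrapping.
    openssl smime -sign -binary -nodetach -outform PEM -in "$workdir/data.bin" \
        -signer "$workdir/cert.pem" -inkey "$workdir/key.pem" \
        -out "$workdir/sig.p7" 2>/dev/null
}

# verify [extra openssl options]: exit status 0 means signature and chain accepted.
# The verifier's error text is kept in err.txt for inspection.
verify() {
    openssl smime -verify -inform PEM -in "$workdir/sig.p7" \
        -CAfile "$workdir/cert.pem" "$@" -out /dev/null 2>"$workdir/err.txt"
}

make_signed_blob || { echo "setup failed" >&2; exit 1; }

# Default: the chain is checked against the S/MIME signing purpose.
if verify; then echo "default purpose: accepted"
else echo "default purpose: rejected:"
     grep -o '[a-z]* certificate purpose' "$workdir/err.txt" | head -n 1; fi

# Same blob, same trust anchor, purpose check relaxed by the caller.
if verify -purpose any; then echo "-purpose any: accepted"
else echo "-purpose any: rejected"; fi
```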