On Tue, Jun 03, 2008, Jan Vilhuber wrote: > I've run into an question I've traced to pkcs7_verify. > > I use this for non-MIME-specific content (and hence the certs don't > necessarily have 'smime-sig' as a key usage (or extended or whatever)). > > Yet PKCS7_verify seems to assume smime (and in fact both PKCS7_sign and > PKCS7_verify are in p7_smime.c). What happens is that just before the > certificates are verified the following occurs: > > X509_STORE_CTX_set_purpose(&cert_ctx, > X509_PURPOSE_SMIME_SIGN); > > I'm surprised to see S/MIME stuff being checked inside of a function who's > purpose seems to be to check the signatures on a PKCS7. > > I think policy checks about the certs should probably be done before or > after calling this function. I'd be happy to reorganize this code a bit, > possibly moving these functions to p7_verify.c or somesuch (open to > suggestions), and maybe creating some smime-wrappers for this so that smime > code isn't impacted. > > Or perhaps I'm missing some historical reason why it needs to stay the way > it is? >
You can disable the default verification using PKCS7_NOVERIFY and then perform whatever verification you want externally. The code should really only set SMIME verification if no other type is set rather than forceably setting it each time. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
