Anyone have an opinion on this? Should I be posting this to
openssl-users instead (forgive me if I chose the wrong list)?
jan
On Jun 3, 2008, at 6:43 PM, Jan Vilhuber wrote:
I've run into a question I've traced to pkcs7_verify.
I use this for non-MIME-specific content (and hence the certs don't
necessarily have 'smime-sig' as a key usage (or extended or
whatever)).
Yet PKCS7_verify seems to assume smime (and in fact both PKCS7_sign
and PKCS7_verify are in p7_smime.c). What happens is that just
before the certificates are verified the following occurs:
    X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_SMIME_SIGN);
I'm surprised to see S/MIME stuff being checked inside of a function
whose purpose seems to be to check the signatures on a PKCS7.
I think policy checks about the certs should probably be done before
or after calling this function. I'd be happy to reorganize this code
a bit, possibly moving these functions to p7_verify.c or somesuch
(open to suggestions), and maybe creating some smime-wrappers for
this so that smime code isn't impacted.
Or perhaps I'm missing some historical reason why it needs to stay
the way it is?
Regards,
jan
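
The S/MIME purpose check described in the message above can be observed from the command line, since `openssl smime -verify` goes through PKCS7_verify. This is an added example, not part of the original thread or of OpenSSL's own code; it assumes an `openssl` binary (1.1.1 or later) on PATH, and the `p7demo_*` names, the throwaway certificate and the message are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed inputs: a throwaway key, certificate and message.
# Assumes an openssl CLI (1.1.1 or later, needed for "req -addext") on PATH.

# Create a self-signed signer whose only extended key usage is codeSigning,
# i.e. a certificate not meant for S/MIME, and sign non-MIME data with it.
p7demo_setup() {
    P7DEMO_DIR=$(mktemp -d) || return 1
    printf 'not an e-mail, just data\n' > "$P7DEMO_DIR/msg.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=p7 demo signer' \
        -addext 'extendedKeyUsage=codeSigning' \
        -keyout "$P7DEMO_DIR/key.pem" -out "$P7DEMO_DIR/cert.pem" 2>/dev/null || return 1
    openssl smime -sign -binary -nodetach -outform DER \
        -in "$P7DEMO_DIR/msg.txt" -signer "$P7DEMO_DIR/cert.pem" \
        -inkey "$P7DEMO_DIR/key.pem" -out "$P7DEMO_DIR/msg.p7" 2>/dev/null
}

# Verify the signed blob, trusting only the demo certificate. Extra verify
# options are passed through; openssl's diagnostics are kept in err.txt.
p7demo_verify() {
    openssl smime -verify -binary -inform DER -in "$P7DEMO_DIR/msg.p7" \
        -CAfile "$P7DEMO_DIR/cert.pem" "$@" -out /dev/null 2>"$P7DEMO_DIR/err.txt"
}

p7demo_cleanup() { rm -rf "$P7DEMO_DIR"; }

# Compare three policies over the same signature:
#   default       signature check plus chain check with the S/MIME signing purpose
#   -purpose any  signature check plus chain check, no purpose restriction
#   -noverify     signature check only; certificate policy is left to the caller
p7demo_report() {
    p7demo_setup || return 1
    out=
    for opts in '' '-purpose any' '-noverify'; do
        # $opts is left unquoted on purpose so "-purpose any" becomes two words
        if p7demo_verify $opts; then res=ok; else res=FAIL; fi
        out="$out[${opts:-default}: $res]"
    done
    p7demo_cleanup
    echo "$out"
}

p7demo_report
```

With `-noverify` no chain is built at all, so a caller using it has to validate the signer certificate separately before trusting the result.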
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List