Frank Geck wrote:
> 
> Steve,
>     Thanks.  How did I "tell it to ignore verify errors.."?   Did not do
> that on purpose to my understanding.
> 

Well there's a tendency to copy some of the verify callback examples in
various files from OpenSSL. These are largely there for debugging
purposes and to give more information about errors. These will typically
return 1 in some or all circumstances when the supplied 'ok' parameter
is zero. From your example:

        if (!ok)
        {
                BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
                        X509_verify_cert_error_string(err));
                if (depth < 6)
                {
                        ok=1;
                        X509_STORE_CTX_set_error(ctx,X509_V_OK);
                }
        ...

This is actually rather dangerous for real purposes in that it's telling
the verify code to ignore all errors below a certain depth, effectively
allowing any certificate (or chain) to be considered valid.

Unless you want to customize certificate verification in some way you
rarely need a verify callback at all.


>     Well I put the CA cert in the store with a link to the hashed name also
> with a .0 after it.  This worked on another program that I did but I seem to
> be having a problem now.  If you don't mind could you look at the piece of
> code that I have going this and see if you see any problems (attached)?
> 

Is there some reason you can't use PKCS7_verify()? It's somewhat simpler
to use than the low level stuff.

Also try verifying the structure using the 'smime' application. If you
can get it working with that it should be OK. Also you can use the
openssl utilities 'pkcs7' (to extract certificates) and 'verify' to see
if you can get the certificate to verify.

Usually the cause of such errors is that the root CA isn't included or
can't be found in the trusted certificate store.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
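The command-line checks Steve suggests, carried out end to end as an added shell example (not code from the thread): it builds a constructed throwaway CA and signer, signs a message with 'smime', then verifies it with 'smime -verify' and with 'pkcs7' plus 'verify', including the failing case where the issuing root is not in the trusted store. It assumes an 'openssl' binary (1.1 or 3.x) on PATH; all file names are the example's own.

```shell
# Added example (not from the thread): Steve's checks run with the openssl
# command-line tools against a constructed, throwaway PKI.
# Assumes an 'openssl' binary (1.1 or 3.x) is on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed trust anchors: the real issuing CA plus an unrelated CA that
# plays the part of a trust store in which the right root cannot be found.
setup_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout other.key -out other_ca.pem >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=signer" \
        -keyout signer.key -out signer.csr >/dev/null 2>&1
    openssl x509 -req -days 1 -in signer.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out signer.pem >/dev/null 2>&1
}

# Produce an S/MIME signed message; the signer certificate travels inside it.
sign_message() {
    printf 'hello\n' > msg.txt
    openssl smime -sign -in msg.txt -signer signer.pem -inkey signer.key \
        -out msg.p7m
}

# Check 1: verify the whole structure with the 'smime' application against
# the given trust anchor file. Returns 0 only if the chain reaches that file.
verify_against() {
    openssl smime -verify -in msg.p7m -CAfile "$1" -out /dev/null >/dev/null 2>&1
}

# Check 2: extract the certificates with 'pkcs7' and run 'verify' on them,
# which separates a chain-building problem from a signature problem.
extract_and_verify() {
    openssl smime -pk7out -in msg.p7m -out msg.p7 >/dev/null 2>&1
    openssl pkcs7 -in msg.p7 -print_certs -out certs.pem >/dev/null 2>&1
    openssl verify -CAfile "$1" certs.pem >/dev/null 2>&1
}

setup_test_pki
sign_message
verify_against ca.pem && echo "smime -verify with the issuing CA: OK"
verify_against other_ca.pem || echo "smime -verify without the issuing CA: fails"
extract_and_verify ca.pem && echo "pkcs7 + verify with the issuing CA: OK"
```

The second 'smime -verify' run fails with the "unable to get local issuer certificate" class of error that the message above describes: the signature is fine, but the root is not in the trusted store.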