On Thu, Mar 10, 2011, prk j wrote:

> 
> Hi,
> 
> I am new at using openssl APIs. Here is my situation.
> 
> I have the following set of certificates with X509 extensions defined for code 
> signing in PKCS#7 format.
> 
> Root CA - Key usage (critical): Certificate Sign, CRL Sign
> CVC Sub- CA - Key usage (critical): Certificate Sign, CRL Sign
> CVC cert - Key usage (critical): Digital Signature, Key Encipherment. 
> Extended Key Usage (critical): Code Signing
> 
> PKCS#7 signature includes CVC Sub-CA and CVC certs. So when I verify the 
> signature using PKCS7_verify() I am getting 
> error: "unsupported certificate purpose".
> 
> I tried openssl smime command line utility. It fails with same error. 
> Following is the command I am using:
> 
> openssl smime -verify -CAfile Root-CA -inform PEM -in pk7blob -content data-signed
> Verification failure
> 3420:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:231:Verify error:unsupported certificate purpose
> 
> If I use '-noverify', signature itself is verified successfully.
> 
> I am not sure why it is failing even though "Code Signing" is mentioned in Extended 
> Key usage.
> 
> Any help is appreciated.
> 

It is failing because the smime utility by default checks for email signing and
the extended key usage is critical and doesn't support that.

See if adding -purpose any to the command line helps.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org