Hi,
 
I am having trouble again with verifying certs in PKCS7 structure.
 
Setting purpose to 'any' using the openssl API worked the very first time.
From the second run onwards it keeps throwing
error:0B086079:lib(11):fun(134):reason(121)
 
I believe the error is - x509 certificate 
routines:X509_STORE_CTX_purpose_inherit:unknown purpose id.
 
But on the openssl command line it verifies fine.
 
I could not figure out what the problem is here. Could someone tell me what is
wrong with setting purpose to 'any'?
 
Any help is greatly appreciated.
 
Thanks,
Prkj
 


From: prkj...@hotmail.com
To: openssl-users@openssl.org
Subject: RE: Question regarding PKCS7_verify
Date: Thu, 10 Mar 2011 13:49:08 -0800




Thanks for the quick response.

Adding -purpose any surely works.

I had to change my code to get certs from PKCS7 structure and create X509 store 
context and set purpose to X509_PURPOSE_ANY.
This approach works.

But I was wondering if it is a problem with the certificates or with the openssl API itself.
Currently the openssl version I am using is 0.9.8g.

I remember it was working with 0.9.7. Or it never checked or ignored purpose.

Thanks for your help.
Prkj


> Date: Thu, 10 Mar 2011 22:05:03 +0100
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Question regarding PKCS7_verify
> 
> On Thu, Mar 10, 2011, prk j wrote:
> 
> > 
> > Hi,
> > 
> > I am new at using openssl API's. Here is my situation.
> > 
> > I have following set of certificates with X509 extensions defined for code 
> > signing in PKCS#7 format.
> > 
> > Root CA - Key usage (critical): Certificate Sign, CRL Sign
> > CVC Sub- CA - Key usage (critical): Certificate Sign, CRL Sign
> > CVC cert - Key usage (critical): Digital Signature, Key Encipherment. 
> > Extended Key Usage (critical): Code Signing
> > 
> > PKCS#7 signature includes CVC Sub-CA and CVC certs. So when I verify the 
> > signature using PKCS7_verify() I am getting 
> > error: "unsupported certificate purpose".
> > 
> > I tried openssl smime command line utility. It fails with same error. 
> > Following is the command I am using:
> > 
> > openssl smime -verify -CAfile Root-CA -inform PEM -in pk7blob -content data-signed
> > Verification failure
> > 3420:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:231:Verify error:unsupported certificate purpose
> > 
> > If I use '-noverify', signature itself is verified successfully.
> > 
> > I am not sure why it is failing even "Code Signing" is mentioned in 
> > Extended Key usage.
> > 
> > Any help is appreciated.
> > 
> 
> It is failing because the smime utility by default checks for email signing and
> the extended key usage is critical and doesn't support that.
> 
> See if adding -purpose any to the command line helps.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
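
The purpose check described in the reply above, as an added example that is not part of the original thread and is not OpenSSL's code: a simplified C model of a per-certificate purpose test run over the three certificates listed in the first post. All names are hypothetical; the model assumes the two CA certificates carry no extended key usage extension and that an extended key usage extension is enforced whenever it is present.

```c
#include <stdio.h>

/* Simplified model of a purpose check; hypothetical names, not OpenSSL's code. */
enum { KU_DIGSIG = 1, KU_KEYENC = 2, KU_CERTSIGN = 4, KU_CRLSIGN = 8 }; /* keyUsage bits */
enum { EKU_NONE = 0, EKU_EMAIL = 1, EKU_CODESIGN = 2 }; /* EKU bits; 0 = extension absent */
enum purpose { PURPOSE_SMIME_SIGN, PURPOSE_ANY };

struct cert { const char *name; int is_ca; unsigned ku; unsigned eku; };

/* Returns 1 if the certificate is acceptable for the purpose, 0 otherwise. */
static int check_purpose(const struct cert *c, enum purpose p)
{
    if (p == PURPOSE_ANY)
        return 1;                           /* "any" skips the purpose test */
    /* S/MIME signing: an EKU extension, when present, must list emailProtection. */
    if (c->eku != EKU_NONE && !(c->eku & EKU_EMAIL))
        return 0;
    if (c->is_ca)
        return (c->ku & KU_CERTSIGN) != 0;  /* a CA must be allowed to sign certificates */
    return (c->ku & KU_DIGSIG) != 0;        /* the signer needs digitalSignature */
}

/* Chain constructed from the extensions listed in the first post, leaf first.
 * Assumption: the CA certificates have no EKU extension. */
static const struct cert chain[] = {
    { "CVC cert",   0, KU_DIGSIG | KU_KEYENC,    EKU_CODESIGN },
    { "CVC Sub-CA", 1, KU_CERTSIGN | KU_CRLSIGN, EKU_NONE },
    { "Root CA",    1, KU_CERTSIGN | KU_CRLSIGN, EKU_NONE },
};

/* Returns the index of the first certificate that fails, or -1 if all pass. */
int first_rejected(enum purpose p)
{
    for (int i = 0; i < (int)(sizeof chain / sizeof chain[0]); i++)
        if (!check_purpose(&chain[i], p))
            return i;
    return -1;
}

int main(void)
{
    int i = first_rejected(PURPOSE_SMIME_SIGN);
    printf("smimesign: %s\n", i < 0 ? "chain accepted" : chain[i].name);
    i = first_rejected(PURPOSE_ANY);
    printf("any:       %s\n", i < 0 ? "chain accepted" : chain[i].name);
    return 0;
}
```

In this model only the leaf (the code-signing certificate) trips the S/MIME check; both CA certificates pass either purpose.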
                                          
