I have a PKCS#7 message that contains a chain of certificates. The root certificate is the Apple CA. I am using Ruby to verify the message and I have something that I think works, but I am wondering if there is a much easier method of doing what I am doing...

My specific question is in regard to OpenSSL::PKCS7::NOVERIFY, which I am using to verify the message internally. The message passes this verification, but I want to verify that all the certificates trace back to a real root CA. So I added a loop to check each of the certificates included and store them in an X509 store if they pass verification. I seed the store with the Apple root CA. However, if I try to verify the PKCS#7 message without OpenSSL::PKCS7::NOVERIFY, even with the store containing all of the certs, it fails. I must be doing something dumb here, but unfortunately the Ruby OpenSSL docs are terrible to non-existent.

#!/usr/bin/env ruby
require 'rubygems'
require 'openssl'
require 'plist'

signed_response_data = ''

# wget http://www.apple.com/appleca/AppleIncRootCertificate.cer
# openssl x509 -inform der -in AppleIncRootCertificate.cer -out certificate.pem
# Seed the store with the Apple root CA as the only trust anchor.
store = OpenSSL::X509::Store.new
cert = OpenSSL::X509::Certificate.new(File.read("certificate.pem"))
store.add_cert(cert)

# Load the signed message (DER or PEM; OpenSSL::PKCS7.new accepts either).
File.open('sign.dat', 'r') { |f| signed_response_data = f.read }
p7sign = OpenSSL::PKCS7.new(signed_response_data)

puts p7sign.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
# This outputs true, but I am not verifying the certificates

# This works: walk the embedded certs innermost first, verifying each one
# against the store and then adding it as a trust anchor for the next.
p7sign.certificates.reverse.each { |c|
  if store.verify(c)
    store.add_cert(c)
  else
    raise("fail")
  end
}

puts p7sign.verify(nil, store, nil)
# this outputs false. Why?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
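The following is an added, self-contained example and not the poster's script or anything from Apple. It builds its own throwaway root -> intermediate -> leaf chain in memory (all names, keys and the "constructed receipt body" payload are constructed here), signs a PKCS#7 message with the leaf, and then shows the difference between the two calls in the question: with OpenSSL::PKCS7::NOVERIFY the signature is checked but the chain is not, so it reports true even against an empty store; without the flag, PKCS7#verify builds the chain from the certificates carried in the message up to an anchor in the store, and it only reports true when the store holds the trusted root. It also reproduces the poster's manual walk over p7.certificates, and demonstrates one caveat that is easy to miss: PKCS7_verify applies the S/MIME signing purpose to the signer certificate, so a leaf whose keyUsage lacks digitalSignature (or nonRepudiation) fails chain verification even though every certificate in the chain is trusted.

```ruby
#!/usr/bin/env ruby
# Added example (not the poster's code): constructed PKCS#7 chain verification.
require 'openssl'

# Issue an X.509 v3 certificate. issuer_cert/issuer_key are nil for a self-signed
# root. key_usage is overridable so a caller can build a leaf that fails the
# S/MIME signing purpose check that PKCS7#verify applies to the signer.
def issue_cert(cn, key, serial, issuer_cert: nil, issuer_key: nil, ca: false, key_usage: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  ku = key_usage || (ca ? 'keyCertSign, cRLSign' : 'digitalSignature')
  cert.add_extension(ef.create_extension('keyUsage', ku, true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed three-level chain; only the root is meant to be a trust anchor.
def build_chain(leaf_key_usage: 'digitalSignature')
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = issue_cert('Constructed Root CA', root_key, 1, ca: true)
  int_key = OpenSSL::PKey::RSA.new(2048)
  inter = issue_cert('Constructed Intermediate CA', int_key, 2,
                     issuer_cert: root, issuer_key: root_key, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = issue_cert('Constructed Signer', leaf_key, 3,
                    issuer_cert: inter, issuer_key: int_key, key_usage: leaf_key_usage)
  { root: root, inter: inter, leaf: leaf, leaf_key: leaf_key }
end

# Sign data with the leaf. The leaf and the intermediate travel inside the
# message, like the chain shipped in a signed receipt. Returns DER bytes.
def sign_message(chain, data)
  OpenSSL::PKCS7.sign(chain[:leaf], chain[:leaf_key], data, [chain[:inter]],
                      OpenSSL::PKCS7::BINARY).to_der
end

# Verify a DER PKCS#7 message against a store seeded only with `trusted`.
# Without NOVERIFY, the signer's chain must reach one of those anchors.
def verify_with_store(der, trusted, flags = 0)
  p7 = OpenSSL::PKCS7.new(der)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  p7.verify(nil, store, nil, flags)
end

# The poster's manual walk: verify each shipped certificate against the store,
# innermost first, and promote it to an anchor for the next one.
def manual_chain_check(der, root)
  p7 = OpenSSL::PKCS7.new(der)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  p7.certificates.reverse.all? do |c|
    ok = store.verify(c)
    store.add_cert(c) if ok
    ok
  end
end

if __FILE__ == $0
  good = build_chain
  der = sign_message(good, 'constructed receipt body')
  puts "NOVERIFY, empty store:     #{verify_with_store(der, [], OpenSSL::PKCS7::NOVERIFY)}"
  puts "full verify, empty store:  #{verify_with_store(der, [])}"
  puts "full verify, root trusted: #{verify_with_store(der, [good[:root]])}"
  puts "manual walk, root trusted: #{manual_chain_check(der, good[:root])}"
  bad = build_chain(leaf_key_usage: 'keyEncipherment')
  bad_der = sign_message(bad, 'constructed receipt body')
  puts "leaf lacks digitalSignature, root trusted: #{verify_with_store(bad_der, [bad[:root]])}"
end
```

The manual walk and the full verify disagree on the second chain for a reason worth knowing when debugging a false result: Store#verify on its own applies no certificate purpose, so it accepts the leaf, whereas PKCS7#verify sets the "smime_sign" purpose on the verification context and rejects a signer whose keyUsage does not permit signing. Inspecting the signer's keyUsage and extendedKeyUsage extensions is therefore a good first check when the chain itself looks fine.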