Thanks. Well, I did not use PKCS7_verify() because I could not find examples using it. Since you wrote it, I guess you might have some examples?
As you know, lots of this is undocumented and it's hard to figure out what to use.

Thanks,
Frank

Dr S N Henson wrote:

> Frank Geck wrote:
> >
> > Steve,
> > Thanks. How did I " tells it to ignore verify errors.."? Did not do
> > that on purpose to my understanding.
> >
>
> Well there's a tendency to copy some of the verify callback examples in
> various files from OpenSSL. These are largely there for debugging
> purposes and to give more information about errors. These will typically
> return 1 in some or all circumstances when the supplied 'ok' parameter
> is zero. From your example:
>
>         if (!ok)
>                 {
>                 BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
>                         X509_verify_cert_error_string(err));
>                 if (depth < 6)
>                         {
>                         ok=1;
>                         X509_STORE_CTX_set_error(ctx,X509_V_OK);
>                         }
>                 ...
>
> This is actually rather dangerous for real purposes in that it's telling
> the verify code to ignore all errors below a certain depth. Effectively
> allowing any certificate (or chain) to be considered valid.
>
> Unless you want to customize certificate verification in some way you
> rarely need a verify callback at all.
>
> > Well I put the CA cert in the store with a link to the hashed name also
> > with a .0 after it. This worked on another program that I did but I seem to
> > be having a problem now. If you don't mind could you look at the piece of
> > code that I have doing this and see if you see any problems (attached)?
> >
>
> Is there some reason you can't use PKCS7_verify()? It's somewhat simpler
> to use than the low level stuff.
>
> Also try verifying the structure using the 'smime' application. If you
> can get it working with that it should be OK. Also you can use the
> openssl utilities 'pkcs7' (to extract certificates) and 'verify' to see
> if you can get the certificate to verify.
>
> Usually the cause of such errors is that the root CA isn't included or
> can't be found in the trusted certificate store.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
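
The command-line checks suggested in the quoted reply ('smime', then 'pkcs7' and 'verify'), as an added example that is not part of the original thread. It builds two throwaway CAs and a signer certificate (all constructed test data; the names good-ca, other-ca and the helper functions are assumptions) and shows that verification succeeds only when the issuing root is supplied as trusted.

```shell
#!/bin/sh
# Added example. Every key, certificate and message here is constructed test data.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Create a throwaway self-signed root CA; $1 is both its CN and file name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# Issue the signer certificate from CA $1.
make_signer() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=signer" \
        -keyout "$work/signer.key" -out "$work/signer.csr" 2>/dev/null
    openssl x509 -req -in "$work/signer.csr" -days 1 -set_serial 1 \
        -CA "$work/$1.crt" -CAkey "$work/$1.key" \
        -out "$work/signer.crt" 2>/dev/null
}

# Verify the signed structure with 'smime', giving root file $1 as the CA file.
verify_p7() {
    if openssl smime -verify -inform PEM -in "$work/msg.p7" -CAfile "$1" \
        -out /dev/null 2>/dev/null; then echo ok; else echo fail; fi
}

# Check the signer certificate extracted by 'pkcs7' with 'verify'.
verify_chain() {
    if openssl verify -CAfile "$1" "$work/embedded.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

make_ca good-ca      # the root that really issued the signer
make_ca other-ca     # an unrelated root
make_signer good-ca
echo "constructed test message" > "$work/msg.txt"
openssl smime -sign -nodetach -in "$work/msg.txt" -outform PEM \
    -signer "$work/signer.crt" -inkey "$work/signer.key" -out "$work/msg.p7"
openssl pkcs7 -in "$work/msg.p7" -print_certs -out "$work/embedded.pem"

echo "smime,  issuing root given:   $(verify_p7 "$work/good-ca.crt")"
echo "smime,  unrelated root given: $(verify_p7 "$work/other-ca.crt")"
echo "verify, issuing root given:   $(verify_chain "$work/good-ca.crt")"
echo "verify, unrelated root given: $(verify_chain "$work/other-ca.crt")"
```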