A year ago I wrote some code to verify a PKCS7 signature. At the time that I wrote it, I believe it worked - the signature would verify. But when I run it now, it fails. A newer (current) version of this code, using a newer version of the OpenSSL library is also failing, but in a different way.
The errors I get with the year-old code resemble this:

depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert [EMAIL PROTECTED]
verify error:num=10:Certificate has expired
verify return:1
depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert [EMAIL PROTECTED]
verify return:1

The error I get with the new code is this:

696:error:2106B00B:PKCS7 routines:PKCS7_dataVerify:X509 lib:.\crypto\pkcs7\pk7_doit.c:684:

For your quick & easy reference, the relevant line is below, indicated with >>>>>

\crypto\pkcs7\pk7_doit.c:
=========================
        /* were we able to find the cert in passed to us */
        if (x509 == NULL)
                {
                PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_CERTIFICATE);
                goto err;
                }

        /* Lets verify */
        X509_STORE_CTX_init(ctx,cert_store,x509,cert);
        X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
        i=X509_verify_cert(ctx);
        if (i <= 0)
                {
>>>>>           PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
                X509_STORE_CTX_cleanup(ctx);
                goto err;
                }

So, evidently the new code could not verify the certificate either. (Why am I getting different errors with what I think is essentially the same code, incidentally?)
The signature was produced using a VeriSign certificate a year ago, and my verification certificates are at least a year old. I gather that certificates and the signatures produced with them expire. Which, in this case, has expired? What do I need to update in order to be able to verify this signature again, or can't I? I'm confused. Can someone suggest how to start on understanding this?

Thanks!
- Bob

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
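As an added illustration (not part of Bob's post and not OpenSSL code), the following Python script parses the verify-callback trace quoted in the post and reports, per chain depth, which certificate raised which error. The numeric-to-name mapping for codes 10, 20 and 27 is OpenSSL's own X509_V_ERR_* numbering; the parsing regex, the explanation strings and the function names are my own construction.

```python
"""Triage of an OpenSSL X509 verify-callback trace.

Parses the "depth=N <subject> verify error:num=N:<text> verify return:N"
records printed by OpenSSL's default verify callback, groups them by chain
depth, and reports which certificate failed with which error.
"""
import re

# X509_V_ERR_* codes as they appear in "verify error:num=N" lines.
# Only the three codes seen in the trace are mapped; others are reported by number.
X509_V_ERR_NAMES = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    27: "X509_V_ERR_CERT_UNTRUSTED",
}

# What each error says about the chain element it was raised on (my wording).
EXPLANATIONS = {
    10: "its notAfter date is earlier than the time used for verification",
    20: "its issuer certificate was not found in the local trust store",
    27: "no trusted anchor was reached for it",
}

# One callback record. The trace may be flattened onto one line or split across
# lines, so the subject is matched lazily up to the next "verify ..." keyword.
RECORD_RE = re.compile(
    r"depth=(?P<depth>\d+)\s+(?P<subject>.+?)\s+"
    r"(?:verify error:num=(?P<num>\d+):(?P<text>.+?)\s+)?"
    r"verify return:(?P<ret>\d+)",
    re.DOTALL,
)

# The trace quoted in the post, with its line wrapping restored.
SAMPLE_TRACE = """\
depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert [EMAIL PROTECTED]
verify error:num=10:Certificate has expired
verify return:1
depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert [EMAIL PROTECTED]
verify return:1
"""


def parse_trace(trace):
    """Return a list of (depth, subject, error_num_or_None, error_text) records."""
    records = []
    for m in RECORD_RE.finditer(trace):
        num = int(m.group("num")) if m.group("num") else None
        records.append((int(m.group("depth")), m.group("subject"), num, m.group("text")))
    return records


def common_name(subject):
    """Extract the CN from an OpenSSL slash-separated one-line subject."""
    m = re.search(r"/CN=([^/]+)", subject)
    return m.group(1).strip() if m else subject


def triage(trace):
    """Group errors by depth: {depth: {"cn": ..., "errors": [(num, name, text), ...]}}."""
    chain = {}
    for depth, subject, num, text in parse_trace(trace):
        entry = chain.setdefault(depth, {"cn": common_name(subject), "errors": []})
        if num is not None:
            entry["errors"].append((num, X509_V_ERR_NAMES.get(num, "X509_V_ERR_%d" % num), text))
    return chain


def expired_depths(trace):
    """Depths at which error 10 (certificate has expired) was raised; depth 0 is the signer."""
    chain = triage(trace)
    return sorted(d for d, e in chain.items() if any(n == 10 for n, _, _ in e["errors"]))


def report(trace):
    """One summary line per (depth, error), so the failing element is obvious at a glance."""
    chain = triage(trace)
    lines = []
    for depth in sorted(chain):
        role = "end-entity (signer)" if depth == 0 else "issuer at depth %d" % depth
        for num, name, text in chain[depth]["errors"]:
            lines.append("depth=%d %s CN=%r: %s (%d): %s"
                         % (depth, role, chain[depth]["cn"], name, num, EXPLANATIONS.get(num, text)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Run on the trace from the post, the script reports the expiry (error 10) only at depth 0, i.e. on the signer's own end-entity certificate, while the depth 1 intermediate fails for a separate reason: its issuer is not in the verifying trust store (errors 20 and 27). Those are two distinct things to look at, the signing certificate having passed its notAfter date and the verifier's store lacking the VeriSign issuing chain. Whether a signature made while the certificate was still valid should still be accepted is a local policy decision; newer OpenSSL releases let the caller pin the verification time with X509_VERIFY_PARAM_set_time() so that the chain is checked as of the signing time rather than the current clock.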