> > 696:error:2106B00B:PKCS7 routines:PKCS7_dataVerify:X509 lib:.\crypto\pkcs7\pk7_doit.c:684:
>
> Obviously, X509_verify_cert() failed this time, probably there was no
> callback function installed catching the verification failures.
> You must use a verify_callback to learn about the details of
> the failure.
> But well, you probably already know them from the discussion above.
Ah, thank you! I had this callback installed in my old version, but not my new version - I think I removed it once I believed the code debugged, concluding it was no longer needed. Wrong. So, with the callback in place, I do indeed get more detailed errors. I've added the lines of dashes for clarity, and numbered each block of the verify debug so I can refer to them below:

[1]
depth=2 /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
verify return:1
------------------------------------------------------------------------
[2]
depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
verify return:1
------------------------------------------------------------------------
[3]
depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert Steele/Email=[EMAIL PROTECTED]
verify error:num=10:certificate has expired
verify return:1
------------------------------------------------------------------------
[4]
depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert Steele/Emai [EMAIL PROTECTED]
verify return:1
------------------------------------------------------------------------

Now, obviously #3 is a certificate that has expired - but are 1, 2, and 4 references to other, distinct certificates that are valid? I don't see any way to distinguish these certificates from each other at this level. Part of my problem clearly is I do not know which of these certificates, if any, is the one I would need to use to validate my signature.
Is it possible to examine my signing certificate, determine which CA certificate was used to sign it, and then download it from VeriSign? This would make my testing much clearer, I think.

Anyhow, adding the callback routine now changes the error I get back from OpenSSL:

1904:error:04077068:rsa routines:RSA_verify:bad signature:.\crypto\rsa\rsa_sign.c:210:
1904:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:.\crypto\pkcs7\pk7_doit.c:806:

(If I'm right that adding the callback has changed behavior, why is this?) It seems to be complaining that the signature itself is bad. (This is certainly possible. Although it was a VeriSign product that produced the signature, I may be presenting the detached data it is signing off on incorrectly.) Put very specifically, does this error mean that a corresponding and valid certificate was found, but that the signature itself is bad?

I apologize for the scattershot nature of my questions, and appreciate all and any help.

- Bob
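To make the two questions in the post concrete (which CA issued the signer certificate, and whether a "signature failure" means the chain was accepted but the signature or detached content was not), here is an added example that is not part of the thread: a throwaway CA and signer, a detached PKCS#7 signature, and the openssl CLI checks that separate a chain/trust error from a digest/signature error. All DNs, key sizes and file names are constructed for the demo.

```shell
# Added example, not from the thread: build a throwaway PKI and a detached S/MIME
# signature, then use the openssl CLI to answer "which CA signed the signer?" and
# to tell a chain/trust error from a signature/digest error. All names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed PKI: a CA, a signer certificate issued by it, and an unrelated CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example/CN=Example Class 1 CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=Robert Example" \
    -keyout signer.key -out signer.csr 2>/dev/null
openssl x509 -req -days 1 -in signer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out signer.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Other/CN=Unrelated CA" \
    -keyout other.key -out other.crt 2>/dev/null

# Constructed content plus a detached signature over it. -binary on both sides keeps
# the bytes identical, so a digest mismatch can only mean the content really differs.
printf 'hello detached world\n' > data.txt
printf 'tampered content\n' > wrong.txt
openssl smime -sign -binary -in data.txt -signer signer.crt -inkey signer.key \
    -outform PEM -out sig.p7s

# Which CA issued a certificate?  Its issuer DN must equal the CA's subject DN.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# Subject/issuer of every certificate embedded in the PKCS#7 blob (the "chain").
list_chain() { openssl pkcs7 -inform PEM -in sig.p7s -print_certs -noout; }

# Classify one verification attempt: ok, a chain/trust problem, or a signature/
# digest problem (wrong signer key, or detached content that is not what was signed).
verify_status() {  # $1 = detached content to present, $2 = trusted CA file
  out=$(openssl smime -verify -binary -inform PEM -in sig.p7s -content "$1" \
          -CAfile "$2" -out /dev/null 2>&1) && { echo ok; return 0; }
  case "$out" in
    *"digest failure"*|*"signature failure"*) echo signature_error ;;
    *) echo chain_error ;;
  esac
}

# -noverify skips chain building, isolating the signature check from trust problems.
signature_only() { openssl smime -verify -binary -noverify -inform PEM -in sig.p7s \
                     -content "$1" -out /dev/null 2>/dev/null && echo ok || echo bad; }

echo "signer issued by: $(issuer_of signer.crt)"; list_chain
echo "right content, right CA: $(verify_status data.txt ca.crt)"
echo "right content, wrong CA: $(verify_status data.txt other.crt)"
echo "wrong content, right CA: $(verify_status wrong.txt ca.crt)"
echo "wrong content, no chain check: $(signature_only wrong.txt)"
```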