Hi list-admin / Bert Koster,
I keep receiving NDRs like the one attached for every mail I send to this list. Looks like someone using the email [EMAIL PROTECTED] or [EMAIL PROTECTED] has an invalid forward on his account.
If you are using this eMail maybe you should check your settings. Otherwise I'd ask for that address to be removed from the mailing list.
Ted ;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
--- Begin Message ---
The recipient is unknown

Warning, delivery failure!
This is a status message indicating that a message could not be delivered to 1 or more recipients.

Original message subject: Re: Questions about cert verification
Date received: 04-Mar-2005 10:02:44 +0100

Recipients and delivery history
[EMAIL PROTECTED]

---- Transcript of session follows ---
04-Mar-2005 10:02:44 +0100 Received via SMTP from MMX1.ENGELSCHALL.COM
04-Mar-2005 10:02:50 +0100 Forwarding from [EMAIL PROTECTED] to [EMAIL PROTECTED]
04-Mar-2005 10:03:08 +0100 [EMAIL PROTECTED] is unknown

Reporting-MTA: dns;hemelwijs.aweka.org.
Final-Recipient: rfc822;sysadm1@aweka.org
Action: failed
Status: 5.0.0 (permanent failure)

--- Begin Message ---
This is a cryptographically signed message in MIME format.

Edward Chan wrote:
I've been trying to follow the examples in "Network Security with OpenSSL". But I just don't get it. I know, I'm an idiot. Can somebody point me in the right direction with the appropriate APIs to use for doing the following:

I'm giving this a try, but I'm not very sure of myself in this area. If something sounds not plausible (or you know that it's wrong) please correct me.
I have a digital signature that I want to verify. As part of my verification, I want to
1. get the certificate information from the signature. I want to know who created the signature (so I want to look at the cert that was used to create the signature). I also want to know the root CA who signed this cert.
2. how do I get an X509* to these certs?
3. how do I verify that the root cert is that of a specific CA. For this, can I simply compare the public key in this root cert with the public key that is known for the CA of interest. Is that enough to determine identity of the root cert? Nobody else can create a self signed cert with the same public key can they?
Does this make any sense? I'm not sure if I'm explaining myself correctly, so this may seem like gibberish. If so, please let me know. And thanks for any help you can give.
Thanks,
Ed
The "digital signature" in a technical sense (like it is used in Chapter 8 of the O'Reilly book) consists of the encrypted checksum of the data. So it does not contain a certificate or even an ID of the key used to generate it. You have to know the key in advance before you can check the signature.
Applications which digitally sign data (like S/MIME) usually transfer additional information to specify the used key and its certificates. In the case of S/MIME a PKCS#7 container is used to this effect.
So you cannot verify a "naked" signature without knowing the public key. On the other hand, if you have a PKCS#7 container you can use the approach described in the book's Chapter 10 (PKCS7_verify) or use other PKCS7 APIs to extract public key and certificate from the container.
To be sure a certificate is issued by a specific CA you should use this CA's certificate as the only trusted CA in the verification process. If you don't trust the CA for issuing Sub-CA-certs you can additionally check the length of the certificate chain. This should take care of the issue in the most appropriate way.
Comparing public keys may also work, but why repeat the job that has already been done by OpenSSL in the verification process?
Hope it helps
Ted ;)
smime.p7s
Description: S/MIME Cryptographic Signature
--- End Message ---
--- End Message ---
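
The approach from the reply above (use the CA in question as the only trusted CA, and limit the chain length if sub-CAs are not acceptable), shown with the openssl command-line tool as an added example that is not part of the original thread. All names, keys, certificates and the message are constructed for the demo; it assumes OpenSSL 1.1.0 or later, where -no-CApath keeps the system trust directory out of the check.

```shell
#!/bin/sh
# Added example on constructed data: throwaway keys, certificates and message.
# Assumes the OpenSSL command-line tool, version 1.1.0 or later.
set -e
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
# Private config so results do not depend on the system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/x.cnf"

root() {   # root NAME: self-signed CA certificate NAME.pem with key NAME.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/x.cnf" \
        -extensions v3_ca -subj "/CN=$1" \
        -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}
issue() {  # issue NAME ISSUER [x509 options]: NAME.pem signed by ISSUER
    n=$1; ca=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
        -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
        -CAcreateserial -days 2 -out "$d/$n.pem" "$@" 2>/dev/null
}
sign() {   # sign SIGNER [smime options]: S/MIME (PKCS#7) message SIGNER.msg
    s=$1; shift
    openssl smime -sign -in "$d/msg.txt" -signer "$d/$s.pem" \
        -inkey "$d/$s.key" -out "$d/$s.msg" "$@" 2>/dev/null
}
verify() { # verify SIGNER CA [options]: true only if the chain ends at CA
    s=$1; ca=$2; shift 2
    # -CAfile + -no-CApath: CA.pem is the only trust anchor consulted.
    openssl smime -verify -in "$d/$s.msg" -CAfile "$d/$ca.pem" -no-CApath \
        "$@" -out /dev/null 2>/dev/null
}

echo 'constructed test message' > "$d/msg.txt"
root wanted; root other
issue alice wanted                                      # leaf issued by the CA
issue sub wanted -extfile "$d/x.cnf" -extensions v3_ca  # sub-CA of that CA
issue bob sub                                           # leaf under the sub-CA
sign alice
sign bob -certfile "$d/sub.pem"                         # include sub-CA cert

verify alice wanted && echo "alice: chain ends at the wanted CA"
verify alice other  || echo "alice: rejected when only 'other' is trusted"
verify bob wanted   && echo "bob: accepted through the sub-CA"
# -verify_depth 0 allows no intermediate CA between signer and trust anchor.
verify bob wanted -verify_depth 0 || echo "bob: rejected, sub-CA not allowed"
```

In C the same policy corresponds to passing PKCS7_verify an X509_STORE that holds only the wanted CA certificate, with the depth limit set on that store.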