Thanks once again for the help, Steve. I've gotten beyond the
segmentation fault using your suggestions. Now I'm getting the
following error on the PKCS7_verify call:

error:2106906D:PKCS7 routines:PKCS7_dataInit:unknown digest type

Once again, I suspect it's something I'm doing. Given a file
"pt2.out", which has a DER-encoded SignedData, and a file "data.out",
which has the detached data whose signature is in the SignedData
structure, the following command works:

$ openssl smime -verify -inform DER -in pt2.out -content data.out -noverify
Verification successful

Right now I'm not concerned with verifying the certs, just the
signature itself.

Here's my code, which (I think) does the same thing as the "openssl"
command above, and which gives the error I pasted above:

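#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pkcs7.h>
#include <openssl/x509.h>

int main(void)
{
  int ret;
  unsigned long err;
  FILE *fp = fopen("pt2.out","rb");      /* DER-encoded SignedData */
  BIO *Out, *In;
  PKCS7 *p7 = NULL;

  /* Load error strings so ERR_error_string() returns readable text */
  ERR_load_PKCS7_strings();
  ERR_load_X509_strings();

  if (fp==NULL)
  {
    printf("cannot open pt2.out\n");
    return -1;
  }
  p7 = d2i_PKCS7_fp(fp,NULL);
  fclose(fp);
  if (p7==NULL)
  {
    printf("NULL pkcs7\n");
    return -1;
  }

  In = BIO_new_file("data.out","rb");    /* detached content */
  Out = BIO_new_file("data2.out","wb");  /* receives the content that was verified */

  /* PKCS7_NOVERIFY: check the signature only, not the signer's certificate */
  ret = PKCS7_verify(p7,NULL,NULL,In,Out,PKCS7_NOVERIFY);
  printf("Call returned %d\n",ret);
  err = ERR_get_error();
  printf("%lu: %s\n",err,ERR_error_string(err,NULL));

  return 0;
}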


All I'm trying to do right now is verify the signature, which was
created with some crypto hardware on Windows via the CryptoAPI. It's
just a proof of concept.

Any ideas on why I'm getting the "unknown digest type" error?

Thanks in advance,
Fred


On 7/7/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 07, 2005, Fred Anderson wrote:
> 
> > Steve,
> >
> > Thanks for the reply. I was able to verify the signature using
> > "openssl smime" like you suggested, and the d2i_PKCS7_fp function is
> > returning a non-null value.
> >
> > I'm thinking now that the problem may be in the BIO structures I'm
> > creating and passing to the verify function. Here's what I have:
> >
> >   int ret;
> >   FILE *fp = fopen("pt2.out","rb");
> >   int fd = open("data.out",O_RDONLY);
> >   BIO *In, *Out;
> >   PKCS7 *p7 = NULL;
> >
> >
> >   p7 = d2i_PKCS7_fp(fp,NULL);
> >
> >   In = BIO_new_fd(fd,BIO_NOCLOSE);
> >   Out = BIO_new(BIO_s_null());
> >
> >   ret = PKCS7_verify(p7,NULL,NULL,In,Out,0);
> >   printf("Call returned %d\n",ret);
> >
> >
> > where 'fd' is a file descriptor to a file containing the data
> > (detached) for the signature I wish to verify. As the code stands, the
> > PKCS7_verify is segfaulting.
> >
> > My apologies if this is basic stuff; I'm still a beginner with OpenSSL
> > coding and having a hard time finding docs to explain the usage of the
> > calls and how the calls all tie together.
> >
> 
> You might find it easier to use:
> 
> BIO *foo = BIO_new_file("filename", "rb");
> 
> which is a BIO version of "fopen".
> 
> Also you need to include a trusted certificate store which includes the CAs
> you trust. If you include the flag PKCS7_NOVERIFY it won't try to verify the
> signers' certificates: that's not useful for anything other than debugging
> because anyone could create a PKCS#7 structure it would then verify as OK.
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
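
Added example, not part of the thread and not OpenSSL's own code: a stand-alone C routine that walks a DER-encoded SignedData like the one in "pt2.out" and returns the dotted OID of the first entry in digestAlgorithms, the value the library has to recognise before it can hash the detached data. The names tlv and first_digest_oid are hypothetical, and the sample bytes are constructed and cut off after digestAlgorithms.

```c
#include <stddef.h>
#include <stdio.h>

/* Read one DER header with tag `want` at *p, bounded by end; *p then points at the value. */
static int tlv(const unsigned char **p, const unsigned char *end, unsigned char want, size_t *len) {
    const unsigned char *q = *p;
    size_t n, k;
    if (end - q < 2 || q[0] != want) return 0;
    n = q[1]; q += 2;
    if (n & 0x80) {                       /* long form: low 7 bits count the length bytes */
        if ((k = n & 0x7f) == 0 || k > sizeof n || (size_t)(end - q) < k) return 0;
        for (n = 0; k--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return 0;  /* value must fit inside its parent */
    *p = q; *len = n;
    return 1;
}

/* Write the first digestAlgorithms OID in dotted form to out; 1 on success, 0 on bad input. */
int first_digest_oid(const unsigned char *der, size_t derlen, char *out, size_t outlen) {
    /* ContentInfo, contentType, [0], SignedData, version, digestAlgorithms, AlgorithmIdentifier */
    static const unsigned char path[] = { 0x30, 0x06, 0xA0, 0x30, 0x02, 0x31, 0x30 };
    const unsigned char *p = der, *end = der + derlen;
    size_t len, i, used;
    unsigned long arc = 0, a;
    for (i = 0; i < sizeof path; i++) {
        if (!tlv(&p, end, path[i], &len)) return 0;
        if (path[i] & 0x20) end = p + len; else p += len;  /* constructed: descend, else skip */
    }
    if (!tlv(&p, end, 0x06, &len) || len == 0 || p[0] >= 0x80) return 0;
    a = p[0] < 80 ? p[0] / 40 : 2;        /* first byte packs the first two arcs */
    used = (size_t)snprintf(out, outlen, "%lu.%lu", a, p[0] - 40 * a);
    for (i = 1; i < len && used < outlen; i++) {
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;        /* arc continues in the next byte */
        used += (size_t)snprintf(out + used, outlen - used, ".%lu", arc);
        arc = 0;
    }
    return used < outlen && !(p[len - 1] & 0x80);
}
/* Constructed sample: ContentInfo(signedData) cut off after digestAlgorithms = { sha1 }. */
static const unsigned char sample[] = {
    0x30,0x1F, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02, 0xA0,0x12, 0x30,0x10,
    0x02,0x01,0x01, 0x31,0x0B, 0x30,0x09, 0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A, 0x05,0x00 };
int main(void) {
    char oid[64];
    if (!first_digest_oid(sample, sizeof sample, oid, sizeof oid)) return 1;
    return printf("first digestAlgorithm OID: %s\n", oid) < 0;
}
```

"unknown digest type" is the reason PKCS7_dataInit reports when it cannot map such an OID to a digest implementation. OpenSSL releases of this period only know the digests registered beforehand, for example with OpenSSL_add_all_digests(), which the openssl command-line tool does at startup.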
