Hello, we use the PKCS#7 signature format; please see the attachment of my initial mail (it contains the signing certificate, the signature, the signed data and the issuer certificate) - http://marc.info/?l=openssl-users&m=125751029707705&w=1 (attachment.zip). That mail also shows the openssl calls for signature and / or certificate verification using the mentioned files.
We use the command line only for calling openssl, so we can't directly control X509_STORE. I'm afraid we can't call an unmodified openssl from the command line to verify a signature together with certificate purpose verification if the certificate includes both X509v3 Key Usage and X509v3 Extended Key Usage. There is a "Digital Signature" value in X509v3 Key Usage, so imho openssl wouldn't return the error "unsupported certificate purpose" because this certificate can be used for digital signing. Imho the issuer created this certificate correctly and this certificate can be used for digital signing.

Thank you
V. Benes

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, November 06, 2009 6:08 PM
To: openssl-users@openssl.org
Subject: Re: Certificate - if "Extended Key Usage" is defined, openssl ignore "Key Usage"

On Fri, Nov 06, 2009, Beneš Vladimír wrote:
> Hi,
>
> we have no influence on the issuer. The issuer is a standard Certification
> Authority in the Czech Republic (http://www.ica.cz/gb/). The signature is
> valid, the certificate is valid too and can be used to create a digital
> signature.
>
> So our program now verifies signatures by example 2 and example 3
> (instead of example 1): a separate signature test without the certificate test and
> a separate certificate test without the purpose test. But it is not a pure
> solution because the purpose of the certificate is not tested.
>
> The pure solution is by example 1 or example 2 + 4 (it's equal). But
> openssl reports the problem mentioned below.
>

You don't mention what kind of signature but I'd guess S/MIME using PKCS#7 or CMS. By default that is checked for the email purpose which is why you get the error. If you want an alternative purpose you can set that at the X509_STORE level or on the command line.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
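The situation the thread describes, reproduced as an added example (not part of the mail or of OpenSSL itself): a throwaway CA issues a signer certificate with keyUsage digitalSignature but an EKU that omits emailProtection, a PKCS#7 signature is made with it, and the same signature is then verified with the default S/MIME purpose check and with `-purpose any`. Names, paths and the sample data are all constructed here.

```shell
#!/bin/sh
# Constructed demo: certificate with KU=digitalSignature and EKU=clientAuth,
# which is what "unsupported certificate purpose" under the default
# (smimesign) purpose looks like, and how -purpose changes the outcome.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed demo CA and the signer certificate it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
cat > "$WORK/ext.cnf" <<'EOF'
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = clientAuth
EOF
openssl x509 -req -days 1 -in "$WORK/signer.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -out "$WORK/signer.pem" 2>/dev/null

# PKCS#7 (S/MIME) signature over constructed data, content embedded.
printf 'constructed sample data\n' > "$WORK/data.txt"
openssl smime -sign -nodetach -in "$WORK/data.txt" -signer "$WORK/signer.pem" \
    -inkey "$WORK/signer.key" -out "$WORK/signed.p7m"

# Verify the signature with any extra options given; prints "ok" or "fail"
# rather than aborting so both outcomes can be compared side by side.
verify_signature() {
    if openssl smime -verify -in "$WORK/signed.p7m" -CAfile "$WORK/ca.pem" \
        -out /dev/null "$@" 2>/dev/null; then echo ok; else echo fail; fi
}

# The same purpose check on the certificate alone, by purpose name.
verify_cert_purpose() {
    if openssl verify -CAfile "$WORK/ca.pem" -purpose "$1" \
        "$WORK/signer.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "smime -verify, default purpose: $(verify_signature)"
echo "smime -verify -purpose any:     $(verify_signature -purpose any)"
echo "verify -purpose smimesign:      $(verify_cert_purpose smimesign)"
echo "verify -purpose any:            $(verify_cert_purpose any)"
```

The default run fails only on the purpose check, not on the signature itself; `-purpose any` keeps chain and signature validation but drops the S/MIME-specific EKU requirement, so a caller that uses it should decide whether the Key Usage bits alone are an acceptable policy.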