On Sun, Mar 07, 2010, Graham Leggett wrote:

> Hi all,
>
> I am currently struggling to get to the bottom of a problem verifying a
> PKCS7 message, and before I can make any headway, I need access to the
> error message.
>
> The error message I am getting is this:
>
> "error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error"
>
> which, given it is being thrown inside the PKCS7_verify(), is the
> equivalent of "an error has occurred", without revealing what the error is.
> An error exists underneath this error, but I am unable to retrieve it.
>

Well actually it's saying it can't verify the signer's certificate as
opposed to there being a problem with the signature itself.

> I am fetching this error using the following piece of code:
>
> while ((e = ERR_get_error())) {
>     flag->error = apr_pstrcat(flag->pool, flag->error, ": ",
>                               ERR_error_string(e, NULL), NULL);
> }
>
> The above loop only executes once, meaning that only one single error is on
> the error stack (as I read it).
>
> Digging into the openssl code, I find the error is thrown in pk7_smime.c:
>
> i = X509_verify_cert(&cert_ctx);
> if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
> X509_STORE_CTX_cleanup(&cert_ctx);
> if (i <= 0) {
>     PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
>     ERR_add_error_data(2, "Verify error:",
>                        X509_verify_cert_error_string(j));
>     sk_X509_free(signers);
>     return 0;
> }
>
> From my understanding of the code above, X509_verify_cert is failing, and
> the error I am seeing is created in this code:
> "PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR)"
>
> What follows directly afterwards is a call to ERR_add_error_data(), where
> the underlying error from X509_verify_cert() is placed, and is the error
> message I am interested in.
>
> I cannot see how to retrieve this error.
>
> I can find nothing in the man page for ERR_add_error_data() that explains
> what the corresponding function is to retrieve this data afterwards, and I
> am stuck.
>
> Can anyone tell me what function I should be using to retrieve the error
> saved by ERR_add_error_data()?
>

The usual way is to call ERR_print_errors(bio) or ERR_print_errors_fp(fp)
which prints everything including the additional data.

If you want to reformat the error data manually (e.g. put times of
additional data in there) that isn't always appropriate. You can call
ERR_get_error_line_data() to retrieve that additional info. See the file
crypto/err/err_prn.c for an example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org