Hi,
I am new at using the OpenSSL APIs. Here is my situation.
I have the following set of certificates with X509 extensions defined for code
signing in PKCS#7 format.
Root CA - Key usage (critical): Certificate Sign, CRL Sign
CVC Sub-CA - Key usage (critical): Certificate Sign, CRL Sign
CVC cert - Key usage (critical): Digital Signature, Key Encipherment. Extended Key Usage (critical): Code Signing
The PKCS#7 signature includes the CVC Sub-CA and CVC certs. So when I verify the
signature using PKCS7_verify() I am getting
error: "unsupported certificate purpose".
I tried the openssl smime command line utility. It fails with the same error. The following
is the command I am using:
openssl smime -verify -CAfile Root-CA -inform PEM -in pk7blob -content data-signed
Verification failure
3420:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:231:Verify error:unsupported certificate purpose
If I use '-noverify', signature itself is verified successfully.
I am not sure why it is failing even though "Code Signing" is mentioned in Extended
Key usage.
Any help is appreciated.
Thanks,
Prkj
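
A reproduction of the failure described above, as an added example that is not part of the original post: PKCS7_verify() and `openssl smime -verify` validate the signer chain against the S/MIME signing purpose by default, and that check rejects a certificate whose Extended Key Usage is present but does not include email protection. Assumptions: the throwaway key, certificate and file names are constructed, `basicConstraints` on the two CAs is added because the post does not list it, and `-purpose any` is a standard openssl verify option the post does not mention.

```shell
#!/usr/bin/env bash
# Added example: throwaway PKI; every name and file below is constructed.
W=$(mktemp -d)

build_chain() (
  cd "$W" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[cvc]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, codeSigning
EOF
  for n in root sub cvc; do
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=Constructed $n" -keyout $n.key -out $n.csr 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile pki.cnf -extensions ca -out root.pem 2>/dev/null &&
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions ca -out sub.pem 2>/dev/null &&
  openssl x509 -req -in cvc.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions cvc -out cvc.pem 2>/dev/null &&
  printf 'constructed payload\n' > data-signed &&
  # Detached PKCS#7 carrying the signer and Sub-CA certs, as in the post.
  openssl smime -sign -binary -in data-signed -signer cvc.pem -inkey cvc.key \
    -certfile sub.pem -outform PEM -out pk7blob
)

# $1 is an optional extra verify option, e.g. "-purpose any".
verify() (
  cd "$W" || exit 1
  openssl smime -verify -binary $1 -CAfile root.pem -inform PEM \
    -in pk7blob -content data-signed -out /dev/null 2>&1
)

build_chain || echo "chain build failed"
verify ""             | grep -i "purpose"       # default smime_sign purpose: rejected
verify "-purpose any" | grep -i "verification"  # EKU purpose check skipped: accepted
```

With `-purpose any` the chain, the critical key usage bits and the signature are still verified; only the S/MIME-specific Extended Key Usage test is dropped, so a code-signing verifier should check for the Code Signing EKU on the signer itself.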