Thanks for the quick response. Adding -purpose any surely works.

I had to change my code to get the certs from the PKCS7 structure, create an X509 store context and set the purpose to X509_PURPOSE_ANY. This approach works. But I was wondering if it is a problem with the certificates or with the openssl API itself. Currently the openssl version I am using is 0.9.8g. I remember it was working with 0.9.7. Or it never checked, or ignored, the purpose.

Thanks for your help.

Prkj

> Date: Thu, 10 Mar 2011 22:05:03 +0100
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Question regarding PKCS7_verify
>
> On Thu, Mar 10, 2011, prk j wrote:
>
> > Hi,
> >
> > I am new to using the openssl APIs. Here is my situation.
> >
> > I have the following set of certificates with X509 extensions defined for code
> > signing in PKCS#7 format.
> >
> > Root CA - Key usage (critical): Certificate Sign, CRL Sign
> > CVC Sub-CA - Key usage (critical): Certificate Sign, CRL Sign
> > CVC cert - Key usage (critical): Digital Signature, Key Encipherment.
> >            Extended Key Usage (critical): Code Signing
> >
> > The PKCS#7 signature includes the CVC Sub-CA and CVC certs. So when I verify the
> > signature using PKCS7_verify() I am getting the
> > error: "unsupported certificate purpose".
> >
> > I tried the openssl smime command line utility. It fails with the same error.
> > The following is the command I am using:
> >
> > openssl smime -verify -CAfile Root-CA -inform PEM -in pk7blob -content data-signed
> > Verification failure
> > 3420:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:231:Verify error:unsupported certificate purpose
> >
> > If I use '-noverify', the signature itself is verified successfully.
> >
> > I am not sure why it is failing even though "Code Signing" is mentioned in the
> > Extended Key Usage.
> >
> > Any help is appreciated.
> >
>
> It is failing because the smime utility by default checks for email signing and
> the extended key usage is critical and doesn't support that.
>
> See if adding -purpose any to the command line helps.
>
> Steve.
>
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
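The behaviour discussed in this thread, reproduced end to end as an added example (this is not code from the thread, from the poster, or from the OpenSSL project): it builds a throwaway Root CA / CVC Sub-CA / CVC leaf chain carrying the extensions the question lists, makes a detached PEM-encoded PKCS#7 signature over a constructed payload, runs the poster's verification command with the default purpose (which fails with "unsupported certificate purpose"), runs it again with Steve's -purpose any, shows the same check in isolation through openssl verify -purpose, and finishes with the EKU inspection an application has to do itself once the built-in purpose check is switched off. It assumes an openssl 1.1.1 or 3.x command-line tool on PATH; every file name, subject name and the payload are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the "unsupported
# certificate purpose" failure with a made-up chain shaped like the poster's,
# then shows what -purpose any changes. Assumes openssl 1.1.1+ on PATH.
set -eu

# Root CA -> CVC Sub-CA -> CVC leaf with the extensions from the question:
# CA certs keyUsage critical keyCertSign,cRLSign; leaf keyUsage critical
# digitalSignature,keyEncipherment plus critical EKU codeSigning.
make_chain() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
EOF
    for n in root sub leaf; do
        openssl genrsa -out "$1/$n.key" 2048 2>/dev/null
    done
    openssl req -new -x509 -key "$1/root.key" -subj "/CN=Root CA" -days 30 \
        -config "$1/ext.cnf" -extensions ca_ext -out "$1/root.pem"
    openssl req -new -key "$1/sub.key" -subj "/CN=CVC Sub-CA" \
        -config "$1/ext.cnf" -out "$1/sub.csr"
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions ca_ext \
        -out "$1/sub.pem" 2>/dev/null
    openssl req -new -key "$1/leaf.key" -subj "/CN=CVC cert" \
        -config "$1/ext.cnf" -out "$1/leaf.csr"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/sub.pem" -CAkey "$1/sub.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions leaf_ext \
        -out "$1/leaf.pem" 2>/dev/null
}

# Detached, PEM-encoded PKCS#7 signature over a constructed payload, with the
# Sub-CA included in the SignedData certificates as in the question.
sign_payload() {
    printf 'constructed payload, not real signed content\n' > "$1/data.txt"
    openssl smime -sign -binary -in "$1/data.txt" -signer "$1/leaf.pem" \
        -inkey "$1/leaf.key" -certfile "$1/sub.pem" -outform PEM -out "$1/sig.p7s"
}

# The poster's command. PKCS7_verify defaults to the smimesign purpose, so a
# signer whose EKU does not allow S/MIME is rejected during chain validation.
# Returns 0 only when exactly that error is observed.
verify_default_purpose_fails() {
    if openssl smime -verify -binary -inform PEM -in "$1/sig.p7s" \
        -content "$1/data.txt" -CAfile "$1/root.pem" -out /dev/null \
        2>"$1/err.txt"; then
        return 1
    fi
    grep -q 'unsupported certificate purpose' "$1/err.txt"
}

# Same command with Steve's suggestion. Chain building, signatures, validity
# period and CA constraints are still checked; only purpose matching is skipped.
verify_with_purpose_any() {
    openssl smime -verify -binary -inform PEM -in "$1/sig.p7s" \
        -content "$1/data.txt" -CAfile "$1/root.pem" -purpose any \
        -out /dev/null 2>/dev/null
}

# The underlying check in isolation: openssl verify with an explicit purpose
# ($2 is e.g. smimesign or any).
chain_verifies_for_purpose() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" \
        -purpose "$2" "$1/leaf.pem" >/dev/null 2>&1
}

# What a code-signing consumer still has to do itself once the purpose check
# is off: confirm the signer's EKU really contains Code Signing.
signer_has_code_signing_eku() {
    openssl x509 -in "$1/leaf.pem" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'Code Signing'
}

main() {
    work=$(mktemp -d)
    make_chain "$work"
    sign_payload "$work"
    verify_default_purpose_fails "$work" \
        && echo "default purpose: unsupported certificate purpose (as in the thread)"
    verify_with_purpose_any "$work" && echo "-purpose any: verification successful"
    chain_verifies_for_purpose "$work" smimesign \
        || echo "openssl verify -purpose smimesign: rejected"
    chain_verifies_for_purpose "$work" any && echo "openssl verify -purpose any: OK"
    signer_has_code_signing_eku "$work" && echo "signer EKU contains Code Signing"
    rm -rf "$work"
}

main
```

The C-API equivalent of -purpose any is to call X509_STORE_set_purpose(store, X509_PURPOSE_ANY) on the store handed to PKCS7_verify (or X509_VERIFY_PARAM_set_purpose on its verify parameters), which is what the poster did on the store context. Note what that buys and what it does not: the chain is still validated against the trusted root, but nothing any longer checks that the signer was entitled to sign code, so the application must inspect the signer's extended key usage itself, for instance with X509_get_extended_key_usage(signer) & XKU_CODE_SIGN on OpenSSL 1.1.0 or later, before it trusts the signature for that use.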