On Fri, May 06, 2011, Stef Hoeben wrote:

> Hi,
>
> > CMS_verify() works fine if you have the signer cert, but now we have
> > a CMS file for which only the (trusted) signer public key is available.
> >
> > Q: is there a high level function like CMS_verify() that works with a
> > public key?
> >
> > If not: what would be the best alternative for us?
> > - Rewrite the CMS_verify() function to use public keys?
> > - Create a cert (with fake signature) with the public key?
>
> In case someone should have to do the same: below is the code
> to make a fake cert (if only 1 signerInfo is present).
> After that you can call CMS_Verify() with flags = CMS_NO_SIGNER_CERT_VERIFY.
>
> There's another catch: CMS_verify() changes the CMS_ContentInfo struct
> in the sense the signer cert is added if it's not already present,
> so subsequent CMS_verify() calls will keep using the added cert.
> Don't know if that's intentional, but in our case, where we read
> candidate certs/pubkeys from disk and try them one by one, we had
> to work around this.
>
If the CMS structure is using public keys without certificates then it
presumably has some way of matching the public key to a key identifier:
AFAIK there is no standard way to do this though. If so that would be a
more efficient way of handling it rather than trial and error.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org