Hi,
with PKCS7_verify() you can provide a list of certificates which OpenSSL can
use to build and verify the chain. Either within the PKCS7 *p7 or with
STACK_OF(X509) *certs.
Is there some way to figure out which certificates in p7/certs are used (or not
used) to verify the chain?
Regards
Thank you very much, it worked
Dikarev Evgeniy
On 28.5.2014 2:47:12, user Dave Thompson (dthomp...@prinpay.com) wrote:
The third arg of PKCS7_verify (indata) should only be used for an ‘external’
or ‘detached’ signature
Dave,
As far as I know, the PKCS7_BINARY flag is used to prevent binary data from
being translated to MIME format. It always leads to data corruption. I advise
using this flag when binary data is to be signed.
2014-05-28 2:39 GMT+04:00 Dave Thompson :
> The third arg of PKCS7_verify (indata) sho
The third arg of PKCS7_verify (indata) should only be used for an ‘external’ or
‘detached’ signature
where the PKCS#7 does not contain the data. In your case it should be null.
Also note that the _BINARY flag isn’t actually used for “plain” PKCS#7, only
for SMIME.
And I don’t think it
Hey, guys.
I have a small problem when using PKCS7_sign and PKCS7_verify. The signature
is not verified in the example, but it is verified when using openssl on the
command line. What am I doing wrong?
Code is attached.
Dikarev Evgeniy
Hi,
I am using dmalloc and "#define LEVITTE" to clean up my C code.
It reveals, that PKCS7_verify() allocates a lot of memory chunks, which are not
freed:
I tracked it down to the two functions
-> X509_STORE_CTX_set_default()
-> X509_verify_cert()
All the variables are f
Ok. Thanks for the clarification. I went over the code again and I now see
why it's failing. The calculated messagedigest doesn't match the
messagedigest in the signature. It seems OpenSSL peels off only the [0]
EXPLICIT tag of ContentInfo.content but leaves the type & length field on the
inner c
On Mon, Aug 15, 2011, Chang Lee wrote:
> I appreciate the timely response. So it is as I suspected then.
> PKSC_signatureVerify() is not digesting all of the authenticated attribute
> value SET, only the messagedigest. Will this be scheduled to be fixed?
>
No it is digesting the whole SET. Th
etc...
It just needs to be interpreted as an OCTET STRING.
-Chang
On Mon, Aug 15, 2011 at 12:27 PM, Dr. Stephen Henson wrote:
> On Mon, Aug 15, 2011, Chang Lee wrote:
>
> > Has anyone been able to use PKCS7_verify(...) to verify a SignedData
> > signature with authenticated
On Mon, Aug 15, 2011, Chang Lee wrote:
> Has anyone been able to use PKCS7_verify(...) to verify a SignedData
> signature with authenticated attributes? I've looked through the code and
> it seems PKCS7_signatureVerify() checks for the existence of authenticated
> att
Has anyone been able to use PKCS7_verify(...) to verify a SignedData
signature with authenticated attributes? I've looked through the code and
it seems PKCS7_signatureVerify() checks for the existence of authenticated
attributes and calls PKCS7_digest_from_attributes() which, along wit
..@hotmail.com
To: openssl-users@openssl.org
Subject: RE: Question regarding PKCS7_verify
Date: Thu, 10 Mar 2011 13:49:08 -0800
Thanks for quick response.
Adding -purpose any surely works.
I had to change my code to get certs from PKCS7 structure and create X509 store
context and set purpose.
Currently openssl version I am using is 0.9.8g.
I remember it was working with 0.9.7. Or it never checked or ignored purpose.
Thanks for your help.
Prkj
> Date: Thu, 10 Mar 2011 22:05:03 +0100
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Question regarding
gn, CRL Sign
> CVC Sub- CA - Key usage (critical): Certificate Sign, CRL Sign
> CVC cert - Key usage (critical): Digital Signature, Key Encipherment.
> Extended Key Usage (critical): Code Signing
>
> PKCS#7 signature includes CVC Sub-CA and CVC certs. So when I verify the
> si
cert - Key usage (critical): Digital Signature, Key Encipherment. Extended
Key Usage (critical): Code Signing
PKCS#7 signature includes CVC Sub-CA and CVC certs. So when I verify the
signature using PKCS7_verify() I am getting
error: "unsupported certificate purpose".
I tried openss
error:certificate has expired
>
> The error message is correct - the certificate has expired - but - the
> certificate was valid when the message was originally signed.
>
> Is there a specific way I should format the effective date of the PKCS7
> smime message, so that PKCS7_veri
certificate has expired - but - the
certificate was valid when the message was originally signed.
Is there a specific way I should format the effective date of the
PKCS7 smime message, so that PKCS7_verify() will say "on the date this
message was signed, the attached certs were valid"
On 07 Mar 2010, at 12:13 AM, Graham Leggett wrote:
Can anyone tell me what function I should be using to retrieve the
error saved by ERR_add_error_data()?
After some reverse engineering, it turns out ERR_get_error_line_data()
does the trick. It was the file and line parameters that threw me
> "error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error"
>
> which, given it is being thrown inside the PKCS7_verify(), is the
> equivalent of "an error has occurred", without revealing what the error is.
> An error exists underneath this error, but
ich, given it is being thrown inside the PKCS7_verify(), is the
equivalent of "an error has occurred", without revealing what the
error is. An error exists underneath this error, but I am unable to
retrieve it.
I am fetching this error using the following piece of code
I got it !
thank you very much for your reply
(what a response time ! ;)
very best,
Valéry.
--
View this message in context:
http://www.nabble.com/PKCS7_verify-mystery-%3A%29-tf1999114.html#a546
Sent from the OpenSSL - User forum at Nabble.com
On Tue, Jul 25, 2006, euhmoins (sent by Nabble.com) wrote:
>
>
> "We now have to 'read' from p7bio to calculate digests etc." -> Why so ?
>
> Why do we have to read the content of BIO *p7bio and write it to BIO *tmpout
> to get PKCS7_signatureVerify to work properly ?
>
> I hope you can unde
Hello !
1/ I've read the FAQs and did not find an answer to my question
2/ thanks for reading this ;)
As I was taking a walk through the "pk7_mime.c" code,
I stepped against a piece of code I couldn't really understand,
actually not the code itself, but its purpose.
ever, when a X509_STORE_CTX structure is
> initialized from the same X509_STORE (like in PKCS7_verify), only the
> flags are propagated
> not the time value itself. Is this a bug, or am I missing something?
There isn't an X509_STORE_set_time() function. Do you mean the verify param
function
X509_STORE (like in PKCS7_verify), only the
flags are propagated
not the time value itself. Is this a bug, or am I missing something?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
On Thursday 13 April 2006 22:26 pm, Dr. Stephen Henson wrote:
> On Thu, Apr 13, 2006, Brad Hards wrote:
> > I'm trying to do detached CMS signatures and verification using the
> > PKCS7_sign() and PKCS7_verify() functions. It appears to work OK, except
> > that my test ca
On Thu, Apr 13, 2006, Brad Hards wrote:
> I'm trying to do detached CMS signatures and verification using the
> PKCS7_sign() and PKCS7_verify() functions. It appears to work OK, except that
> my test case for a zero length array fails to verify() - looks like the
> signa
I'm trying to do detached CMS signatures and verification using the
PKCS7_sign() and PKCS7_verify() functions. It appears to work OK, except that
my test case for a zero length array fails to verify() - looks like the
signature is OK though.
The documentation suggests that PKCS7_verify()
Hi,
Thanks for the reply.
I want to perform only a CRL check and not a chain verification. My CRL is
present in the store parameter. I have set the flag for CRL_CHECK for the
store parameter.
May I know the flag that needs to be set for the
int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs
below:
>
> int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
> *indata, BIO *out, int flags);
>
> Does the method PKCS7_verify verify the certificates in 'certs' against the
> CRLs present in the 'store'?
>
If the crl checking flags are set
Hi
I have the PKCS7 object signed by a certificate. The certificate is revoked
and I have the corresponding CRL. I have the certificate in the certs
variable and the CRL in the store variable. I am using the method below:
int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
On Fri, Jan 07, 2005, Perry L. Jones wrote:
> I have some code that is using PKCS7_verify and SMIME_write_PKCS7 and
> on large files these functions are noticeably slow. I have looked
> through the openssl code and see that these functions are only reading
> and writing from arr
I have some code that is using PKCS7_verify and SMIME_write_PKCS7 and
on large files these functions are noticeably slow. I have looked
through the openssl code and see that these functions are only reading
and writing from arrays that are only 4096 bytes in size. I need to
speed up these
Hi all
Has anyone used pkcs7_sign and pkcs7_verify to sign and verify files?
If yes, could you give me a sample of how it works?
Thank you
Charles Chebli
Computer Science and Telecom Engineer;
Address: 212, Rue de Tolbiac, Paris 75013
Mobile: 0677703467
CC
Hi
Can someone tell me how to lay out the result of the
pkcs7_verify function, I mean the content of the bio out.
I'm also wondering if I can put all my CA certificates
and CRLs in the same directory and how to access it
for verifying a pkcs7 object with create_store().
Thanks
Hi.
We have a database in which we store certificates for our collaborating peers.
This allows us to quite efficiently retrieve peer certificates based on
issuer and serial number, and we have implemented a X509_LOOKUP_METHOD to
do this. The idea was that PKCS7_verify would drive this
38 matches