Hi,
I'm Emanuele Aonzo from Italy and I have a problem with signature
verification. The signed document is a PKCS#7 and I've tried to verify its
signature. The result was INVALID_PURPOSE because the signer certificate
doesn't have the "S/MIME signing" purpose. I need to sign with this kind of
certificate and I can't disable this check, because if I set the
PKCS7_NOCHAIN flag the verification is OK but I can't verify the cert chain.

I'd like a separation of chain verification and purpose verification.

This is the OpenSSL code:

        if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
                signer = sk_X509_value (signers, k);
                if (!(flags & PKCS7_NOCHAIN)) {
                        if(!X509_STORE_CTX_init(&cert_ctx, store, signer,
                                                        p7->d.sign->cert))
                                {
                                PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
                                sk_X509_free(signers);
                                return 0;
                                }
                        X509_STORE_CTX_set_purpose(&cert_ctx,
                                                X509_PURPOSE_SMIME_SIGN);
                } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
                        PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
                        sk_X509_free(signers);
                        return 0;
                }

Thank you
 
regards,
Emanuele Aonzo 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]