Hi,

I received an S/MIME signed email but I had a problem verifying the
signature.  What I got was 3 certificates in the chain, but it
didn't look for the certificate in my CApath.

The order of the certs as shown by pkcs7 -print_certs was:
2
3
1

Where 1 was the end user certificate, 2 is an intermediate
CA and 3 is one in my CApath but isn't a self-signed certificate
but issued by another certificate.

The problem now is that it's trying to find the issuer of
certificate 3 which is not in my CApath and then fails with this
message:
139720205891240:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:unable to get local issuer certificate

When only certificates 2 and 1 are sent, the verification is
successful because it's now trying to find the issuer of 2, being
3, and does find that in my CApath.

I assume this would also work if the 3rd certificate was a
self-signed version instead of something that was signed by someone
else.  The issuer would then be itself and it would look that up.

Wouldn't it make sense to check that any of the certificates that
are sent are in the CApath rather than just the issuer of the
last one in the chain?


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
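
An added example, not part of the original message and not OpenSSL's code: a small model of the two lookup strategies the message contrasts, run over the three cases it describes. The certificate names, the Cert type and the verify() helper are hypothetical, and no signatures are checked.

```python
from collections import namedtuple

# Constructed stand-ins for certificates: only the names matter in this model.
Cert = namedtuple("Cert", "subject issuer")
CERT1 = Cert("End User 1", "Intermediate CA 2")   # signer's certificate
CERT2 = Cert("Intermediate CA 2", "CA 3")         # intermediate CA
CERT3 = Cert("CA 3", "Upstream Root")             # in CApath, not self-signed
CA_PATH = [CERT3]                                 # Upstream Root itself is absent
FAIL = "unable to get local issuer certificate"

def issuer_in(cert, pool, seen=()):
    """Return the certificate in pool whose subject is cert's issuer, or None."""
    return next((c for c in pool if c.subject == cert.issuer and c not in seen), None)

def verify(leaf, sent, store, accept_sent_in_store=False):
    """Hypothetical model returning (ok, chain, error).

    Default: chain through the sent certificates, then look in the store
    only for the issuer of the last one (the behaviour the message reports).
    accept_sent_in_store=True: stop at the first chain member that is itself
    in the store (the behaviour the message proposes)."""
    chain = [leaf]
    while True:
        cur = chain[-1]
        if accept_sent_in_store and cur in store:
            return True, chain, None
        nxt = None if cur.subject == cur.issuer else issuer_in(cur, sent, chain)
        if nxt is None:
            break
        chain.append(nxt)
    anchor = issuer_in(chain[-1], store)
    if anchor is None:
        return False, chain, FAIL
    return True, chain + ([] if anchor == chain[-1] else [anchor]), None

def demo():
    """Run the three cases; returns {label: (ok, subjects, error)}."""
    cases = {
        "sent 2,3,1": verify(CERT1, [CERT2, CERT3, CERT1], CA_PATH),
        "sent 2,1": verify(CERT1, [CERT2, CERT1], CA_PATH),
        "sent 2,3,1, proposed": verify(CERT1, [CERT2, CERT3, CERT1], CA_PATH, True),
    }
    return {k: (ok, [c.subject for c in ch], err) for k, (ok, ch, err) in cases.items()}

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

OpenSSL 1.0.2 and later provide a -partial_chain verification option (X509_V_FLAG_PARTIAL_CHAIN) that lets a non-self-signed certificate in the trust store act as a trust anchor.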
