On Tue, May 28, 2002 at 11:15:47PM -0700, Bob Steele wrote:
> A year ago I wrote some code to verify a PKCS7 signature. At the time
> that I wrote it, I believe it worked - the signature would verify. But
> when I run it now, it fails. A newer (current) version of this code,
> using a newer version of the OpenSSL library is also failing, but in a
> different way.
>
> The errors I get with the year-old code resemble this:
>
> depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
> verify error:num=20:unable to get local issuer certificate
> verify return:1
Here the verification fails, but obviously your callback overrides the
verification failure and returns 1 (success). Read the SSL_CTX_set_verify
manual page for details about the verify_callback function. Read the
"verify" manual page for an explanation of what this error message means.

> depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
> verify error:num=27:certificate not trusted
> verify return:1

Another verification failure, see above.

> depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert [EMAIL PROTECTED]
> verify error:num=10:Certificate has expired
> verify return:1

And another failure.

> depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert [EMAIL PROTECTED]
> verify return:1
>
>
> The error I get with the new code is this:
>
> 696:error:2106B00B:PKCS7 routines:PKCS7_dataVerify:X509 lib:.\crypto\pkcs7\pk7_doit.c:684:

See below.

> For your quick & easy reference, the relevant line is below, indicated
> with >>>>>
>
> \crypto\pkcs7\pk7_doit.c:
> =========================
>
>         /* were we able to find the cert in passed to us */
>         if (x509 == NULL)
>                 {
>                 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_CERTIFICATE);
>                 goto err;
>                 }
>
>         /* Lets verify */
>         X509_STORE_CTX_init(ctx,cert_store,x509,cert);
>         X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
>         i=X509_verify_cert(ctx);
>         if (i <= 0)
>                 {
> >>>>>           PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);

Obviously, X509_verify_cert() failed this time; probably there was no
callback function installed catching the verification failures.
You must use a verify_callback to learn about the details of the failure.
But well, you probably already know them from the discussion above.

Best regards,
        Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]