Dr. Henson,

Thank you for your response and suggestion. I know the 1st email I sent was a bit too long, but buried in the code I included in the first post was the PKCS7_verify() call (shortened code is attached).

I think the problem I may be having lies in the fact that I'm not getting a certificate from the other product's interface, but only a public key. As you know, PKCS7_verify requires a STACKOF certs and a cert store setup. I think I was able to set up the stack and cert store correctly, but am concerned my approach to setting up the cert itself is incorrect.

To be brief, when I've used the function X509_set_pubkey(X509*, EVP_PKEY*) in creating a new certificate, it has been to assign the public key complement of the argument EVP_PKEY private key to the certificate. Is there a way to assign a public key to a certificate as is, or does X509_set_pubkey know the difference between a public and private key?

Thank you again for your time. The support on this list is remarkable.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
> Sent: Wednesday, April 13, 2005 5:55 PM
> To: openssl-users@openssl.org
> Subject: Re: PKCS7 verification using a public key.
>
> On Wed, Apr 13, 2005, Glenn Bullock wrote:
>
> > Gentlemen (et al ;),
> >
> > I am trying to verify a pkcs7 based signature generated by the Crypto win32 libraries and am having limited success. Limited, I write, since I am able to successfully call d2i_PKCS7, PKCS7_type_is_signed (yes), and PKCS7_type_is_enveloped (no) on the signature.
> >
> > The problem (I believe) I'm facing is that the existing interface to the product with which I am attempting to integrate supplies me with a public key, and not an entire certificate. When I attempt to verify it I get errors such as the following:
> >
> > SSL Error (67567722): "error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01" occurred in filename: rsa_pk1.c, linenum 100.
> > SSL Error (67530866): "error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed" occurred in filename: rsa_eay.c, linenum 541.
> > SSL Error (554111081): "error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure" occurred in filename: pk7_doit.c, linenum 834.
> > SSL Error (554127465): "error:21075069:PKCS7 routines:PKCS7_verify:signature failure" occurred in filename: pk7_smime.c, linenum 265.
> >
> > ... which, if I'm not mistaken, say: "It doesn't verify."
> >
> > Here is the code I am using to set up the cert store / stack in order to call PKCS7_verify. Please could you take a gander to see if there's anything obvious I am doing wrong, or should one occur, suggest a more reasonable, intelligent approach to verifying with a public key.
> >
> > Thank you very much.
> >
> [stuff deleted]
>
> You should try PKCS7_verify(). You can try this on the command line first with:
>
> openssl smime -verify -inform DER -in p7file.der
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

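// Parse the DER-encoded signature before anything reads from it.
// (p points at the signature bytes; its declaration is not in the shortened code.)
d2i_PKCS7(&pkcs7Signature, &p, signatureBuff.size());

// Build a placeholder certificate around the bare public key.
m_certificate = X509_new();
X509_set_pubkey(m_certificate, m_publicKey);

// Copy issuer and serial from the first SignerInfo so that the
// signer lookup inside PKCS7_verify() matches this certificate.
STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(pkcs7Signature);
PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
PKCS7_ISSUER_AND_SERIAL *ias = si->issuer_and_serial;
X509_set_issuer_name(m_certificate, ias->issuer);
X509_set_serialNumber(m_certificate, ias->serial);

// Certificate stack and store expected by PKCS7_verify().
m_certStack = sk_X509_new_null();
sk_X509_push(m_certStack, m_certificate);
m_certStore = X509_STORE_new();
X509_STORE_add_cert(m_certStore, m_certificate);

// Read-only memory BIO over the signed document.
BIO* trkBIO = BIO_new_mem_buf((void*)&*document.begin(), document.size());
BIO_set_close(trkBIO, BIO_NOCLOSE);

// PKCS7_NOVERIFY skips verification of the signer's certificate;
// the signature itself is still checked.
if (PKCS7_verify(pkcs7Signature, m_certStack, m_certStore, trkBIO, NULL, PKCS7_NOVERIFY) > 0)
{
    // Yeah!
}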
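
The first error in the quoted stack, "block type is not 01", is reported when the block recovered by the RSA public-key operation does not begin with PKCS#1 type 1 padding; a public key that does not match the signing key is one way to get it. The following is an added illustration, not part of the original post and not OpenSSL code: a toy RSA with constructed Mersenne-prime keys (far too small for real use), a constructed payload standing in for the DigestInfo, and hypothetical helper names.

```python
E = 65537  # public exponent shared by both constructed keys

def make_key(p, q):
    """Return (modulus, private exponent) for primes p and q."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+

def pad_type1(payload, k):
    """Build the k-byte block 00 01 FF..FF 00 payload (at least 8 FF bytes)."""
    ps = b"\xff" * (k - 3 - len(payload))
    if len(ps) < 8:
        raise ValueError("payload too long for modulus")
    return b"\x00\x01" + ps + b"\x00" + payload

def check_type1(block):
    """Check type 1 padding; return (payload, status)."""
    if block[0:2] != b"\x00\x01":
        return None, "block type is not 01"
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i == len(block) or block[i] != 0x00:
        return None, "bad padding"
    return block[i + 1:], "ok"

def sign(payload, n, d):
    """Pad the payload and apply the private-key operation."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pad_type1(payload, k), "big"), d, n)

def public_decrypt(sig, n):
    """Apply the public-key operation and return the recovered block."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, E, n).to_bytes(k, "big")

# Constructed keys: the signer's key and an unrelated key with a larger modulus.
SIGNER_N, SIGNER_D = make_key(2**107 - 1, 2**61 - 1)
OTHER_N, _ = make_key(2**127 - 1, 2**89 - 1)
PAYLOAD = b"digest-ab"  # constructed stand-in for a DigestInfo

def demo():
    """Verify one signature with the matching key and with the unrelated key."""
    sig = sign(PAYLOAD, SIGNER_N, SIGNER_D)
    good = check_type1(public_decrypt(sig, SIGNER_N))
    bad = check_type1(public_decrypt(sig, OTHER_N))
    return good, bad

if __name__ == "__main__":
    print(demo())
```

With the matching key the padding parses and the payload comes back; with the unrelated key the recovered block is effectively random bytes, so the padding check rejects it before any digest comparison takes place.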