Hi all,

I am currently struggling to get to the bottom of a problem verifying a PKCS7 message, and before I can make any headway, I need access to the error message.

The error message I am getting is this:

"error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error"

which, given it is being thrown inside the PKCS7_verify(), is the equivalent of "an error has occurred", without revealing what the error is. An error exists underneath this error, but I am unable to retrieve it.

I am fetching this error using the following piece of code:

        while ((e = ERR_get_error())) {
            flag->error = apr_pstrcat(flag->pool, flag->error, ": ",
                    ERR_error_string(e, NULL), NULL);
        }

The above loop only executes once, meaning that only one single error is on the error stack (as I read it).

Digging into the openssl code, I find the error is thrown in pk7_smime.c:

                i = X509_verify_cert(&cert_ctx);
                if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
                X509_STORE_CTX_cleanup(&cert_ctx);
                if (i <= 0) {
                        PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
                        ERR_add_error_data(2, "Verify error:",
                                         X509_verify_cert_error_string(j));
                        sk_X509_free(signers);
                        return 0;
                }

From my understanding of the code above, X509_verify_cert is failing, and the error I am seeing is created in this code: "PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR)"

What follows directly afterwards is a call to ERR_add_error_data(), where the underlying error from X509_verify_cert() is placed, and is the error message I am interested in.

I cannot see how to retrieve this error.

I can find nothing in the man page for ERR_add_error_data() that explains what the corresponding function is to retrieve this data afterwards, and I am stuck.

Can anyone tell me what function I should be using to retrieve the error saved by ERR_add_error_data()?

Regards,
Graham
--

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org