
Smime utility meets "unsupported certificate purpose" problem


刘伟

May 9, 2012, 11:26:00 PM

Hi,

I meet an "unsupported certificate purpose" error when using the smime utility; the signed file is produced by an iOS device, and the cert is issued by the MS cert addon.

My openssl version is OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008.

Below are my troubleshooting details. Please check and give some suggestions, thanks a lot!

Signature verification failed. It seems the cert chain verification passed; the only problem is the purpose problem.

# openssl smime -verify -inform DER -in second_profile_post.der
Verification failure
8480:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:245:Verify error:unable to get local issuer certificate

# openssl smime -verify -inform DER -in second_profile_post.der -CAfile good.pem
Verification failure
8479:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:245:Verify error:unsupported certificate purpose

Get cert info using pkcs7 utility, please check the x509 v3 extensions

==============================================

# openssl pkcs7 -inform DER -in second_profile_post.der -print_certs -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:2e:11:7e:00:00:00:00:00:0f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=goodtest, CN=iOSEnrollment
        Validity
            Not Before: May  8 08:36:01 2012 GMT
            Not After : May  8 08:36:01 2014 GMT
        Subject: O=Example, Inc., CN=User Device Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                ......
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                C9:52:F5:71:BB:59:69:BE:E5:0A:64:1D:38:40:F0:C7:BF:FB:0E:42
            X509v3 Authority Key Identifier:
                keyid:FE:F4:50:09:DD:C1:C6:DD:F3:55:5E:05:2A:90:01:B2:FA:38:1D:A3

            X509v3 CRL Distribution Points:
                ......
            Authority Information Access:
                ......
            1.3.6.1.4.1.311.20.2:
                .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2

Detailed purpose info from X509 utility:

####################### Below is the purpose info from the cert imported from previous command

# openssl x509 -purpose -in goodcert.pem -noout
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

Dr. Stephen Henson

May 10, 2012, 7:19:55 AM

On Thu, May 10, 2012, 刘伟 wrote:

> Hi,
>
> I meet a "unsupported certificate purpose" when using smime utility; the
> signed file is produced by iOS device, the cert is issued by
> MS cert addon.
>
> X509v3 Extended Key Usage:
>
> 1.3.6.1.5.5.8.2.2
>

The EXTKU extension above is the problem: it should either be omitted or
contain the email protection usage for S/MIME signing.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
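
The rule from Steve's reply, applied to the extension dump posted in this thread, as an added example (not part of the original thread and not OpenSSL's own code). It is a simplified model covering only the Extended Key Usage rule and the Key Usage bits of an end-entity signer; `parse_extensions` and `smime_signing_ok` are names made up for this sketch.

```python
import re

# Names OpenSSL prints for id-kp-emailProtection, plus its dotted OID.
EMAIL_PROTECTION = {"E-mail Protection", "emailProtection", "1.3.6.1.5.5.7.3.4"}
SIGNING_KEY_USAGE = {"Digital Signature", "Non Repudiation"}

# Extension lines copied from the certificate dump in this thread (trimmed).
SAMPLE = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2
"""

# An extension header is a line ending in ":" or ": critical".
HEADER = re.compile(r"^(.+?):( critical)?$")

def parse_extensions(text):
    """Map each extension name in `openssl x509 -text` output to its values."""
    exts, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate the blank lines mail archives insert
        match = HEADER.match(line)
        if match:
            name = match.group(1)
            exts[name] = []
        elif name is not None:
            exts[name].extend(v.strip() for v in line.split(","))
    return exts

def smime_signing_ok(exts):
    """Return (ok, reason) for an end-entity certificate used to sign S/MIME."""
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and not EMAIL_PROTECTION & set(eku):
        return False, "EKU present without email protection: " + ", ".join(eku)
    key_usage = exts.get("X509v3 Key Usage")
    if key_usage is not None and not SIGNING_KEY_USAGE & set(key_usage):
        return False, "Key Usage allows neither digitalSignature nor nonRepudiation"
    return True, "no extension rules out S/MIME signing"

if __name__ == "__main__":
    print(smime_signing_ok(parse_extensions(SAMPLE)))
```

The same functions accept the full text printed by `openssl x509 -text -noout`, so a certificate template can be checked before it is deployed to devices.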
