
Problem with PKCS7 verify


Dr S N Henson
Dec 31, 2001, 1:38:04 PM
Frank Geck wrote:
>
> Steve,
> Thanks. How did I " tells it to ignore verify errors.."? Did not due
> that on purpose to my understanding.
>

Well there's a tendency to copy some of the verify callback examples in
various files from OpenSSL. These are largely there for debugging
purposes and to give more information about errors. These will typically
return 1 in some or all circumstances when the supplied 'ok' parameter
is zero. From your example:

if (!ok)
    {
    BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
               X509_verify_cert_error_string(err));
    if (depth < 6)
        {
        ok=1;
        X509_STORE_CTX_set_error(ctx,X509_V_OK);
        }
    ...

This is actually rather dangerous for real purposes in that it's telling
the verify code to ignore all errors below a certain depth, effectively
allowing any certificate (or chain) to be considered valid.

Unless you want to customize certificate verification in some way you
rarely need a verify callback at all.


> Well I put the CA cert in the store with a link to the hashed name also
> with a .0 after it. This worked on another program that I did but I seem to
> be having a problem now. If you don't mind could you look at the piece of
> code that I have doing this and see if you see any problems (attached)?
>

Is there some reason you can't use PKCS7_verify()? It's somewhat simpler
to use than the low-level stuff.

Also try verifying the structure using the 'smime' application. If you
can get it working with that it should be OK. Also you can use the
openssl utilities 'pkcs7' (to extract certificates) and 'verify' to see
if you can get the certificate to verify.

Usually the cause of such errors is that the root CA isn't included or
can't be found in the trusted certificate store.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Frank Geck
Dec 31, 2001, 6:43:22 PM
Thanks. Well, I did not use PKCS7_verify() because I could not find examples using
it. Since you wrote it I guess you might have some examples?

As you know lots of this is undocumented and it's hard to figure out what to use.

Thanks,

Frank

Frank Geck
Jan 3, 2002, 3:44:41 PM
Steve,
I seem to have narrowed the problem down to a platform issue I think. On
Solaris 2.8 it is not working but when I move it to Linux RH7.0 it works fine.
I'm using 0.9.6b. Any Solaris issues other than the random number generator
problem?

Frank Geck
Jan 4, 2002, 9:08:28 AM
I've done that and in both cases it verified the cert just fine. Please let me just
check with you what I did to make sure I did it correctly.

First take the PKCS7 file and get certs out
openssl pkcs7 -in data.signed -print_certs -out certs.pem

Then verify cert(s)
openssl verify -CApath <path to ca cert> certs.pem
openssl verify -CAfile <full qualified path to ca cert> certs.pem

So this tells me that the PKCS7 file is being written correctly but I'm not able to
verify it correctly for some reason.


Thanks,

Frank

Dr S N Henson wrote:

> Frank Geck wrote:
> >
> > Steve,
> > I seem to have narrowed the problem down to a platform issue I think. On
> > Solaris 2.8 it is not working but when I move it to Linux RH7.0 it works fine.
> > I'm using 0.9.6b. Any Solaris issues other than the random number generator
> > problem?
> >
>

> Try extracting the signers certificate and verifying manually with the
> openssl verify utility. Try both the -CAfile and -CApath options for the
> root CA.
>
> If both work then there's some problem with the program or its setup. If
> one or both options fails then it may be something else.

Frank Geck
Jan 4, 2002, 12:24:49 PM
Ok, I did that and both commands hung (using both 0.9.6b and c).

I just installed openssl 0.9.6c and recompiled my code with those libs and it worked
perfectly just like on Linux with 0.9.6b.

I made zero code changes between the two, any thoughts? Or just chalk this up to some
query bug with Solaris 2.8/openssl 0.9.6b?

Thanks,

Frank

Dr S N Henson wrote:

> Frank Geck wrote:
> >
> > I've done that and in both cases it verified the cert just fine. Please let me just
> > check with you what I did to make sure I did it correctly.
> >
> > First take the PKCS7 file and get certs out
> > openssl pkcs7 -in data.signed -print_certs -out certs.pem
> >
> > Then verify cert(s)
> > openssl verify -CApath <path to ca cert> certs.pem
> > openssl verify -CAfile <full qualified path to ca cert> certs.pem
> >
> > So this tells me that the PKCS7 file is being written correctly but I'm not able to
> > verify it correctly for some reason.
>

> Check you have only the signer's certificate in certs.pem; in fact it's
> probably easiest to do:
>
> openssl smime -verify -inform PEM data.signer -CApath XXX
> openssl smime -verify -inform PEM data.signer -CAfile XXX
>
> and see if that works.
