<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi all,<br>
<br>
I was looking at the behavior of PKCS7_verify(). It seems that, if
the flags are set to 0, then the function will assume that the
"smime_sign" purpose is to be used when verifying the certificate,
however, if the PKCS7_NOCHAIN is actually used, it seems that the
purpose is not checked. From the code (crypto/pkcs7/pk7_smime.c -
line ~320 - function PKCS7_verify() ):<br>
<blockquote>
<pre> if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
signer = sk_X509_value (signers, k);
if (!(flags & PKCS7_NOCHAIN)) {
if(!X509_STORE_CTX_init(&cert_ctx, store, signer,
p7->d.sign->cert))
{
PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
sk_X509_free(signers);
return 0;
}
X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
} else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
sk_X509_free(signers);
return 0;
}
if (!(flags & PKCS7_NOCRL))
X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
i = X509_verify_cert(&cert_ctx);
if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
X509_STORE_CTX_cleanup(&cert_ctx);
if (i <= 0) {
PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(j));
sk_X509_free(signers);
return 0;
}
/* Check for revocation status here */
}
</pre>
</blockquote>
Is this the desired behavior or if this is an error ? In other
words, shouldn't the "smime_sign" purpose be checked in both cases ?
I am asking because I am trying to understand if this behavior is
going to be fixed / changed in the future or not (i.e., can we rely
on the fact that by using the PKCS7_NOCHAIN flag the "smime_sign"
purpose will not be checked) ?.<br>
<br>
Thanks,<br>
Max<br>
<br>
<br>
</body>
</html>