[openssl-dev] PKCS7_verify() behavior - possible bug ?

Massimiliano Pala director at openca.org
Thu Apr 9 17:30:43 UTC 2015


Hi all,

I was looking at the behavior of PKCS7_verify(). It seems that, if the
flags are set to 0, then the function will assume that the "smime_sign"
purpose is to be used when verifying the certificate; however, if the
PKCS7_NOCHAIN flag is actually used, it seems that the purpose is not
checked. From the code (crypto/pkcs7/pk7_smime.c - line ~320 - function
PKCS7_verify()):

             if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
                     signer = sk_X509_value (signers, k);
                     if (!(flags & PKCS7_NOCHAIN)) {
                             if(!X509_STORE_CTX_init(&cert_ctx, store, signer,
                                                             p7->d.sign->cert))
                                     {
                                     PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
                                     sk_X509_free(signers);
                                     return 0;
                                     }
                             X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
                     } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
                             PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
                             sk_X509_free(signers);
                             return 0;
                     }
                     if (!(flags & PKCS7_NOCRL))
                             X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
                     i = X509_verify_cert(&cert_ctx);
                     if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
                     X509_STORE_CTX_cleanup(&cert_ctx);
                     if (i <= 0) {
                             PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
                             ERR_add_error_data(2, "Verify error:",
                                              X509_verify_cert_error_string(j));
                             sk_X509_free(signers);
                             return 0;
                     }
                     /* Check for revocation status here */
             }

Is this the desired behavior, or is this an error? In other words,
shouldn't the "smime_sign" purpose be checked in both cases? I am
asking because I am trying to understand whether this behavior is going
to be fixed / changed in the future or not (i.e., can we rely on the fact
that by using the PKCS7_NOCHAIN flag the "smime_sign" purpose will not be
checked)?

Thanks,
Max

