
I am trying to verify the signer cert based on its issuer CA cert. I am using the following OpenSSL API to verify the certs.

int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, unsigned int flags);

The first parameter contains the base64-encoded message. The second parameter is the stack of both CA and signer certs. The third parameter is the pointer to the cert store. The fourth and fifth parameters are BIO pointers. The last parameter is set to 0.

When I try to verify signer certificate based on the CA certificate I get

CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error

The issuer certificate for the signer cert is the CA cert, and both the CA and signer certs are valid.

Does anyone know what could be causing this verification failure? And any ways of getting around it?

Anusha_Mamidala
Kaustubh
  • (1) the 1st arg should not be the message in b64 or 'der' (binary) either, it should be a pointer to an internal structure created by _parsing_ the message (2) there is no case where both 4th and 5th args nonnull is needed (3) if you print the errstack/errentry correctly it should include the verify error, for which there are far too many possible causes to list in a Stack answer in less than a month – dave_thompson_085 Mar 24 '19 at 13:43
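An added example, not from the question or the comment: the `openssl cms -verify` command calls `CMS_verify()` itself, so it can reproduce the error and surface the X509 verify reason the comment refers to. It assumes OpenSSL 1.1.0 or later on the PATH with its default `openssl.cnf`; every key, cert and file name is constructed test data, and the untrusted-CA case shown is only one of the many possible causes.

```shell
#!/bin/sh
# Added example. All keys, certs and the message are constructed throwaway test data.
# Assumes OpenSSL 1.1.0+ on PATH with its default openssl.cnf.

# make_fixture DIR: test CA, a signer cert issued by it, and a PEM CMS SignedData.
make_fixture() {
    d=$1
    printf 'constructed sample message\n' > "$d/msg.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Signer' \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signer.pem" 2>/dev/null &&
    openssl cms -sign -binary -nodetach -in "$d/msg.txt" -signer "$d/signer.pem" \
        -inkey "$d/signer.key" -outform PEM -out "$d/msg.cms" 2>/dev/null
}

# verify_trusted DIR: the CA is loaded into the trust store (-CAfile), which is
# what the tool hands to CMS_verify() as `store`. -inform PEM makes the tool parse
# the message into a CMS_ContentInfo first.
verify_trusted() {
    openssl cms -verify -in "$1/msg.cms" -inform PEM -CAfile "$1/ca.pem" \
        -no-CApath -out /dev/null 2>&1
}

# verify_untrusted DIR: the CA is supplied only via -certfile, which the tool
# passes as the `certs` stack; the store is empty, so no trust anchor exists.
verify_untrusted() {
    openssl cms -verify -in "$1/msg.cms" -inform PEM -certfile "$1/ca.pem" \
        -no-CAfile -no-CApath -out /dev/null 2>&1
}

# verify_reason DIR: just the X509 chain error carried in the error queue entry.
verify_reason() {
    verify_untrusted "$1" | grep -o 'Verify error:.*'
}

work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
make_fixture "$work" || { echo "fixture generation failed" >&2; exit 1; }
verify_trusted "$work" >/dev/null; echo "CA in store:         exit $?"
verify_untrusted "$work" >/dev/null; echo "CA only in certs:    exit $?"
echo "underlying reason:   $(verify_reason "$work")"
```

In C the same reason text is attached to the `CMS_SIGNERINFO_VERIFY_CERT` entry in the error queue, so printing the full queue with `ERR_print_errors_fp(stderr)` after a failed `CMS_verify()` shows it.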

0 Answers