I'm stuck on a really strange problem revolving around the CMS_verify() method in OpenSSL. I'm developing a method to sign and verify data in C++ with OpenSSL, but the verification throws a very strange error, as seen in the following code stub:

    // Sign
    BIO_puts(in, "My test string.");
    cms = CMS_sign(serverCert, privateKey, recips, in, CMS_BINARY);
    if (!cms) {
        cout << ERR_error_string(ERR_get_error(), NULL) << endl;
    } else {
        cout << "Successfully signed!" << endl;
    }

    // Verify
    if (!CMS_verify(cms, certs, st, NULL, out, 0)) {
        cout << ERR_error_string(ERR_get_error(), NULL) << endl;
    } else {
        cout << "Successfully verified!" << endl;
    }
    size = BIO_get_mem_data(out, &outString);
    cout << "Verified string: " << string(outString, size) << endl;
    BIO_ctrl(out, BIO_CTRL_RESET, 0, NULL);

    // Verify without certificate verification
    if (!CMS_verify(cms, certs, st, NULL, out, CMS_NO_SIGNER_CERT_VERIFY)) {
        cout << ERR_error_string(ERR_get_error(), NULL) << endl;
    } else {
        cout << "Successfully verified!" << endl;
    }

    // Check each signer certificate against the store by hand
    signers = CMS_get0_signers(cms);
    for (int i = 0; i < sk_X509_num(signers); i++) {
        X509_STORE_CTX_init(storeCtx, st, sk_X509_value(signers, i), NULL);
        if (!X509_verify_cert(storeCtx)) {
            // Use the accessor; the context structure is opaque in current OpenSSL
            cout << X509_verify_cert_error_string(X509_STORE_CTX_get_error(storeCtx)) << endl;
        } else {
            cout << "Signer certificate has been verified." << endl;
        }
        // Release per-signer state before the context is initialised again
        X509_STORE_CTX_cleanup(storeCtx);
    }
    // The stack returned by CMS_get0_signers() must be freed by the caller
    sk_X509_free(signers);
    size = BIO_get_mem_data(out, &outString);
    cout << "Verified string: " << string(outString, size) << endl;

The appropriate output:

    Successfully signed!
    error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error
    Verified string:
    Successfully verified!
    Signer certificate has been verified.
    Verified string: My test string.

So, as can be seen, the certificates I use are valid, but somehow the CMS_verify() method is not able to verify the enveloped certificates in my CMS structure.
My workaround seems to work though, but I'm really curious to know what I'm doing wrong.
So can someone please help me?
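
An added example, not part of the original post: CMS_verify() validates the signer chain under OpenSSL's "smime_sign" verification profile, while a bare X509_verify_cert() call sets no purpose, so the two checks can disagree about the same certificate. The script below reproduces the output pattern above with the `openssl` command-line front end to the same routines, under the assumption (not confirmed by the post) that the signer certificate's extended key usage excludes S/MIME signing; `cms_purpose_demo`, `try` and `cmsv` are hypothetical names.

```shell
#!/bin/sh
# Added example: every key, certificate and message below is constructed in a temp dir.
cms_purpose_demo() {
    d=$(mktemp -d) || return 1
    # Constructed self-signed signer whose extended key usage allows TLS server auth only.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
        'prompt = no' '[dn]' 'CN = constructed signer' '[ext]' \
        'extendedKeyUsage = serverAuth' > "$d/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    printf 'My test string.' > "$d/msg.txt"
    # Attached signature, like CMS_sign(..., CMS_BINARY) in the post.
    openssl cms -sign -binary -nodetach -in "$d/msg.txt" -signer "$d/cert.pem" \
        -inkey "$d/key.pem" -outform PEM -out "$d/msg.cms" 2>/dev/null || return 1

    # Helpers: run a command quietly and report ok/fail; verify the CMS blob.
    try() { if "$@" >/dev/null 2>"$d/err.txt"; then echo ok; else echo fail; fi; }
    cmsv() { openssl cms -verify -inform PEM -in "$d/msg.cms" -CAfile "$d/cert.pem" "$@"; }

    # 1. Chain check with no purpose set, as a bare X509_verify_cert() does.
    chain=$(try openssl verify -CAfile "$d/cert.pem" "$d/cert.pem")
    # 2. Default CMS verification: the signer is checked for S/MIME signing.
    cms=$(try cmsv)
    reason=$(grep -o 'unsupported certificate purpose' "$d/err.txt" | head -n 1)
    # 3. Same check with the purpose restriction lifted on the store parameters.
    any=$(try cmsv -purpose any)
    # 4. The CLI counterpart of CMS_NO_SIGNER_CERT_VERIFY.
    noverify=$(try cmsv -noverify)

    rm -rf "$d"
    if [ -n "$reason" ]; then echo "default CMS verify failed: $reason" >&2; fi
    echo "chain=$chain cms=$cms purpose_any=$any noverify=$noverify"
}

cms_purpose_demo
```

In the C API, the equivalent of step 3 is setting the purpose on the store's verification parameters before calling CMS_verify(), which keeps chain validation on instead of skipping it with CMS_NO_SIGNER_CERT_VERIFY.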