
The problem:

When I sign a message with a certificate which is used for an HTTPS webserver, OpenSSL does not want to verify it back.

Signing a message:

    echo "TestMessage" | openssl smime \
        -sign \
        -inkey server-key.pem \
        -signer server-crt.pem \
        -certfile server-crt.pem \
        -noattr -nodetach \
        -outform DER \
        -out signedmessage.dat

Verifying the message:

    openssl smime \
        -verify \
        -in signedmessage.dat \
        -inform DER \
        -signer server-crt.pem \
        -CAfile ca-crt.pem

    Verification failure
    34379118248:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:342:Verify error:unsupported certificate purpose

Now, I know I should have signed my message using a certificate that allows that purpose.

But is there any way to bypass that check and verify the signature anyway?

Here's how the CA and certificate were created:

CA creation:

    openssl req -x509 -new -newkey rsa:4096 -keyout ca-key.pem -out ca-crt.pem

Certificate creation:

    openssl req -new -newkey rsa:4096 -keyout server-key.pem -out server-csr.pem -nodes
    openssl ca -config openssl.cnf -extensions server -cert ca-crt.pem -keyfile ca-key.pem -in server-csr.pem -out server-crt.pem

Extension definition in openssl.cnf:

    [ server ]
    extendedKeyUsage = serverAuth
    keyUsage = digitalSignature, keyEncipherment
    ...

1 Answer


Openssl smime, in verify mode, passes the -purpose option through to an invocation of openssl verify. In consequence, you should be able to add -purpose sslserver and have it validate. I tested this on version 1.0.2d and it worked well.

    This works. This option is not in the usage output, but it's mentioned in the man page. Commented Nov 6, 2015 at 9:20
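As an added example (not code from the question or the answer), the script below builds a throw-away CA and a serverAuth-only leaf with the same extension section as the question, signs the message the same way, and then shows the verify call being rejected with the default purpose and accepted with -purpose sslserver. It assumes the openssl CLI is on PATH; the leaf is issued with openssl x509 -req -extfile instead of openssl ca so that no CA database has to be set up, and all names and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumes the openssl CLI (1.0.2 or newer) is on PATH. The leaf certificate is
# issued with "openssl x509 -req -extfile" instead of "openssl ca" so no CA
# database is needed; the extension section matches the question's [ server ].
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ext.cnf" <<'EOF'
[ server ]
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF

# Throw-away CA plus a serverAuth-only leaf, as in the question (constructed names).
make_pki() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-crt.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server-key.pem" -out "$WORK/server-csr.pem" 2>/dev/null &&
  openssl x509 -req -days 30 -in "$WORK/server-csr.pem" \
    -CA "$WORK/ca-crt.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions server \
    -out "$WORK/server-crt.pem" 2>/dev/null
}

# Sign exactly as the question does (signer certificate embedded, DER output).
sign_message() {
  echo "TestMessage" | openssl smime -sign -inkey "$WORK/server-key.pem" \
    -signer "$WORK/server-crt.pem" -noattr -nodetach -outform DER \
    -out "$WORK/signedmessage.dat" 2>/dev/null
}

# Returns 0 on success. Extra arguments go straight to "smime -verify", so
# "verify_message -purpose sslserver" is the answer's fix and "verify_message"
# alone reproduces the question's "unsupported certificate purpose" failure.
verify_message() {
  openssl smime -verify -in "$WORK/signedmessage.dat" -inform DER \
    -CAfile "$WORK/ca-crt.pem" "$@" >/dev/null 2>&1
}

make_pki && sign_message || exit 1
if verify_message; then echo "default purpose (smimesign): verified"
else echo "default purpose (smimesign): rejected, as in the question"; fi
if verify_message -purpose sslserver; then echo "-purpose sslserver: verified"
else echo "-purpose sslserver: rejected"; fi
```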
