Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) Standard preamble: ========================================================================
NAMECMS_verify, CMS_get0_signers - verify a CMS SignedData structure
#include <openssl/cms.h> int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, unsigned int flags); STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms);
DESCRIPTIONCMS_verify() verifies a
flags is an optional set of flags, which can be used to modify the verify operation.
CMS_get0_signers() retrieves the signing certificate(s) from cms, it must be called after a successful CMS_verify() operation.
VERIFY PROCESSNormally the verify process proceeds as follows.
Initially some sanity checks are performed on cms. The type of cms must be SignedData. There must be at least one signature on the data and if the content is detached indata cannot be
An attempt is made to locate all the signing certificate(s), first looking in the certs parameter (if it is not
Each signing certificate is chain verified using the smimesign purpose and the supplied trusted certificate store. Any internal certificates in the message are used as untrusted CAs. If
Finally the signed content is read (and written to out is it is not
If all signature's verify correctly then the function is successful.
Any of the following flags (ored together) can be passed in the flags parameter to change the default verify behaviour.
NOTESOne application of
In some cases the standard techniques for looking up and validating certificates are not appropriate: for example an application may wish to lookup certificates in a database or perform customised verification. This can be achieved by setting and verifying the signers certificates manually using the signed data utility functions.
Care should be taken when modifying the default verify behaviour, for example setting
Chain verification should arguably be performed using the signing time rather than the current time. However since the signing time is supplied by the signer it cannot be trusted without additional evidence (such as a trusted timestamp).
RETURN VALUESCMS_verify() returns 1 for a successful verification and zero if an error occurred.
CMS_get0_signers() returns all signers or
The error can be obtained from ERR_get_error(3)
BUGSThe trusted certificate store is not searched for the signing certificate, this is primarily due to the inadequacies of the current X509_STORE functionality.
The lack of single pass processing means that the signed content must all be held in memory if it is not detached.