\r
#include <openssl/objects.h>\r
#include <openssl/x509.h>\r
+#include <openssl/x509v3.h>\r
#include <openssl/pkcs7.h>\r
\r
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
)\r
{\r
PKCS7 *Pkcs7;\r
- BIO *CertBio;\r
BIO *DataBio;\r
BOOLEAN Status;\r
X509 *Cert;\r
}\r
\r
Pkcs7 = NULL;\r
- CertBio = NULL;\r
DataBio = NULL;\r
Cert = NULL;\r
CertStore = NULL;\r
//\r
// Read DER-encoded root certificate and Construct X509 Certificate\r
//\r
- CertBio = BIO_new (BIO_s_mem ());\r
- BIO_write (CertBio, TrustedCert, (int)CertLength);\r
- if (CertBio == NULL) {\r
- goto _Exit;\r
- }\r
- Cert = d2i_X509_bio (CertBio, NULL);\r
+ Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);\r
if (Cert == NULL) {\r
goto _Exit;\r
}\r
DataBio = BIO_new (BIO_s_mem ());\r
BIO_write (DataBio, InData, (int)DataLength);\r
\r
+ //\r
+ // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and\r
+ // doesn't support the extended key usage for Authenticode Code Signing.\r
+ // Bypass the certificate purpose checking by enabling any purposes setting.\r
+ //\r
+ X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
+\r
//\r
// Verifies the PKCS#7 signedData structure\r
//\r
// Release Resources\r
//\r
BIO_free (DataBio);\r
- BIO_free (CertBio);\r
X509_free (Cert);\r
X509_STORE_free (CertStore);\r
PKCS7_free (Pkcs7);\r