If the message is signed and then encrypted, you can then check the signature on the decrypted output. This is what the decrypted message looks like (its first few lines):

$ head ~/Documents/test-smime-decr.txt
Content-Type: multipart/signed;
	boundary=Apple-Mail-D1CE77F5-394F-4A97-918E-2D73904720BC;
	protocol="application/pkcs7-signature";
	micalg=sha1
Content-Transfer-Encoding: 7bit

--Apple-Mail-D1CE77F5-394F-4A97-918E-2D73904720BC
Content-Type: multipart/alternative;
	boundary=Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3

Hoping that it includes the signing certificate of the signer, I tried to verify its signature by:

$ openssl cms -verify -inform SMIME -in ~/Documents/test-smime-decr.txt
Verification failure
140735229702224:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:self signed certificate in certificate chain
$

How do I find out what certificate chain the signer used? How do I verify the signature?

If I have a directory that holds files of all the CAs I use, is it enough to just give it in “-CApath ${HOME}/my_cert_dir”, or does that directory have to have a special structure (and the certs have to be in a certain format)? In my case they’re a mix of PEM and DER files (with extensions .pem and .cer).

And if I (failing to validate the certificate chain) want to just check whether the decrypted message was tampered with – is there a way to do that (without validating the certificate chain)?

Thanks!
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
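The following script is an added example and is not part of the post or of OpenSSL's own documentation. It builds a throwaway CA and signer locally, signs a message as S/MIME (a multipart/signed structure like the poster's decrypted output), and then walks through the three questions raised above on that message: listing the certificates the signer embedded (-certsout / -signer), validating the chain against a hashed -CApath directory (including converting a DER .cer to PEM), and an integrity-only check with -noverify. Every file name, subject and message string is constructed for the demo; only a local openssl binary is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates on a locally
# generated S/MIME message:
#   1. finding the certificates embedded by the signer (-certsout, -signer)
#   2. full chain validation with -CApath (PEM files named <subject-hash>.0)
#   3. integrity-only verification with -noverify (signature checked, chain not)
# All names, subjects and the message text are constructed for the demo.
set -e

run_demo() {
    work=$(mktemp -d)
    cd "$work"

    # --- throwaway CA: self-signed, CA:TRUE so chain building accepts it ---
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout ca.key -out ca.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext \
        -out ca.pem >/dev/null 2>&1

    # --- end-entity signing certificate issued by that CA ---
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-signer" \
        -keyout signer.key -out signer.csr >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' > signer.ext
    openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile signer.ext -out signer.pem >/dev/null 2>&1

    # --- sign a message (constructed text); -certfile embeds the CA as well,
    #     so the receiver gets the chain, not just the leaf ---
    printf 'hello from the demo\n' > msg.txt
    openssl cms -sign -in msg.txt -signer signer.pem -inkey signer.key \
        -certfile ca.pem -out signed.eml

    # 1. What did the signer embed? -certsout dumps every certificate carried
    #    in the CMS structure; -signer writes the signer's own certificate.
    #    -noverify lets this succeed before any trust store is configured.
    openssl cms -verify -noverify -in signed.eml -certsout embedded.pem \
        -signer signer_found.pem -out /dev/null
    embedded=$(grep -c 'BEGIN CERTIFICATE' embedded.pem)
    openssl x509 -in signer_found.pem -noout -subject -issuer >&2

    # 2. Full validation. A -CApath directory must hold PEM certificates
    #    reachable under <subject-hash>.0 (openssl rehash / c_rehash create the
    #    links); DER .cer files have to be converted first. Done by hand here.
    mkdir trust
    openssl x509 -in ca.pem -outform DER -out ca.cer        # stand-in for a DER .cer
    openssl x509 -inform DER -in ca.cer -out trust/ca.pem   # convert back to PEM
    ln -s ca.pem "trust/$(openssl x509 -noout -hash -in trust/ca.pem).0"
    openssl cms -verify -in signed.eml -CApath trust -out /dev/null

    # 3. Integrity only: -noverify skips the chain check but still verifies the
    #    signature over the content, so a modified body must be rejected.
    sed 's/hello from/HACKED/' signed.eml > tampered.eml
    if openssl cms -verify -noverify -in tampered.eml -out /dev/null 2>/dev/null; then
        echo "tampered message unexpectedly verified" >&2
        return 1
    fi

    echo "ok embedded=$embedded"
}
```

Run it with `run_demo`; it prints the signer's subject and issuer on stderr and `ok embedded=2` on stdout (the leaf plus the CA added via -certfile). In the poster's situation the first verify with `-noverify -certsout` is the quick way to see which certificates the mail client actually attached, and the hashed PEM directory is what `-CApath` expects; a directory of mixed .pem and .cer files without the hash links will not be consulted.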