> You really should peruse the cms(1) manpage, daunting as that might be. :-)

Alas, it is! ;-)

>> And if I (failing to validate the certificate chain) want to just check
>> whether the decrypted message was tampered with – is there a way to do
>> that (without validating the certificate chain)?
>
> If a single self-signed certificate is the expected signer, then you can
> dispense with all the PKI nonsense and just test for the expected signer.
> With OpenSSL 1.1.0:
>
>     openssl cms -CAfile signer.pem -no-CApath ...
>
> with older versions:
>
>     empty=$(mktemp -d empty.XXXXXX)
>     openssl cms -CAfile signer.pem -CApath "$empty" ...
>     rmdir "$empty"

Well, no – somehow it mistook the Root CA cert for “self-signed”. There actually are three levels: Root CA -> Cert-issuing CA -> Signer Cert. I verified that all three certificates are present in that CMS message. So I need to either somehow tell openssl that one of those is the root, or point to an external PEM file containing a copy of the root CA cert.

But with your help, and providing the top root in the “-CAfile …” argument, I got it!!

    $ openssl cms -verify -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -in ~/Documents/test-smime-decr.txt
    Content-Type: multipart/alternative; boundary=Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
    Content-Transfer-Encoding: 7bit

    --Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
    Content-Type: text/plain; charset=us-ascii
    . . . . .
    --Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3--
    Verification successful
    $
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
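As an added example (not code from the thread), a POSIX shell script that applies the approach discussed above: it verifies an S/MIME message against a pinned root CA file as the only trust anchor, using -no-CApath on OpenSSL 1.1.0 and later and an empty -CApath directory on older releases. It assumes openssl is on PATH; the message, CA file and output paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the openssl-users thread. Pins the trust anchor for
# `openssl cms -verify` to one CA file and disables the default CApath, so a
# signature only verifies if it chains to that root. Certificates carried
# inside the CMS message (here: root, issuing CA, signer) are only used as
# untrusted intermediates; the root must still be supplied via -CAfile.

# Argument: an OpenSSL version string such as "1.0.2u", "1.1.1k" or "3.0.2".
# Returns 0 (true) when the version predates 1.1.0 and so lacks -no-CApath.
needs_empty_capath() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 1 ]; }
}

# Version of the openssl binary on PATH, e.g. "1.1.1k".
openssl_version() {
    openssl version 2>/dev/null | awk '{ print $2 }'
}

# Arguments: S/MIME message file, root CA PEM file, output file for the
# verified content. Returns openssl's exit status: 0 only on
# "Verification successful" against the pinned root.
cms_verify_pinned() {
    msg=$1; root=$2; out=$3
    rc=0
    if needs_empty_capath "$(openssl_version)"; then
        # Pre-1.1.0: point -CApath at an empty directory so the system
        # store cannot supply an unexpected trust anchor.
        empty=$(mktemp -d "${TMPDIR:-/tmp}/empty.XXXXXX") || return 2
        openssl cms -verify -inform SMIME -in "$msg" -CAfile "$root" \
            -CApath "$empty" -out "$out" || rc=$?
        rmdir "$empty"
    else
        openssl cms -verify -inform SMIME -in "$msg" -CAfile "$root" \
            -no-CApath -out "$out" || rc=$?
    fi
    return $rc
}

# Usage: ./cms_verify_pinned.sh MESSAGE.txt ROOT_CA.pem [OUTPUT]
if [ $# -ge 2 ]; then
    cms_verify_pinned "$1" "$2" "${3:-/dev/stdout}"
fi
```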