Re: How to "unwrap" S/MIME messages using openssl?

    You really should peruse the cms(1) manpage, daunting as that might be. :-)

Alas, it is! ;-)
    
    > And if I (failing to validate the certificate chain) want to just check
    > whether the decrypted message was tampered with – is there a way to do
    > that (without validating the certificate chain)?
    
    If a single self-signed certificate is the expected signer, then you
    can dispense with all the PKI nonsense and just test for the expected
    signer.  With OpenSSL 1.1.0:
    
       openssl cms -CAfile signer.pem -no-CApath ...
    
    with older versions:
    
       empty=$(mktemp -d empty.XXXXXX)
       openssl cms -CAfile signer.pem -CApath "$empty" ...
       rmdir "$empty"


Well, no – somehow it mistook the Root CA cert for “self-signed”. There actually are three levels: Root CA -> Cert-issuing CA -> Signer Cert. I verified that all the three certificates are present in that CMS message. So I need to either somehow tell openssl that one of those is the root, or point to an external PEM file containing the root ca cert copy.

But with your help, and providing the top root in the “-CAfile …” argument, I got it!! 


$ openssl cms -verify -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -in ~/Documents/test-smime-decr.txt
Content-Type: multipart/alternative;
	boundary=Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
Content-Transfer-Encoding: 7bit


--Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
Content-Type: text/plain;
	charset=us-ascii
. . . . .
--Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3--
Verification successful
$

Attachment: smime.p7s
Description: S/MIME cryptographic signature

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
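
The check this thread arrives at, as an added example that is not part of the original messages: a throwaway Root CA -> issuing CA -> signer chain, with verification pinned to the root through `-CAfile` plus `-no-CApath` (OpenSSL 1.1.0 or later). Every subject, file name and the message text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. All subjects, file names and the message are constructed.
smime_chain_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  # Minimal config: CA extensions for both CAs, S/MIME extensions for the signer.
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
    '[ee]' 'basicConstraints = CA:FALSE' 'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = emailProtection' > c.cnf
  selfsigned() { # $1 file stem, $2 common name
    openssl req -config c.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 2 2>/dev/null
  }
  issued() { # $1 file stem, $2 common name, $3 issuer stem, $4 ext section, $5 serial
    openssl req -config c.cnf -new -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -set_serial "$5" \
      -extfile c.cnf -extensions "$4" -days 2 -out "$1.pem" 2>/dev/null
  }
  check() { # $1 trust anchor file, $2 S/MIME message; prints pass or fail
    openssl cms -verify -CAfile "$1" -no-CApath -inform SMIME -in "$2" \
      -out /dev/null 2>/dev/null && echo pass || echo fail
  }
  selfsigned root  'Demo Root CA'
  selfsigned other 'Unrelated Root CA'
  issued sub    'Demo Issuing CA' root ca 2
  issued signer 'Demo Signer'     sub  ee 3
  # Sign as the leaf and embed only the issuing CA; the root must come from -CAfile.
  printf 'Quarterly numbers attached.\n' > msg.txt
  openssl cms -sign -text -in msg.txt -signer signer.pem -inkey signer.key \
    -certfile sub.pem -out signed.eml 2>/dev/null
  sed 's/Quarterly/Quarterlx/' signed.eml > tampered.eml   # one-byte content change
  echo "root=$(check root.pem signed.eml)" \
       "other=$(check other.pem signed.eml)" \
       "tampered=$(check root.pem tampered.eml)"
)
smime_chain_demo
```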
