> On Apr 6, 2017, at 5:00 PM, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote:
Two problems here, the "Verification successful" message is just a
diagnostic message to "stderr" and should not be considered a
reliable indication of signature validity. You really should
use the "-verify_retcode" option to ensure that verification
failure leads to a non-zero exit code.
$ openssl cms -verify -verify_retcode -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -signer $author -in ~/Documents/test-smime-decr.txt
. . . . .
--Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3--
Verification successful
I saw no numeric code – but no error either.
Secondly, you would typically care *who* signed the message, and
just that it was signed by some random certificate issued by
a trusted root.
That’s right. ;-)
Therefore, you should also use the:
author=$(mktemp author.XXXXXX)
... -signer $author ...
option to capture the signer's certificate, and then inspect it
somehow (check the subject name or serial number, or ...).
Yes, thanks! Done that. Checks out correctly.
Further issues arise if the data is expected to remain verifiable
past the lifetime of the signer's certificate. It that case, it
should be verified on arrival and re-encrypted for long-term
storage using an integrity protection mechanism that does not
depend on the long-term validity of the signer's key.
This is the trickiest one.
With Java code signing tool (aka “jarsigner”) I can provide a “digital notary” – timestamping authority that would digitally sign a timestamp to deal with this “past the lifetime of the signer’s certificate” issue. Done with “-tsa https://whatever.timestamping.authority.com”;
Is there an equivalent, either in openssl tool itself, or in the email clients that you know of?
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
