[openssl-users] How to "unwrap" S/MIME messages using openssl?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Apr 6 19:54:47 UTC 2017


    If the message is signed and then encrypted, you can then check the
    signature on the decrypted output. 

This is what the decrypted message looks like (its first few lines):

$ head ~/Documents/test-smime-decr.txt
Content-Type: multipart/signed;
	boundary=Apple-Mail-D1CE77F5-394F-4A97-918E-2D73904720BC;
	protocol="application/pkcs7-signature";
	micalg=sha1
Content-Transfer-Encoding: 7bit


--Apple-Mail-D1CE77F5-394F-4A97-918E-2D73904720BC
Content-Type: multipart/alternative;
	boundary=Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3


Hoping that it includes the signing certificate of the signer, I tried to verify its signature by:

$ openssl cms -verify -inform SMIME -in ~/Documents/test-smime-decr.txt
Verification failure
140735229702224:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:self signed certificate in certificate chain
$


How do I find out what certificate chain the signer used? How do I verify the signature? If I have a directory that holds files of all the CAs I use, is it enough to just give it in “-CApath ${HOME}/my_cert_dir”, or does that directory have to have a special structure (and the certs have to be in a certain format)? In my case they’re a mix of PEM and DER files (with extensions .pem and .cer).

And if I (failing to validate the certificate chain) want to just check whether the decrypted message was tampered with – is there a way to do that (without validating the certificate chain)?

Thanks!
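
Added example, not part of the original post and not OpenSSL project code: a shell sketch of the three things asked about above, namely preparing a `-CApath` directory from mixed PEM/DER files, listing the certificates carried in the signed message, and checking the signature with and without chain validation. The function names, the script name and the `.hashed` output directory are assumptions.

```shell
#!/bin/sh
# Added example: file names and directory layout are assumptions.

# Build a directory usable with -CApath from a mix of PEM and DER files.
# -CApath wants one PEM certificate per file plus a <subject-hash>.<n> link.
build_capath() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for f in "$src"/*.pem "$src"/*.cer; do
        [ -f "$f" ] || continue
        out="$dst/$(basename "$f").pem"
        # Try PEM first, then DER; skip anything that is neither.
        openssl x509 -in "$f" -inform PEM -out "$out" 2>/dev/null ||
        openssl x509 -in "$f" -inform DER -out "$out" 2>/dev/null ||
        { rm -f "$out"; echo "skipped: $f" >&2; continue; }
        h=$(openssl x509 -in "$out" -noout -hash)
        n=0; while [ -e "$dst/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$out")" "$dst/$h.$n"
    done
}

# Print subject and issuer of every certificate embedded in the signed message.
list_certs() {
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout
}

# Signature check only (-noverify skips validation of the signer's certificate):
# detects modified content, proves nothing about who signed it.
check_integrity() {
    openssl cms -verify -noverify -inform SMIME -in "$1" -out /dev/null 2>/dev/null
}

# Full verification: signature plus a chain to a CA in the hashed directory.
verify_chain() {
    openssl cms -verify -inform SMIME -in "$1" -CApath "$2" -out /dev/null 2>/dev/null
}

# Usage: sh smime-check.sh <decrypted-message> <dir-with-ca-files>
if [ $# -eq 2 ]; then
    build_capath "$2" "$2.hashed"
    list_certs "$1"
    check_integrity "$1" && echo "content matches the signature"
    verify_chain "$1" "$2.hashed" && echo "signer chains to a CA in $2"
fi
```

A pass from `check_integrity` alone only shows that the content matches the embedded signature; anyone can re-sign altered content with their own key, so it is not a substitute for `verify_chain`.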