[openssl-users] How to "unwrap" S/MIME messages using openssl?

Viktor Dukhovni openssl-users at dukhovni.org
Thu Apr 6 18:27:27 UTC 2017

> On Apr 6, 2017, at 1:25 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> I’m trying to debug the case of a (bad) email client sending encrypted S/MIME email that the recipient cannot decrypt (we suspect the problem is that the sender chooses a wrong public key/certificate to encrypt to).
> Unfortunately, recipient email clients do not help figuring this out. All they say is “you do not have the right key…”.
> My goal is to “unwrap” the CMS/SMIME message, and print out some identity of the recipient key/cert (anything that would allow me to tie this email to any of the keys I have, or to ascertain that it’s none of those) would help greatly. Printing out other details, such as “algorithms used” would also be helpful.
> I’m sure it’s possible to write an application to do that. But I strongly suspect that the “openssl” command line tool would be able to address this problem. 
> Would somebody on this list please show me how I can print the “metadata” (yes, that big word ☺) of the S/MIME email using openssl?

For S/MIME input:

   $ openssl cms -in cms.eml -cmsout -print

For DER input:

   $ openssl cms -inform DER -in cms.der -cmsout -print


More information about the openssl-users mailing list