[openssl-users] How to "unwrap" S/MIME messages using openssl?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Apr 6 19:54:47 UTC 2017

    If the message is signed and then encrypted, you can then check the
    signature on the decrypted output. 

This is what the decrypted message looks like (its first few lines):

$ head ~/Documents/test-smime-decr.txt
Content-Type: multipart/signed;
Content-Transfer-Encoding: 7bit

Content-Type: multipart/alternative;

Hoping that it includes the signing certificate of the signer, I tried to verify its signature by:

$ openssl cms -verify -inform SMIME -in ~/Documents/test-smime-decr.txt
Verification failure
140735229702224:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:self signed certificate in certificate chain

How do I find out what certificate chain the signer used? How do I verify the signature? If I have a directory that holds files of all the CAs I use, is it enough to just give it in “-CApath ${HOME}/my_cert_dir”, or does that directory have to have a special structure (and the certs have to be in a certain format)? In my case they’re a mix of PEM and DER files (with extensions .pem and .cer).

And if I (failing to validate the certificate chain) want to just check whether the decrypted message was tampered with – is there a way to do that (without validating the certificate chain)?
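
An added example, not part of the original post and not code from the OpenSSL project: one way to turn a directory of mixed PEM and DER certificates into the hashed layout that `-CApath` looks up, followed by a full verification and a signature-only check. The function names and directory arguments are hypothetical; the `openssl` options used (`-subject_hash`, `-CApath`, `-noverify`, `-signer`) are standard ones.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; openssl options are standard.

# build_capath SRC DST
# -CApath looks certificates up as PEM files named <subject-hash>.<n>, so a
# directory of mixed .pem/.cer files has to be normalised first.
build_capath() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    tmp="$dst/.tmp.$$"
    for f in "$src"/*.pem "$src"/*.cer; do
        [ -f "$f" ] || continue                 # unmatched glob stays literal
        # The extension does not tell the encoding: try PEM, then DER.
        # Only the first certificate of a multi-certificate PEM file is used.
        openssl x509 -in "$f" -inform PEM -out "$tmp" 2>/dev/null ||
        openssl x509 -in "$f" -inform DER -out "$tmp" 2>/dev/null ||
        { echo "skipping $f: not an X.509 certificate" >&2; continue; }
        h=$(openssl x509 -in "$tmp" -noout -subject_hash) || return 1
        n=0
        while [ -e "$dst/$h.$n" ]; do n=$((n + 1)); done  # same hash: .1, .2, ...
        mv "$tmp" "$dst/$h.$n"
    done
    rm -f "$tmp"
}

# verify_with_capath MSG CADIR
# Full verification: signature plus certificate chain up to a CA in CADIR.
verify_with_capath() {
    openssl cms -verify -inform SMIME -in "$1" -CApath "$2" -out /dev/null
}

# verify_integrity_only MSG SIGNER_OUT
# Checks the signature against the certificate carried in the message and
# writes that certificate to SIGNER_OUT for inspection. -noverify skips chain
# validation: success means the content is unchanged since signing, not that
# the signer is who the certificate claims.
verify_integrity_only() {
    openssl cms -verify -noverify -inform SMIME -in "$1" -signer "$2" -out /dev/null
}
```

The certificate written by `verify_integrity_only` can be examined with `openssl x509 -noout -subject -issuer -in <file>` to see which issuer would have to be present in the `-CApath` directory.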
