[openssl-users] How to "unwrap" S/MIME messages using openssl?

[Blumenthal, Uri - 0553 - MITLL]

    You really should peruse the cms(1) manpage, daunting as that might be. :-)

Alas, it is! ;-)
    
    > And if I (failing to validate the certificate chain) want to just check
    > whether the decrypted message was tampered with – is there a way to do
    > that (without validating the certificate chain)?
    
    If a single self-signed certificate is the expected signer, then you
    can dispense with all the PKI nonsense and just test for the expected
    signer.  With OpenSSL 1.1.0:
    
       openssl cms -CAfile signer.pem -no-CApath ...
    
    with older versions:
    
       empty=$(mktemp -d empty.XXXXXX)
       openssl cms -CAfile signer.pem -CApath "$empty" ...
       rmdir "$empty"


Well, no – somehow it mistook the Root CA cert for “self-signed”. There actually are three levels: Root CA -> Cert-issuing CA -> Signer Cert. I verified that all the three certificates are present in that CMS message. So I need to either somehow tell openssl that one of those is the root, or point to an external PEM file containing the root ca cert copy.

But with your help, and providing the top root in the “-CAfile …” argument, I got it!! 


$ openssl cms -verify -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -in ~/Documents/test-smime-decr.txt
Content-Type: multipart/alternative;
	boundary=Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
Content-Transfer-Encoding: 7bit


--Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
Content-Type: text/plain;
	charset=us-ascii
. . . . .
--Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3--
Verification successful
$
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170406/65e7d972/attachment-0001.bin>