[openssl-users] How to "unwrap" S/MIME messages using openssl?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Apr 6 21:00:46 UTC 2017

    You really should peruse the cms(1) manpage, daunting as that might be. :-)

Alas, it is! ;-)

    > And if I (failing to validate the certificate chain) want to just check
    > whether the decrypted message was tampered with – is there a way to do
    > that (without validating the certificate chain)?
    If a single self-signed certificate is the expected signer, then you
    can dispense with all the PKI nonsense and just test for the expected
    signer.  With OpenSSL 1.1.0:
       openssl cms -CAfile signer.pem -no-CApath ...
    with older versions:
       empty=$(mktemp -d empty.XXXXXX)
       openssl cms -CAfile signer.pem -CApath "$empty" ...
       rmdir "$empty"

Well, no – somehow it mistook the Root CA cert for “self-signed”. There actually are three levels: Root CA -> Cert-issuing CA -> Signer Cert. I verified that all the three certificates are present in that CMS message. So I need to either somehow tell openssl that one of those is the root, or point to an external PEM file containing the root ca cert copy.

But with your help, and providing the top root in the “-CAfile …” argument, I got it!!

$ openssl cms -verify -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -in ~/Documents/test-smime-decr.txt
Content-Type: multipart/alternative;
Content-Transfer-Encoding: 7bit

Content-Type: text/plain;
. . . . .
Verification successful
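An added, self-contained example (not code from the thread or from OpenSSL) of the "trust only the expected signer" check described above: it builds a throwaway self-signed signer, signs a message with `openssl cms -sign`, verifies it with `-CAfile signer.pem -no-CApath`, and shows that a modified copy of the signed message is rejected. It assumes OpenSSL 1.1.0 or later on PATH; the certificate subject, file names and message text are constructed for the example.

```shell
#!/bin/sh
# Added example: verify an S/MIME signature against a single expected signer
# (no CA path, no PKI chain), then show that tampering is detected.
# Assumes OpenSSL 1.1.0+ on PATH. Everything lives in a temporary directory.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Throwaway self-signed signer certificate and key (constructed for this example).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=example-signer" \
  -keyout "$work/signer-key.pem" -out "$work/signer.pem" >/dev/null 2>&1

# The message body that will be signed (constructed sample input).
printf 'hello from the example\n' > "$work/msg.txt"

# Produce a multipart/signed S/MIME message (detached signature, the default).
openssl cms -sign -in "$work/msg.txt" -signer "$work/signer.pem" \
  -inkey "$work/signer-key.pem" -outform SMIME -out "$work/msg.smime"

# verify_smime FILE -> prints "ok" if the signature verifies, "fail" otherwise.
# The trust store is exactly signer.pem: -CAfile names it and -no-CApath
# keeps the system certificate directory out of the picture.
verify_smime() {
  if openssl cms -verify -in "$1" -inform SMIME \
       -CAfile "$work/signer.pem" -no-CApath -out /dev/null 2>/dev/null; then
    echo ok
  else
    echo fail
  fi
}

# tamper_copy IN OUT -> copies the signed message with its clear-text body
# altered, leaving the signature part untouched.
tamper_copy() {
  sed 's/hello from the example/tampered message/' "$1" > "$2"
}

# Stand-alone run: original verifies, tampered copy does not.
echo "original: $(verify_smime "$work/msg.smime")"
tamper_copy "$work/msg.smime" "$work/tampered.smime"
echo "tampered: $(verify_smime "$work/tampered.smime")"
```

On OpenSSL 3.x a default certificate store is loaded separately from the CA file and CA path, so pass `-no-CAstore` as well (see cms(1)) when the intent is to trust nothing but the named signer.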
