[openssl-users] How to "unwrap" S/MIME messages using openssl?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Apr 6 21:16:35 UTC 2017

> On Apr 6, 2017, at 5:00 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
    Two problems here, the "Verification successful" message is just a
    diagnostic message to "stderr" and should not be considered a
    reliable indication of signature validity.  You really should
    use the "-verify_retcode" option to ensure that verification
    failure leads to a non-zero exit code.

$ openssl cms -verify -verify_retcode -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -signer $author -in ~/Documents/test-smime-decr.txt
. . . . .
Verification successful

I saw no numeric code – but no error either.

    Secondly, you would typically care *who* signed the message, and
    just that it was signed by some random certificate issued by
    a trusted root. 

That’s right. ;-)

    Therefore, you should also use the:
    	author=$(mktemp author.XXXXXX)
    	... -signer $author ...
    option to capture the signer's certificate, and then inspect it
    somehow (check the subject name or serial number, or ...).

Yes, thanks! Done that. Checks out correctly.

    Further issues arise if the data is expected to remain verifiable
    past the lifetime of the signer's certificate.  It that case, it
    should be verified on arrival and re-encrypted for long-term
    storage using an integrity protection mechanism that does not
    depend on the long-term validity of the signer's key.

This is the trickiest one.

With Java code signing tool (aka “jarsigner”) I can provide a “digital notary” – timestamping authority that would digitally sign a timestamp to deal with this “past the lifetime of the signer’s certificate” issue. Done with “-tsa https://whatever.timestamping.authority.com”

Is there an equivalent, either in openssl tool itself, or in the email clients that you know of?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170406/143d6e7c/attachment.bin>

More information about the openssl-users mailing list