[openssl-users] How to "unwrap" S/MIME messages using openssl?

Viktor Dukhovni openssl-users at dukhovni.org
Thu Apr 6 21:22:24 UTC 2017

> On Apr 6, 2017, at 5:16 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>> $ openssl cms -verify -verify_retcode -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -signer $author -in ~/Documents/test-smime-decr.txt
> I saw no numeric code – but no error either.

The "numeric code" is the *exit* status of the program.  You can
find it in "$?" directly after the execution of the command (in
any POSIX shell).

> Yes, thanks! Done that. Checks out correctly.
>    Further issues arise if the data is expected to remain verifiable
>    past the lifetime of the signer's certificate.  It that case, it
>    should be verified on arrival and re-encrypted for long-term
>    storage using an integrity protection mechanism that does not
>    depend on the long-term validity of the signer's key.
> This is the trickiest one.
> With Java code signing tool (aka “jarsigner”) I can provide a “digital
> notary” – timestamping authority that would digitally sign a timestamp
> to deal with this “past the lifetime of the signer’s certificate” issue.
> Done with “-tsa https://whatever.timestamping.authority.com”
> Is there an equivalent, either in openssl tool itself, or in the email
> clients that you know of?

I don't know of any email clients that handle this properly, and I'm
not familiar with the openssl time stamping CLI.  The manpage is at:



More information about the openssl-users mailing list