You really should peruse the cms(1) manpage, daunting as that might be. :-)
Alas, it is! ;-)
> And if I (failing to validate the certificate chain) want to just check
> whether the decrypted message was tampered with – is there a way to do
> that (without validating the certificate chain)?
If a single self-signed certificate is the expected signer, then you
can dispense with all the PKI nonsense and just test for the expected
signer. With OpenSSL 1.1.0:
openssl cms -CAfile signer.pem -no-CApath ...
with older versions:
empty=$(mktemp -d empty.XXXXXX)
openssl cms -CAfile signer.pem -CApath "$empty" ...
rmdir "$empty"
Well, no – somehow it mistook the Root CA cert for “self-signed”. There
actually are three levels: Root CA -> Cert-issuing CA -> Signer Cert. I
verified that all the three certificates are present in that CMS message. So I
need to either somehow tell openssl that one of those is the root, or point to
an external PEM file containing the root ca cert copy.
But with your help, and providing the top root in the “-CAfile …” argument, I
got it!!
$ openssl cms -verify -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -in
~/Documents/test-smime-decr.txt
Content-Type: multipart/alternative;
boundary=Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
Content-Transfer-Encoding: 7bit
--Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3
Content-Type: text/plain;
charset=us-ascii
. . . . .
--Apple-Mail-7BC1697A-2A03-429F-A5F0-817DB6DBCEB3--
Verification successful
$
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
