Hellan, Kim KHE wrote:
> 
> Using OpenSSL 0.9.5
> 
> I am trying to verify a signature in an S/MIME message. I have tried the
> following:
> OpenSSL smime -verify -in mysmime.txt -signer mysigncert.p7c -CAfile
> myrootstore.pem
> 
> It came back with a "Verification successful".
> So far, so good......
> I then tried using another signer cert instead of mysigncert.p7c and it
> still says "Verification successful".
> No matter what signer cert I use, the verification is always successful.
> 
> Is this a bug or am I using the "OpenSSL smime" incorrectly?
> 

If you check the manual you'll see that the -signer option serves two
separate purposes. 

When signing this specifies the signer's certificate. 

When verifying it specifies the filename where it will write the
signer's certificate.

The signer's certificate is (usually) included in the S/MIME signed
message and the code works out which certificate to use automatically.
As such it will never use the wrong certificate to check a signature
against. 

You can however tell it to ignore the signer's certificate included in
the message with the -nointern option. Then you must include the
certificate with the -certfile option. If you don't include the correct
certificate it will say it can't find the correct signer's certificate.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
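The behaviour Steve describes, as an added shell example that is not part of the original thread: it builds a throwaway CA and two user certificates, has Alice sign a message, and then shows that on verify -signer is an output file (so naming Bob's certificate there changes nothing), while -nointern -certfile really does fail when the wrong certificate is supplied. It assumes an openssl binary on PATH (a current release, using the same options discussed in the thread); the CA, user and file names are made up.

```shell
#!/bin/sh
# Added example (not part of the original thread). Assumes an `openssl`
# binary on PATH; the CA, user names and file names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A throwaway root CA plus two end-entity certificates it has issued.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1

issue_cert() {   # $1 = file basename, $2 = e-mail address used as the CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out "$1.pem" >/dev/null 2>&1
}
issue_cert alice alice@example.test
issue_cert bob   bob@example.test

# Alice signs a message; her certificate is embedded in the PKCS#7 blob.
printf 'Subject: test\n\nhello\n' > msg.txt
openssl smime -sign -in msg.txt -signer alice.pem -inkey alice.key -out signed.msg

# verify ARGS...: exit 0 iff `openssl smime -verify` accepts signed.msg
# against the test CA with the extra arguments given.
verify() {
    openssl smime -verify -in signed.msg -CAfile ca.pem -out /dev/null "$@" 2>/dev/null
}

# sha256_fp FILE: SHA-256 fingerprint of the certificate in FILE.
sha256_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# 1. On verify, -signer names an OUTPUT file. Passing Bob's file there does
#    not make Bob the signer: the file is overwritten with the embedded
#    (Alice) certificate, which is why the OP always saw success.
cp bob.pem signer_out.pem
verify -signer signer_out.pem
echo "verify with -signer signer_out.pem: OK"
[ "$(sha256_fp signer_out.pem)" = "$(sha256_fp alice.pem)" ] \
    || { echo "unexpected: -signer file does not hold Alice's cert"; exit 1; }
echo "signer_out.pem now holds Alice's certificate, not Bob's"

# 2. -nointern ignores the embedded certificate, so the one given with
#    -certfile must actually match the signature.
verify -nointern -certfile alice.pem
echo "-nointern -certfile alice.pem: OK"
if verify -nointern -certfile bob.pem; then
    echo "unexpected: Bob's certificate accepted"; exit 1
else
    echo "-nointern -certfile bob.pem: rejected (signer certificate not found)"
fi
```

Run it as `sh example.sh`; every step works in a temporary directory that is removed on exit. The check that matters for the original question is the fingerprint comparison: whatever file is passed to -signer during verification is replaced by the certificate found inside the message, so it never influences which key the signature is checked against.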
