Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Blumenthal, Uri - 0553 - MITLL
The "numeric code" is the *exit* status of the program. You can find it in "$?" directly after the execution of the command (in any POSIX shell).
Got it, thanks! Luckily for me, it’s zero. ;-)
> Is there an equivalent, either in openssl tool itself, or in the email clients

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Viktor Dukhovni
> On Apr 6, 2017, at 5:16 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
>> $ openssl cms -verify -verify_retcode -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -signer $author -in ~/Documents/test-smime-decr.txt
>
> I saw no numeric code – but no error either. The

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Blumenthal, Uri - 0553 - MITLL
> On Apr 6, 2017, at 5:00 PM, Blumenthal, Uri - 0553 - MITLL wrote:
Two problems here, the "Verification successful" message is just a diagnostic message to "stderr" and should not be considered a reliable indication of signature validity. You really should

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Viktor Dukhovni
> On Apr 6, 2017, at 5:00 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> But with your help, and providing the top root in the “-CAfile …” argument, I got it!!
>
> $ openssl cms -verify -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -in

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Blumenthal, Uri - 0553 - MITLL
You really should peruse the cms(1) manpage, daunting as that might be. :-)
Alas, it is! ;-)
> And if I (failing to validate the certificate chain) want to just check whether the decrypted message was tampered with – is there a way to do that (without validating the

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Viktor Dukhovni
> On Apr 6, 2017, at 3:54 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> Content-Type: multipart/signed;
> ...
> Hoping that it includes the signing certificate of the signer, I tried to verify its signature by:
>
> $ openssl cms -verify -inform SMIME -in

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Blumenthal, Uri - 0553 - MITLL
If the message is signed and then encrypted, you can then check the signature on the decrypted output.
This is what the decrypted message looks like (its first few lines):
$ head ~/Documents/test-smime-decr.txt
Content-Type: multipart/signed;

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Blumenthal, Uri - 0553 - MITLL
I have no experience with engines and little interest at present in going there. (
For CMS decryption without engines:
$ openssl cms -decrypt -recip cert.pem -inkey key.pem -in cms.eml
Thank you!! Decryption succeeded (using the signing key – which the sender

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Viktor Dukhovni
> On Apr 6, 2017, at 2:47 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> Would you be able to provide me with a command line that would allow me to *decrypt* the message? My keys are on a hardware token, so I’ll have to use "-engine pkcs11 -keyform ENGINE"
I have no

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Blumenthal, Uri - 0553 - MITLL
For S/MIME input:
$ openssl cms -in cms.eml -cmsout -print
For DER input:
$ openssl cms -inform DER -in cms.der -cmsout -print
Thank you!!! The above gave me:
CMS_ContentInfo:
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  . . . . .

Re: [openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Viktor Dukhovni
> On Apr 6, 2017, at 1:25 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> I’m trying to debug the case of a (bad) email client sending encrypted S/MIME email that the recipient cannot decrypt (we suspect the problem is that the sender chooses a wrong public

[openssl-users] How to "unwrap" S/MIME messages using openssl?

2017-04-06 Thread Blumenthal, Uri - 0553 - MITLL
I’m trying to debug the case of a (bad) email client sending encrypted S/MIME email that the recipient cannot decrypt (we suspect the problem is that the sender chooses a wrong public key/certificate to encrypt to). Unfortunately, recipient email clients do not help figuring this out. All