10

I am Alice and I've received a signed email from Bob.

I use a web e-mail client (e.g. GMail) and I see that one of the attachments is smime.p7s.

I've found the option "show original message" and saved the contents into message.orig.

Assuming Bob signed the email, how can I verify it from the command line?

(Let's assume Bob uses a certified key signed by one of the respected authorities - I do not know which, but I suppose so.)

(Alice doesn't want to install an email client with the appropriate feature just for one message.)

Grzegorz Wierzowiecki

1 Answer

9
```
openssl smime -verify -in message.orig
```

Add a -CAfile or -CApath option to specify a different list of trusted certificates from the system's default.

You may obtain information from the certificate that was used to sign the email with:

```
openssl smime -noverify -in message.orig -pk7out |
  openssl pkcs7 -print_certs -text -noout
```

Or from the smime.p7s if you've already extracted it:

```
openssl pkcs7 -in smime.p7s -text -inform DER -print_certs -noout
```

Stéphane Chazelas
  • ok, I've just updated my `ca-certificates` (Arch `pacman -S ca-certificates`) but I get error: `Verification failure 140717529130664:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:1048: 140717529130664:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:410:` Do you have any clue what it means? Maybe "open original message" and then saving the source made some transformations to the message source? – Grzegorz Wierzowiecki Oct 18 '12 at 20:36
  • Does `openssl pkcs7 -in smime.p7s -text -inform DER -print_certs -noout` work (to tell you info about the certificate in the pk7 file)? – Stéphane Chazelas Oct 18 '12 at 20:51
  • Yes. (btw. That's very useful command, please add it to your answer, I believe other users will benefit as well.) – Grzegorz Wierzowiecki Oct 18 '12 at 20:58
  • New command does not help too: http://pastebin.com/xNMG2gwQ – Grzegorz Wierzowiecki Oct 18 '12 at 21:45
  • I've just tried "show original" in gmail, then used "save page as" in firefox and the command worked fine. I also noticed that gmail showed a "signed-by" header when expanding them. – Stéphane Chazelas Oct 18 '12 at 21:54
  • Extracting from p7s works, while in case of extracting from previous I encounter errors: http://pastebin.com/Huvma4sX – Grzegorz Wierzowiecki Oct 18 '12 at 23:09
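
The thread leaves open whether a failed `openssl smime -verify` comes from an untrusted signer or from saved bytes that no longer match what was signed. The script below is an added example, not code from either participant: it builds a constructed test CA, a certificate for "Bob" and a clear-signed message.orig, then uses `-CAfile` and `-noverify` to tell the two cases apart. The function names (`make_ca`, `make_fixture`, `diagnose`, `signer_subject`) and all file names other than message.orig are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. The CA, Bob's certificate and the message are constructed test data.

# make_ca DIR NAME: throwaway self-signed CA (NAME.key / NAME.pem)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_fixture DIR: CA "ca", Bob's certificate, and a clear-signed message.orig
make_fixture() {
    make_ca "$1" ca &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Bob" \
        -keyout "$1/bob.key" -out "$1/bob.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/bob.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/bob.pem" 2>/dev/null &&
    printf 'Hello Alice,\nthis is Bob.\n' > "$1/body.txt" &&
    openssl smime -sign -text -in "$1/body.txt" -signer "$1/bob.pem" \
        -inkey "$1/bob.key" -out "$1/message.orig" 2>/dev/null &&
    # Simulate a saved copy whose body was changed after signing
    sed 's/this is Bob/this is not Bob/' "$1/message.orig" > "$1/altered.orig"
}

# diagnose FILE CAFILE: separate trust-chain problems from content problems
diagnose() {
    if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null; then
        echo ok
    elif openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null; then
        echo untrusted-signer    # signature matches the content; chain not trusted
    else
        echo content-mismatch    # digest/signature failure: the saved bytes differ
    fi
}

# signer_subject FILE: subject line(s) of the certificate(s) carried in the signature
signer_subject() {
    openssl smime -noverify -in "$1" -pk7out 2>/dev/null |
        openssl pkcs7 -print_certs -noout | grep '^subject'
}

tmp=$(mktemp -d) && make_fixture "$tmp" && make_ca "$tmp" other
echo "trusted CA:   $(diagnose "$tmp/message.orig" "$tmp/ca.pem")"
echo "other CA:     $(diagnose "$tmp/message.orig" "$tmp/other.pem")"
echo "altered copy: $(diagnose "$tmp/altered.orig" "$tmp/ca.pem")"
signer_subject "$tmp/message.orig"
rm -rf "$tmp"
```

A result of `untrusted-signer` points at the `-CAfile`/`-CApath` trust list, while `content-mismatch` points at the saved file itself.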