Kate Wang wrote:
> 
> Hi, all,
> 
> It seems to me that for SMIME signature verification, ALL CA certificates
> (including root and intermediate CAs) have to be included in the CA file
> specified in -CAfile option. I don't really understand why this should be
> enforced. In earlier versions of OpenSSL there is an option -NOCHAIN for
> verification, but it seems to me that it has been removed in OpenSSL 0.9.6a.
> Does anybody know the reason?
> 

Only the root CA and any intermediate CAs missing in the message need to
be included.

> If the intermediate CA certificates are included in the signature, why do I
> have to put intermediate CA certs in the CA files again? Do I have a
> workaround for this?
> 
> During the signature verification process, I also want to check the signer
> cert included in the signature matches a cert installed in my system. Does
> anyone know what is the best way to do this? Is specifying -nointern and
> -certfile like the following the proper way to do this?
> 
> openssl smime -verify -nointern -certfile usercert.pem -CAfile cafile.pem -in signature
> 

That should be OK. If you include -noverify as well you don't actually
need the CA certificate in this case because the -certfile certificates
are trusted. 

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
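
The pinned-signer check discussed in this thread, as an added example that is not part of the original messages: it compares `-nointern -certfile` plus `-noverify` against `-noverify` alone. The signer names, file names under the temporary directory and the helper functions are assumptions made for the demo; all keys and messages are constructed on the fly.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and message below is generated here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_signer NAME: throwaway self-signed certificate and key for a signer.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# sign_as NAME: S/MIME-sign msg.txt; the signer certificate is embedded.
sign_as() {
    openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/$1.pem" \
        -inkey "$WORK/$1.key" -out "$WORK/$1.signed" 2>/dev/null
}

# verify_pinned SIGNED CERT: succeed only if SIGNED verifies against CERT.
# -nointern ignores certificates carried in the message; -noverify skips
# chain building, so trust rests entirely on the -certfile certificate.
verify_pinned() {
    openssl smime -verify -nointern -noverify -certfile "$2" \
        -in "$1" -out /dev/null 2>/dev/null
}

# verify_embedded SIGNED: -noverify WITHOUT -nointern. The signer certificate
# is taken from the message itself, so any self-consistent signature passes.
verify_embedded() {
    openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null
}

report() {  # report LABEL COMMAND...: print whether the check accepted
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

printf 'constructed test message\n' > "$WORK/msg.txt"
make_signer usercert; make_signer other
sign_as usercert; sign_as other

report "usercert-signed, usercert.pem pinned" verify_pinned "$WORK/usercert.signed" "$WORK/usercert.pem"
report "other-signed, usercert.pem pinned" verify_pinned "$WORK/other.signed" "$WORK/usercert.pem"
report "other-signed, no pinning" verify_embedded "$WORK/other.signed"
```

Only the combination with `-nointern` ties acceptance to the installed certificate; `-noverify` on its own accepts whatever certificate the message carries.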
