On 2009.05.15 at 21:16:12 +0200, Lasse Kliemann wrote:
> Ok. There is another thing that I do not understand. The output
> of 'openssl smime -verify ...' is rather sparse in case that
> verification is successful. How can I know which certificate was
> responsible? I cannot see why verification would make sense at
> all without knowing the DN of the signer (which is the subject
> DN of the correct certificate).
Use the -signer option of smime -verify. It writes the signer's certificate out to a file, and you can then examine it using openssl x509.

Really, I think that such behaviour of the openssl smime command is a misfeature. But the openssl utility is just a demo of the OpenSSL library API. It demonstrates that the signer certificate CAN be extracted (or, if it isn't present inside, can be found using the information contained in the signer info).

The OpenSSL PKCS7 API does allow you to extract signer information (see the PKCS7_get_signer_info function). And there are API functions to extract every bit of information you want from the PKCS7_SIGNER_INFO structure. So, if you don't mind a little C programming, you can write a verification program which would print out everything you want in 300 or so lines.

Unfortunately, it involves some work with the quite poorly documented X509_STORE object: the store of trusted CA certificates which are used to build a chain of trust from the signer certificate to some previously trusted CA certificate. But the code which does this work can be just cut'n'pasted from the openssl utility code.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
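The command-line route the reply recommends, as an added example that is not part of the thread: build a throwaway test CA and signer (constructed data, not anyone's real identity), sign a message, verify it against that CA only, write the verifying certificate out with -signer, and read the subject DN back with openssl x509. It also covers the case the reply mentions where the certificate is not embedded in the PKCS#7 blob (signed with -nocerts): then -verify has to be handed the certificate out of band via -certfile, and the issuer/serial in the SignerInfo is what selects it. -nocerts and -certfile are real openssl smime options not named in the post; the file names, DNs and the work directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Demonstrates
# `openssl smime -verify -signer FILE` and reading the signer DN from FILE.
# All key material is a throwaway CA and signer generated below (assumption:
# the DNs and file names are made up for this example).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and one signer cert issued by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Alice Example/emailAddress=alice@example.invalid" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/signer.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/signer.pem" 2>/dev/null
}

# Sign a constructed message. $1 holds extra smime -sign arguments; with
# -nocerts the signer certificate is NOT embedded in the output, so the
# verifier must find it from the SignerInfo issuer/serial (via -certfile).
sign_message() {
    printf 'Hello, this is a constructed test message.\n' > "$WORK/msg.txt"
    openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/signer.pem" \
        -inkey "$WORK/signer.key" -out "$WORK/msg.p7m" $1
}

# Verify against the test CA only, dumping the certificate that actually
# verified with -signer, then print its subject DN. Extra arguments (for
# example -certfile) are passed through to smime -verify. Non-zero exit
# means verification failed.
verify_and_show_signer() {
    openssl smime -verify -in "$WORK/msg.p7m" -CAfile "$WORK/ca.pem" \
        -signer "$WORK/recovered.pem" -out "$WORK/verified.txt" "$@" 2>/dev/null
    openssl x509 -in "$WORK/recovered.pem" -noout -subject
}

# Returns 0 when the recovered certificate is the one we issued, i.e. the
# DN printed above really is the DN of the verified signer.
recovered_matches_signer() {
    a=$(openssl x509 -in "$WORK/recovered.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/signer.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

make_test_pki

# Case 1: certificate embedded in the PKCS#7 structure (the default).
sign_message ""
verify_and_show_signer
recovered_matches_signer

# Case 2: certificate omitted (-nocerts); supply it with -certfile and
# -verify still writes out the one that matched the SignerInfo.
sign_message "-nocerts"
verify_and_show_signer -certfile "$WORK/signer.pem"
recovered_matches_signer
```

The point of the fingerprint comparison is the check the original question asks for: the DN you print is only meaningful if it comes from the certificate that the chain to -CAfile was actually built from, which is exactly what -signer hands you.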