On Fri, Dec 27, 2002, Tim Tassonis wrote: > Hi all > > I think I've encountered a bug in openssl smime. > > I try to verify a mail signed with outlook using the option not to include > the certificate in the signature. > > >From what I can figure out, this should be possible with openssl using the > options: > > openssl smime -verify -signer tim.crt -in message.txt -nointern -CAfile > cas.crt > > or > > openssl smime -verify -noverify -signer tim.crt -in message.txt -nointern > > However, I always get the error: > > 2278:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate > not found:pk7_smime.c:317: > > It seems openssl always tries to retrieve the signers certificate, > althought I explicitely override this with -nointern. > > Is this a known bug and/or even already fixed in the openssl 0.9.7 betas? > >
As mentioned in the manual page the -signer when used with -verify is the file to write the signers certificate to. One ore more possible candidate signer certificates should be presented to the -certfile option. So if you do: openssl smime -verify -certfile tim.crt -in message.txt -CAfile cas.crt it should be OK. You don't need -nointern that just means that it always ignores certificates in the message, without -nointern it wil still look in those mentioned in -certfile if the signer's certificate can't be found in the message itself. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
