On Mon, Feb 22, 2010, Andre Dieball wrote:

> Hi there
>
> I have some trouble using ssl in Apple's Mail.
> I have two certificates, one for private (j...@me.com) and one for business
> (j...@acme.com).
> Both are valid certificates from Verisign.
>
> With both certificates I can sign and encrypt (ok, encrypt not really depends
> on my cert), but I can decrypt only with the company cert.
> For whatever reason Mail always reports that it cannot decrypt the email for
> my private account.
>
> So I exported the email as a plain file (.eml extension). I also exported the
> corresponding certificate plus the key as .cert files and converted them
> using openssl (e.g. openssl x509 -inform der -in key2.cer -out key2.pem).
>
> If I now use openssl to decrypt, I get the following message:
>
> ---cut---
> Dilbert:test user$ openssl smime -decrypt -recip cert.pem -inkey key2.pem -in
> smime.p7m
> Enter pass phrase for key2.pem:
> Error reading S/MIME message
> 3040:error:2107A087:PKCS7 routines:SMIME_read_PKCS7:no content
> type:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/pkcs7/pk7_mime.c:296:

Well you'd need the -inform DER option for that.

> Dilbert:test adieball$ openssl smime -decrypt -recip cert.pem -inkey key2.pem
> -in testmail.eml
> Enter pass phrase for key2.pem:
> Error decrypting PKCS#7 structure
> 3111:error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches
> certificate:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/pkcs7/pk7_doit.c:450:
> 3111:error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt
> error:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/pkcs7/pk7_smime.c:470:
> Dilbert:test user$
> ---cut---
>
> I double-checked the mail for recipient Name and email and both are correct
> (case sensitivity checked).
>

That error is telling you the issuer name and serial number of the recipient
in the message doesn't match the certificate you have supplied.

With that version of OpenSSL you can't really see what issuer name and serial
number is expected. If you can compile up OpenSSL 1.0.0 and later the command
line:

    openssl cms -cmsout -in email.eml -print

Will tell you.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
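
The issuer/serial comparison described in the reply above, as an added example that is not part of the original thread: it encrypts a message to one of two certificates and checks each certificate's serial against the message's recipientInfos before attempting to decrypt. The names "private" and "business", the subjects, the serials 4097 and 8193 and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Certificates, serials and file names are constructed.

make_cert() {           # $1 = name, $2 = serial; writes $1.key and $1.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial "$2" \
        -subj "/CN=$1 demo" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

cert_id() {             # issuer name and serial (hex) of certificate $1
    openssl x509 -in "$1" -noout -issuer -serial
}

cert_serial_dec() {     # serial of certificate $1 in decimal (small serials only)
    printf '%d\n' "0x$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)"
}

msg_serials() {         # serialNumber of every RecipientInfo in S/MIME message $1
    openssl cms -cmsout -in "$1" -print -noout |
        awk '$1 == "serialNumber:" { print $2 }'
}

matches_recipient() {   # $1 = message, $2 = certificate; true if the serial is listed
    msg_serials "$1" | grep -qx "$(cert_serial_dec "$2")"
}

try_decrypt() {         # $1 = message, $2 = name; fails if $2 is not a recipient
    openssl cms -decrypt -in "$1" -recip "$2.pem" -inkey "$2.key" 2>/dev/null
}

demo() {                # note: leaves the shell inside a fresh temp directory
    cd "$(mktemp -d)" || return 1
    make_cert private 4097 && make_cert business 8193 || return 1
    echo "constructed test body" > body.txt
    # Encrypt to the business certificate only.
    openssl cms -encrypt -binary -aes256 -in body.txt -out mail.eml business.pem || return 1
    echo "message expects serial(s): $(msg_serials mail.eml)"
    for name in private business; do
        cert_id "$name.pem"
        if matches_recipient mail.eml "$name.pem"; then
            echo "$name: listed in recipientInfos"
        else
            echo "$name: not listed, decrypt gives 'no recipient matches'"
        fi
    done
}
demo
```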