[openssl.org #1167] allow to use -nocerts in "smime -decrypt" or look for private key anyway if no matching cert found

Rich Salz via RT

Some knowledgeable hints for implementing this I just got:

> > > There isn't a command line option to do this, it would require
> > > some modification of the OpenSSL S/MIME code.
> > >
> > > Typically an S/MIME message will have several
> > > RecipientInfo structures even if there is only one recipient (many
> > > S/MIME clients make sure the sender is also included in
> > > RecipientInfo) and the order is arbitrary. This
> > > makes it a hit and miss process.
...

> Well this is strictly a "hack" solution...
>
> In crypto/pkcs7/pk7_smime.c you need to disable the
> X509_check_private_key()
> call in PKCS7_decrypt() by commenting it out.
>
> Then in pk7_doit.c in the function PKCS7_dataDecode there is a section
> where it matches a certificate to a RecipientInfo. You need to either
> set that to use a specific RecipientInfo or have it loop round
> checking if EVP_PKEY_decrypt() works (as happens lower down).
>
> You may also have to modify the 'smime' utility to no longer expect a
> certificate.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
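
The behaviour requested in this ticket, as an added example that is not part of the original message or the OpenSSL sources: a message encrypted to two recipients is decrypted with only a private key, with no `-recip` certificate. It assumes an `openssl` build in which `smime -decrypt` accepts `-inkey` on its own; the recipient names, file names and message text are constructed.

```shell
#!/bin/sh
# Added example: key-only S/MIME decryption with several RecipientInfo entries.
# Names (alice, bob, mallory) and the message are constructed test data.
set -u

# Create a throwaway RSA key and self-signed certificate: $1.key / $1.crt
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Decrypt message $1 using only private key $2 (no -recip certificate),
# writing the recovered plaintext to stdout.
decrypt_key_only() {
    openssl smime -decrypt -binary -in "$1" -inkey "$2" 2>/dev/null
}

# Returns 0 if both real recipients recover the plaintext with only their
# key, and an unrelated key does not recover it.
keyonly_demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp" || exit 1
    for n in alice bob mallory; do make_recipient "$n" || exit 1; done
    printf 'constructed test message\n' > msg.txt

    # One RecipientInfo is produced per certificate listed here.
    openssl smime -encrypt -binary -aes256 -in msg.txt -out msg.p7m \
        alice.crt bob.crt || exit 1

    for n in alice bob; do
        [ "$(decrypt_key_only msg.p7m "$n.key")" = "$(cat msg.txt)" ] || exit 1
    done
    # A key with no matching RecipientInfo must not yield the plaintext.
    # Compare output rather than exit status: the tool may emit garbage.
    [ "$(decrypt_key_only msg.p7m mallory.key)" != "$(cat msg.txt)" ] || exit 1
)

keyonly_demo && echo "key-only decryption recovered the message for both recipients"
```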