How to validate s/mime signature using OpenSSL. Through command line we can verify with:
openssl smime -verify -in detachedsign.pem -content content.txt
What is the equivalent method for openssl smime -verify command on Mac OSX?
what is the equalant method for openssl smime -verify command in mac osx apps
There is none out of the box. Mac OS X provides OpenSSL 0.9.8y. openssl smime was added at OpenSSL 1.0.0. See smime(1) for details.
0.9.8 is also missing cms. And I don't believe you can use pkcs7 - the sub commands look anemic.
You can use OpenSSL if you build and install OpenSSL on OS X. If you build it, configure with Configure darwin64-x86_64-cc. Once installed, the newer OpenSSL will be located at /usr/local/ssl/bin by default.
Out of the box, for verifiying s/mime signatures on OSX, you have
security cms -D -i smime-message-in-der-format.der
I think you need the message to be in DER instead of PEM format. I don't know about -content, could that be the equivalent of -envelope?
Related
I am trying to generate a Ed25519 key/pair using
openssl genpkey -algorithm Ed25519 -out ed25519key.pem
However, on my MacOS I get this:
Algorithm Ed25519 not found
I am running OpenSSL / LibreSSL 3.2.5 but I have no idea why this algorithm wouldn't be available.
Is there something I'm missing / need to install?
It seems that the default OpenSSL (LibreSSL) that comes with MacOS (even in MacOS 11.2.3) simply doesn't have the algorithm.
I installed OpenSSL 1.1.1k via brew separately (in /usr/local/opt/openssl#1.1 ) and using that binary the command works.
OS: macOS Big Sur
Applications: wget/openssl1.1 both via brew
I want to download some files from a webserver with wget via https, but I get the error message: Unable to locally verify the issuer's authority. However, I can connect to this server with curl which comes with macOS. Of course I could use --no-check-certificate, but I'd like to understand the background and do it the proper way.
As I understand it curl uses macOS' libressl and wget uses openssl as backend. For wget I've tried to export all system root certificates as a pem file from keychain and passed this pem file via --ca-certificate to wget. Still the same error.
Why can curl verify the certificate without doing anything while wget can not?
╰─$ brew info openssl
openssl#1.1: stable 1.1.1i (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
https://openssl.org/
/usr/local/Cellar/openssl#1.1/1.1.1i (8,067 files, 18.5MB)
Poured from bottle on 2021-01-28 at 07:11:37
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/openssl#1.1.rb
License: OpenSSL
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
/usr/local/etc/openssl#1.1/certs
and run
/usr/local/opt/openssl#1.1/bin/c_rehash
openssl#1.1 is keg-only, which means it was not symlinked into /usr/local,
because macOS provides LibreSSL.
Edit: This is what I've tried so far:
download via system curl -> no problem
installed (and reinstalled) curl and wget via brew (openssl as dependency) -> both can not verify the certificate, although it is a normal root CA certificate and OpenSSL via brew claims to export all these certificates to its own storage.
system curl with verbose option says it uses /etc/ssl/cert.pem for lookup, so I've tried to pass this file via --cacert resp. --ca-certificate to curl/wget -> same error.
I also tried to export the root CA explicitly in pem format and pass it on, still not working
Download the site's certificate manually via openssl: openssl s_client -showcerts -servername domain -connect domain, save the certificate as .pem and use it with wget -> works
I also checked that the certificate key for the root ca 'Digicert Global Root CA' is present in both /etc/ssl/cert.pem as well as in openssl's /usr/local/etc/openssl#1.1/cert.pem
I still don't understand why it won't work when OpenSSL via brew is supposed to export all the Root CAs to its own storage during install.
There is not enough information in your post to nail down the exact issue, but here are some suggestions that may help you forward:
Download the server's certificate bundle and locally analyse its verification using the openssl verify command.
Leverage the openssl s_client command to set up a TLS connection to the server directly and inspect the logged information, or dig deeper using its debug option(s). It has an undocumented debug option -security_debug_verbose that may help. If your OpenSSL is built with the the enable-ssl-trace option (which is not the case for the brew formula), you could use the -trace option for more output.
Run curl with -v or some --trace flags to get more insight in its verification behavior.
You could do all of this with both the OpenSSL and LibreSSL versions of openssl and curl and observe the differences. The openssl version of curl can be installed with brew.
You could also use another (non-OpenSSL) client to set up a connection and see if it fails with more information. For example gnutls-cli, which you can install via brew install gnutls, provides quite a bit of debug information.
I am using macOS version 10.13.5 and whenever I open a new shell I get this error printed to shell:
bad decrypt
140735978677192:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/evp/evp_enc.c:529:
Openssl version is : LibreSSL 2.2.7
Here is the related command that cause problem :
openssl aes-128-cbc -a -d -salt -in ~/.foo/bar/credentials -k $cred_enc_key
Maybe this code helps : libressl-portable related source code
Also this post on Stackoverflow : two different openssl versions
How can we generate a Curve25519 key pair from the command line?
We have a MacBook Air with Homebrew installed.
Should we use OpenSSL or another command line tool?
How do we use that tool to generate a Curve25519 key pair?
You can use the following command for generating the key pair:
openssl genpkey -algorithm x25519 -out x25519-priv.pem
And for extracting public key:
openssl pkey -in x25519-priv.pem -pubout -out x25519-pub.pem
openssl in MacOS is apples own openssl that does not support Curve25519
you need to install it with brew
brew install openssl
and then link using PATH or using brew link --force openssl(not recommended) for example if you are using zsh
echo 'export PATH="/usr/local/opt/openssl#1.1/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
to check. if it worked just use the which command
which openssl
now if you see output like this you are good to go
/usr/local/opt/openssl#1.1/bin/openssl
now you can generate Curve25519 keys with using openssl
openssl genpkey -algorithm x25519 -out x25519-priv.pem
I need to revoke x509 client certificates in Ruby. I can do so via the openssl command:
openssl ca -revoke certificate.pem
but there does not appear to be an API to do this, at least not in Ruby's OpenSSL module.
Is there an API in OpenSSL or another tool (that runs on Linux) that can do this?
See this question.
%x( openssl ca -revoke certificate.pem )