3

I would like to verify the sender and 'addressee' certificate information of an encrypted/signed file. So far, I came up with the following set of arguments to openssl:

openssl cms -inform DER -cmsout -print -recip my.crt -in cms_file

This returns the following information:

CMS_ContentInfo: 
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  d.envelopedData: 
    version: 2
    originatorInfo:
...
            issuer: O=TheirCompany, CN=TheirCA
...
            subject: O=TheirCompany, CN=TheirEndpoint
...
    recipientInfos:
...
          issuer: O=TheirCompany, CN=TheirCA
...

So I've got most of the information I'm looking for, except the subject of the recipient. How do I extract this information?

Willem

1 Answer

0

I'm not sure you can do this, since the recipientInfos structure is not defined, e.g. per RFC 5652, to contain a certificate. Keys, yes...but not certificates.

RFC 5652, Section 6.1 "EnvelopedData Type" specifies the structure of OriginatorInfo, which may contain a set of certificates. Section 6.2 "RecipientInfo Type" and subsections describe the structure of the possible RecipientInfo types; none of those types' structures contain certificates. Thus it may not be possible, given the current structures, to achieve what you are looking for.

Castaglia
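Added example, not part of the original answer or of OpenSSL: because a RecipientInfo carries only an identifier (issuer plus serial number in the output above), the recipient's subject has to be looked up in certificates you already hold. The sketch parses text shaped like the `-print` output in the question and resolves each identifier against a local inventory; the `serialNumber` lines, the serial values, the inventory and the `OurCompany` subject are constructed assumptions.

```python
# Constructed sample shaped like the `openssl cms -cmsout -print` output in the
# question; the serialNumber lines and their values are assumptions.
SAMPLE_PRINT = """\
CMS_ContentInfo:
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  d.envelopedData:
    originatorInfo:
            issuer: O=TheirCompany, CN=TheirCA
            serialNumber: 4097
            subject: O=TheirCompany, CN=TheirEndpoint
    recipientInfos:
          issuer: O=TheirCompany, CN=TheirCA
          serialNumber: 0x1002
    encryptedContentInfo:
"""

# Hypothetical local inventory: (issuer, serial) -> subject, e.g. collected with
# `openssl x509 -noout -issuer -serial -subject -in <cert>` per certificate held.
KNOWN_CERTS = {
    ("O=TheirCompany, CN=TheirCA", 0x1001): "O=TheirCompany, CN=TheirEndpoint",
    ("O=TheirCompany, CN=TheirCA", 0x1002): "O=OurCompany, CN=OurEndpoint",
}

def recipient_ids(print_output):
    """Return [(issuer, serial)] found under recipientInfos only."""
    ids, issuer, in_recips, base = [], None, False, 0
    for line in print_output.splitlines():
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if text.startswith("recipientInfos:"):
            in_recips, base = True, indent
            continue
        if in_recips and text and indent <= base:
            in_recips = False  # a sibling field ends the recipientInfos block
        if not in_recips:
            continue
        if text.startswith("issuer:"):
            issuer = text.split(":", 1)[1].strip()
        elif text.startswith("serialNumber:") and issuer is not None:
            # base 0 accepts both decimal and 0x-prefixed hex serials
            ids.append((issuer, int(text.split(":", 1)[1].strip(), 0)))
            issuer = None
    return ids

def resolve_subjects(print_output, known=KNOWN_CERTS):
    """Map each recipient identifier to a subject, or None if not held locally."""
    return [(rid, known.get(rid)) for rid in recipient_ids(print_output)]
```

A `None` subject means the message names a recipient certificate that is not in the inventory, which is itself worth flagging when verifying the intended addressee.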