I would like to verify the sender and 'addressee' certificate information of an encrypted/signed file. So far, I came up with the following set of arguments to openssl:
openssl cms -inform DER -cmsout -print -recip my.crt -in cms_file
This returns the following information:
CMS_ContentInfo:
contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
d.envelopedData:
version: 2
originatorInfo:
...
issuer: O=TheirCompany, CN=TheirCA
...
subject: O=TheirCompany, CN=TheirEndpoint
...
recipientInfos:
...
issuer: O=TheirCompany, CN=TheirCA
...
So I've got most of the information I'm looking for, except the subject of the recipient. How do I extract this information?
I'm not sure you can do this, since the recipientInfos structure is not defined, e.g. per RFC 5652, to contain a certificate. Keys, yes... but not certificates.

RFC 5652, Section 6.1 "EnvelopedData Type" specifies the structure of OriginatorInfo, which may contain a set of certificates. Section 6.2 "RecipientInfo Type" and subsections describe the structure of the possible RecipientInfo types; none of those types' structures contain certificates. Thus it may not be possible, given the current structures, to achieve what you are looking for.
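
An added example, not part of the original question or answer: in RFC 5652 a key-transport recipient is identified by issuer plus serial number (or by a subject key identifier), so the subject can only be recovered by matching that identifier against certificates you already hold. The sample text below is constructed and simplified; the `d.ktri`, `d.issuerAndSerialNumber` and `serialNumber` labels, the serial values, and the `KNOWN_CERTS` inventory are assumptions.

```python
# Constructed, simplified sample shaped like `openssl cms -cmsout -print`
# output; it is not taken from the original post.
SAMPLE = """\
CMS_ContentInfo:
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  d.envelopedData:
    version: 2
    originatorInfo:
      certificates:
        issuer: O=TheirCompany, CN=TheirCA
        serialNumber: 7
        subject: O=TheirCompany, CN=TheirEndpoint
    recipientInfos:
      d.ktri:
        version: 0
        d.issuerAndSerialNumber:
          issuer: O=TheirCompany, CN=TheirCA
          serialNumber: 0x1A2B
    encryptedContentInfo:
      contentType: pkcs7-data (1.2.840.113549.1.7.1)
"""

# Hypothetical local inventory: (issuer, serial) -> subject, e.g. collected with
# `openssl x509 -noout -issuer -serial -subject` over the certificates you hold.
KNOWN_CERTS = {("O=TheirCompany, CN=TheirCA", 0x1A2B): "O=MyCompany, CN=MyEndpoint"}

def recipient_ids(printed):
    """Return (issuer, serial) pairs found under recipientInfos only."""
    ids, depth, issuer = [], None, None
    for line in printed.splitlines():
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if depth is not None and line.strip() and indent <= depth:
            depth = None  # left the recipientInfos block
        if key == "recipientInfos":
            depth = indent
        elif depth is not None and key == "issuer":
            issuer = value.strip()
        elif depth is not None and key == "serialNumber" and issuer:
            ids.append((issuer, int(value.strip(), 0)))  # decimal or 0x-hex
            issuer = None
    return ids

def recipient_subjects(printed, known=KNOWN_CERTS):
    """Map each recipient identifier to a subject, or None if no held cert matches."""
    return [(i, s, known.get((i, s))) for i, s in recipient_ids(printed)]
```

A `None` subject means the message is addressed to a certificate that is not in the inventory; the issuer lines under originatorInfo are deliberately ignored because they describe the sender's certificates.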