Sign a file with SSL certificate for iOS "Shared Web Credentials" API


I got a web server certificate from Symantec, which is enabled for the Digital Signature X509v3 key usage, and that I'd like to use to sign the apple-app-site-association JSON file required by the Shared Web Credentials API.

When I sign a file using the following command:

$ openssl smime \
-sign \
-inkey my.key \
-signer certificate.pem \
-certfile SymantecSSG4.crt \
-noattr -nodetach \
-in content \
-outform DER -out result

…I get no error. But when I try to verify result it fails with an error:

$ openssl smime -verify -inform DER -in result
Verification failure
140735229006672:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:328:Verify error:unsupported certificate purpose

Any idea of what I'm missing?

jcayzac On BEST ANSWER

Section 4.4.4 Extended Key Usage Extension of RFC 5750 is clear that a certificate's Extended Key Usage extension must include the emailProtection OID in order for the public key in the certificate to be used to verify signed S/MIME messages.

If the extended key usage extension is present in the certificate, then interpersonal message S/MIME receiving agents MUST check that it contains either the emailProtection or the anyExtendedKeyUsage OID as defined in [KEYM].

This is why OpenSSL complains when trying to verify the signed S/MIME payload. For it to become really valid, I would need to request a new certificate with the emailProtection extended key usage.

In practice, though, I could verify that iOS 8.3 happily accepts such a signed file when used for Shared Web Credentials, which was my intended usage.
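The EKU check the answer describes can be reproduced locally. The script below is an added example, not code from the question or the answer: it uses a constructed throw-away CA, constructed file names, and a placeholder payload in place of the real apple-app-site-association file. It issues one test certificate whose Extended Key Usage is only serverAuth, like a plain web-server certificate, and one that also carries emailProtection, signs the same content with each using the flags from the question, and shows that default `openssl smime -verify` rejects the first with the purpose error and accepts the second. A final check with `-purpose any` shows that the signature and chain are sound and only the purpose test fails.

```shell
#!/bin/sh
# Added example, not code from the question or answer. It reproduces the
# "unsupported certificate purpose" failure with a throw-away CA and two
# test certificates issued by it: one whose EKU is only serverAuth (like a
# web-server certificate) and one that also carries emailProtection.
# Every key, name and file here is constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained OpenSSL config so the demo does not depend on a system
# openssl.cnf. ca_ext marks the throw-away root as a CA.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throw-away root used to issue the two test certificates.
openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue_leaf NAME EKU_LIST: create NAME.key / NAME.crt signed by the demo CA,
# with digitalSignature key usage and the given extendedKeyUsage list.
issue_leaf() {
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=example.test" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'keyUsage = digitalSignature\nextendedKeyUsage = %s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# show_eku NAME: print the certificate's Extended Key Usage, the field worth
# checking before a certificate is requested or deployed for S/MIME signing.
show_eku() {
  openssl x509 -in "$1.crt" -noout -text | grep -A1 'Extended Key Usage' || true
}

# sign_file NAME INPUT OUTPUT: the same flags as the question's signing command.
sign_file() {
  openssl smime -sign -inkey "$1.key" -signer "$1.crt" -noattr -nodetach \
    -in "$2" -outform DER -out "$3"
}

# verify_file SIGNATURE: default verification, which applies the smime_sign
# purpose check quoted in the answer. Returns 0 when OpenSSL accepts it.
verify_file() {
  openssl smime -verify -inform DER -in "$1" -CAfile ca.crt \
    -out /dev/null >/dev/null 2>&1
}

# verify_any_purpose SIGNATURE: same chain verification with the purpose check
# relaxed, for diagnosis only. Passing here while verify_file fails isolates
# the EKU as the cause; it does not make the certificate RFC 5750 compliant.
verify_any_purpose() {
  openssl smime -verify -inform DER -in "$1" -CAfile ca.crt -purpose any \
    -out /dev/null >/dev/null 2>&1
}

# report SIGNATURE: one-line summary of the default verification outcome.
report() {
  if verify_file "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

# Constructed stand-in for the apple-app-site-association payload.
printf '{"webcredentials":{"apps":["TEAMID.com.example.demo"]}}' > content

issue_leaf server_only "serverAuth"
issue_leaf with_email  "serverAuth, emailProtection"
show_eku server_only
show_eku with_email
sign_file server_only content server_only.p7s
sign_file with_email  content with_email.p7s
report server_only.p7s   # rejected: EKU present but lacks emailProtection
report with_email.p7s    # accepted
```

Run it as an ordinary shell script with OpenSSL 1.1.1 or later on the path; it writes only into a temporary directory that is removed on exit. The `-purpose any` path is there to confirm the diagnosis, not as a workaround: a verifier that relaxes the purpose check no longer enforces the requirement the answer quotes from RFC 5750, so the durable fix is a certificate whose Extended Key Usage includes emailProtection.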