Verifying S/MIME signed message with OpenSSL without checking the certificate's purpose

Question

The problem:

When I sign a message with a certificate which is used for a HTTPS webserver, OpenSSL does not want to verify it back.

Signing a message:

echo "TestMessage" | openssl smime \
    -sign \
    -inkey server-key.pem \
    -signer server-crt.pem \
    -certfile server-crt.pem \
    -noattr -nodetach \
    -outform DER \
    -out signedmessage.dat

Verifying the message:

openssl smime \
    -verify \
    -in signedmessage.dat \
    -inform DER \
    -signer server-crt.pem \
    -CAfile ca-crt.pem \
Verification failure
34379118248:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:342:Verify error:unsupported certificate purpose

Now, I know I should have signed my message using a certificate that allows that purpose.

But is there any way to bypass that check and verify the signature anyway?

Here's how the CA and certificate were created:

CA creation:

openssl req -x509 -new -newkey rsa:4096 -keyout ca-key.pem -out ca-crt.pem

Certificate creation:

openssl req -new -newkey rsa:4096 -keyout server-key.pem -out server-csr.pem -nodes
openssl ca -config openssl.cnf -extensions server -cert ca-crt.pem -keyfile ca-key.pem -in server-csr.pem -out server-crt.pem

Extension definition in openssl.cnf:

[ server ]
extendedKeyUsage       = serverAuth
keyUsage               = digitalSignature, keyEncipherment
...

Answer 1

Openssl smime, in verify mode, passes the -purpose option through to an invocation of openssl verify. In consequence, you should be able to add -purpose sslserver and have it validate. I tested this on version 1.0.2d and it worked well.