How to check if encrypted S/MIME message is also signed, without decrypting it

Alex · Nov 22, 2012 · Viewed 12.9k times

What is the easiest way (in terms of computing resources) to tell if an s/mime email message is signed with attached signature when this message is encrypted?

If a message is just signed, it's easy. It has something like:

for an attached signature

    Content-Type: application/x-pkcs7-mime; smime-type=signed-data;
        name="smime.p7m"

Or:

for a detached signature

    Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
        micalg=SHA1; boundary="----=_NextPart_000_00D2_01CD5850.61030BF0"

in its headers.

But when a message is encrypted, you can't tell if it's also signed because the Content-Type header is the same for both cases (just encrypted and encrypted/signed):

    Content-Type: application/x-pkcs7-mime;
        smime-type=enveloped-data;
        boundary="----=_NextPart_000_000D_01CDC82B.98454D80";
        name="smime.p7m"

Does it mean that I have to decrypt the message just to tell if it's also signed? For now, it seems I cannot even tell if my message is signed before I decrypt it (because the signature is within the encrypted data). Or, maybe, S/MIME encrypted and signed data still has some pattern which could let me distinguish between encrypted/signed and encrypted/unsigned data without decryption (which may even be possible if I don't have the certificate for decryption)?

Answer

james.garriss · Sep 12, 2013

S/MIME is flexible; you can sign and/or encrypt in any combination you want. Email clients, however, typically all behave the same way: Outlook 2010, Apple's Mail, and Thunderbird 17 all sign and then encrypt. The results for these 3 are nearly identical. They include these 3 headers in the message headers:

    Content-Type: application/pkcs7-mime; smime-type=enveloped-data;
        name="smime.p7m"
    Content-Disposition: attachment; filename="smime.p7m"
    Content-Transfer-Encoding: base64

They encrypt and base64-encode the entire body of the message.

To answer your questions:

What is the easiest way (in terms of computing resources) to tell if an s/mime email message is signed with attached signature when this message is encrypted?

The only way is to decrypt it.

Does it mean that I have to decrypt the message just to tell if it's also signed?

Yes.
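
Added example (not part of the original question or answer): a Python sketch that classifies a message from what is visible without a key. It goes one step beyond the headers shown on this page by also reading the outer CMS content-type OID (RFC 5652), which helps when the `smime-type` parameter is missing; the function names and the sample messages are constructed for illustration. For an encrypted message the outer type is always enveloped-data, so the inner signature stays unknown until decryption.

```python
import base64
from email import message_from_string

# DER value bytes of the CMS content-type OIDs (RFC 5652)
OID_SIGNED = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_ENVELOPED = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3

ENCRYPTED = "encrypted; inner signature unknown until decrypted"
SIGNED_ATTACHED = "signed (attached), not encrypted"
SIGNED_DETACHED = "signed (detached), not encrypted"
VERDICTS = {"enveloped-data": ENCRYPTED, "signed-data": SIGNED_ATTACHED}


def outer_cms_type(der: bytes) -> str:
    """Return the type named by the outer ContentInfo OID, or 'unknown'."""
    try:
        if der[0] != 0x30:                      # ContentInfo is a SEQUENCE
            return "unknown"
        # Skip the length: one byte, plus N more if it is long-form (0x80 | N)
        i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
        if der[i] != 0x06:                      # first element must be an OID
            return "unknown"
        oid = der[i + 2 : i + 2 + der[i + 1]]
    except IndexError:
        return "unknown"
    return {OID_SIGNED: "signed-data", OID_ENVELOPED: "enveloped-data"}.get(oid, "unknown")


def classify(raw: str) -> str:
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return SIGNED_DETACHED
    if ctype not in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return "not S/MIME"
    kind = outer_cms_type(msg.get_payload(decode=True) or b"")
    if kind == "unknown":                       # fall back to the header hint
        kind = str(msg.get_param("smime-type", "unknown")).lower()
    return VERDICTS.get(kind, "S/MIME, type unknown")


def sample(content_type: str, oid: bytes) -> str:
    # Constructed stub body: SEQUENCE { OID, [0] empty }, not a real CMS message
    body = base64.b64encode(b"\x30\x0d\x06\x09" + oid + b"\xa0\x00").decode()
    return f"Content-Type: {content_type}\nContent-Transfer-Encoding: base64\n\n{body}\n"


if __name__ == "__main__":
    hdr = 'application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'
    print(classify(sample(hdr, OID_ENVELOPED)))
```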