How to check if encrypted S/MIME message is also signed, without decrypting it

email encryption digital-signature smime
Alex picture Alex · Nov 22, 2012 · Viewed 12.9k times · Source

What is the easiest way (in terms of computing resources) to tell if an s/mime email message is signed with attached signature when this message is encrypted?

If a message is just signed, it's easy. It has somewhat like:

for attached signature

   Content-Type: application/x-pkcs7-mime; smime-type=signed-data;
    name="smime.p7m"

Or:

for detached signature

   Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
    micalg=SHA1; boundary="----=_NextPart_000_00D2_01CD5850.61030BF0"

in its headers.

But when a message is encrypted, you can't tell if it's also signed because the Content-Type header is the same for both cases (just encrypted and encrypted/signed):

  Content-Type: application/x-pkcs7-mime;
    smime-type=enveloped-data;
    boundary="----=_NextPart_000_000D_01CDC82B.98454D80";
    name="smime.p7m"

Does it mean that I have to decrypt the message just to tell if it's also signed? For now, it seems I cannot even tell if my message is signed before I decrypt it (because the signature is within the encrypted data). Or, maybe, S/MIME encrypted and signed data still has some pattern which could let me distinguish between encrypted/signed and encrypted/unsigned data without decryption (which may even be possible if I don't have the certificate for decryption)?

Answer

james.garriss picture james.garriss · Sep 12, 2013

S/MIME is flexible; you can sign and/or encrypt in any combination you want. Email clients, however, typically all behave the same way: Outlook 2010, Apple's Mail, and Thunderbird 17 all sign and then encrypt. The results for these 3 are nearly identical. They include these 3 headers in the message headers:

Content-Type: application/pkcs7-mime; smime-type=enveloped-data;
    name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: base64

They encrypt and base64-encode the entire body of the message.

To answer your questions:

What is the easiest way (in terms of computing resources) to tell if an s/mime email message is signed with attached signature when this message is encrypted?

The only way is to decrypt it.

Does it mean that I have to decrypt the message just to tell if it's also signed?

Yes.

Related questions

How do I encrypt plaintext with GnuPG?

I've been working a great deal with GnuPG lately and have come to depend on its ability to encrypt files, etc. However, I am currently working on a couple of projects that involve communication (i.e. chat,email, etc) where …

Read More
Sending email from Python using STARTTLS

I want to send emails with a Python script by using Python's smtplib. The script should only send the email, if an encrypted connection to the server can be established. To encrypt the connection to port 587 I want to use …

Read More
using bouncy castle to create public PGP key usable by Thunderbird

I created public and private PGP keys using org.bouncycastle.openpgp.PGPKeyRingGenerator. After making a change suggested by GregS, the public key is a .asc file, and the private key is a .skr file. I need to distribute the public …

Read More