Decrypting PKCS #7 Enveloped Messages

M. Gallant 10/31/2002

PKCS #7 is the established standard for the cryptographic representation of digitally signed and enveloped messages using X.509 certificates; the IETF's CMS is its direct successor and shares the same structure. The secure mail standard S/MIME builds on PKCS #7. PKCS #7 messages can be decoded and verified with a range of tools. Windows CryptoAPI provides extensive support for CMS/PKCS #7, and CAPICOM 2 exposes much of that CryptoAPI functionality to COM automation clients such as WSH scripts.

The exact bytes that end up encrypted inside a PKCS #7 EnvelopedData object depend to some extent on the software that produced it. Some tools represent string content as Unicode (UTF-16LE) bytes, two bytes per character, while others use plain ANSI text, one character per byte. If the decrypting side assumes the wrong encoding, the recovered text appears garbled or interleaved with null bytes. The same issue arises when verifying signed PKCS #7 data, where the content must be interpreted exactly as the signer encoded it.

The WSH VBScript DenvelopAll.vbs is a utility that demonstrates one approach to decrypting enveloped PKCS #7 message files. This includes enveloped data produced by CAPICOM EnvelopedData.Encrypt(), as well as encrypted data blocks wrapped in S/MIME format by S/MIME-capable email clients. DenvelopAll.vbs has been tested with S/MIME enveloped data from Outlook Express 6 and Netscape Messenger 4.7. It can also decrypt binary DER-encoded EnvelopedData blobs containing arbitrary binary data (binary file I/O from VBScript relies on ADODB, which must be installed).
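The two non-cryptographic steps described above, getting from an S/MIME entity or a raw DER file to the PKCS #7 ContentInfo, and deciding whether decrypted text is UTF-16LE or ANSI, as an added example in Python. This is not code from the original page or from DenvelopAll.vbs, and it deliberately leaves the decryption itself to CAPICOM, CryptoAPI or another CMS library: nothing here touches keys. The sample ContentInfo and S/MIME message are constructed for the example and carry only the outer EnvelopedData header, not a real encrypted payload; the ANSI code page default of cp1252 is an assumption.

```python
"""Wrapper and encoding handling around PKCS #7 EnvelopedData (added example)."""
import base64
import email
from email import policy

OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"   # id-envelopedData
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"      # id-signedData
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER tag/length/value reader; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def normalize_to_der(data: bytes) -> bytes:
    """Accept a raw DER blob, an S/MIME entity, or PEM/bare base64; return DER."""
    if data[:1] == b"\x30":                 # SEQUENCE tag: already binary DER
        return data
    text = data.decode("ascii", errors="replace")
    msg = email.message_from_string(text, policy=policy.default)
    if msg.get_content_type() in SMIME_TYPES:
        return msg.get_payload(decode=True)  # honours Content-Transfer-Encoding
    body = [ln for ln in text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def content_type_oid(der: bytes) -> str:
    """Return the contentType OID from the outer ContentInfo SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, oid, _ = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("ContentInfo must begin with an OBJECT IDENTIFIER")
    return _decode_oid(oid)


def is_enveloped(data: bytes) -> bool:
    """True if the input, in any accepted wrapping, is PKCS #7 EnvelopedData."""
    return content_type_oid(normalize_to_der(data)) == OID_ENVELOPED_DATA


def decode_plaintext(data: bytes, ansi_codepage: str = "cp1252") -> str:
    """Turn decrypted content into text.  Windows tools often encrypt strings as
    UTF-16LE ("Unicode"); other producers use one byte per character (ANSI).
    The ANSI code page is an assumption; pick the one the sender used."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")        # BOM present: the codec strips it
    # Heuristic: Latin-range text in UTF-16LE has a NUL in every odd byte.
    if len(data) >= 2 and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le")
    return data.decode(ansi_codepage)


# Constructed sample: the outer header of an EnvelopedData ContentInfo only,
# SEQUENCE { OID id-envelopedData, [0] EXPLICIT <empty> }.  A real message
# carries RecipientInfos and EncryptedContentInfo inside the [0] element.
SAMPLE_CONTENT_INFO = bytes.fromhex("300d06092a864886f70d010703a000")
SAMPLE_SMIME = (
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(SAMPLE_CONTENT_INFO).decode() + "\n"
)

if __name__ == "__main__":
    for label, blob in (("S/MIME entity", SAMPLE_SMIME.encode()),
                        ("raw DER", SAMPLE_CONTENT_INFO)):
        print(label, content_type_oid(normalize_to_der(blob)), is_enveloped(blob))
    print(repr(decode_plaintext(b"H\x00i\x00")), repr(decode_plaintext(b"Hi")))
```

Checking the contentType OID before handing the blob to a decryptor gives a clear error for the common mistake of feeding SignedData (or a certificate file) to an EnvelopedData routine, and the NUL-byte heuristic in decode_plaintext is exactly the symptom to look for when CAPICOM-produced content comes back looking "double spaced" in an ANSI-only consumer.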



Michel I. Gallant