S/MIME Signature Verification
M. Gallant 05/08/2004
To manually verify a signed S/MIME message with detached content, the entire
MIME entity representing the content must be passed to the verification routine.
If the signature includes "Authenticated Attributes", then there are at least two
such authenticated attributes: Content Type and Message Digest. (Other common
authenticated attributes are Signing Time and SMIME Capabilities.) In this case
the authenticated attributes, rather than the content itself, are what is hashed
and then signed (encrypted with the private key).
In the first S/MIME email sample appended below, the MIME entity that is actually signed is:
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Test
where a final CR/LF is included in the data to be hashed/signed. If the content to
be signed for S/MIME is binary or not 7-bit ASCII, the data is first transfer encoded,
typically as BASE64; that encoded data is what is signed, and the signature is then
packaged as PKCS #7, base64 encoded and finally wrapped as a MIME entity of type
application/x-pkcs7-signature, similar to the text content sample below.
CDO facilitates constructing, signing and verifying S/MIME messages.
To: "Mitch Gallant"
Subject: Signed from OE
Date: Sun, 30 Jun 2002 15:12:08 -0400
MIME-Version: 1.0
Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
micalg=SHA1;
boundary="----=_NextPart_000_0012_01C22048.805E6800"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mozilla-Status: 8009
X-Mozilla-Status2: 00000000
X-UIDL: 5ec7c9d390588171ba025db7cd30de8e
This is a multi-part message in MIME format.
------=_NextPart_000_0012_01C22048.805E6800
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Test
------=_NextPart_000_0012_01C22048.805E6800
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"

[base64-encoded PKCS #7 signature data not reproduced here]
------=_NextPart_000_0012_01C22048.805E6800--
More Advanced Example (generated by Outlook 2003)
The following detached signature S/MIME example is slightly more complicated
than the simple example above. The signed content is itself a MIME structure of type:
Content-Type: multipart/alternative;
(Note: as in the first example above, the plaintext content used for detached signature
verification is the text bounded by the first S/MIME boundary line:
------=_NextPart_000_0000_01C433BA.F769B490
and the second occurrence of that same boundary line, which marks the start of the
signature part beginning with:
Content-Type: application/x-pkcs7-signature;
Note that the S/MIME message source, if viewed from Netscape Messenger, may have any
Tab characters changed to several spaces; in this case the cleartext content extracted
from the source would not verify properly.)
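As an added worked example (not code from the original page), the extraction rule described for both samples is applied to a constructed message modelled on the Outlook Express sample: the signed MIME entity is cut out between the two boundary lines so that it keeps its final CR/LF, hashed with the algorithm named by micalg, and the DER-encoded set of authenticated attributes (Content Type and Message Digest) that is actually hashed and signed is built. The boundary and micalg regexes and the placeholder signature body are assumptions; the final public-key check over that set is not performed here since the page's signature blob is not reproduced.

```python
import hashlib
import re
# Constructed sample modelled on the Outlook Express message on this page;
# the signature body is a placeholder, not a real PKCS #7 blob.
RAW_MESSAGE = (
    b"Content-Type: multipart/signed;\r\n"
    b'\tprotocol="application/x-pkcs7-signature"; micalg=SHA1;\r\n'
    b'\tboundary="----=_NextPart_000_0012_01C22048.805E6800"\r\n'
    b"\r\n"
    b"------=_NextPart_000_0012_01C22048.805E6800\r\n"
    b"Content-Type: text/plain;\r\n"
    b'\tcharset="iso-8859-1"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Test\r\n"
    b"\r\n"
    b"------=_NextPart_000_0012_01C22048.805E6800\r\n"
    b"Content-Type: application/x-pkcs7-signature;\r\n"
    b'\tname="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"PLACEHOLDER-SIGNATURE-BASE64\r\n"
    b"------=_NextPart_000_0012_01C22048.805E6800--\r\n"
)

def signed_entity(raw: bytes) -> bytes:
    """Bytes the detached signature covers: the first part, from just after the
    opening boundary line up to, but not including, the CRLF that belongs to
    the next boundary delimiter, so the entity keeps its own final CRLF."""
    boundary = re.search(rb'boundary="([^"]+)"', raw).group(1)
    start = raw.index(b"--" + boundary + b"\r\n") + len(boundary) + 4
    end = raw.index(b"\r\n--" + boundary, start)
    return raw[start:end]

def micalg(raw: bytes) -> str:
    name = re.search(rb"micalg=([\w-]+)", raw).group(1).decode()
    return name.lower().replace("-", "")    # SHA1 -> sha1, sha-256 -> sha256

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body   # short-form length is enough here
OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_ID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
def signed_attributes(raw: bytes) -> bytes:
    """DER SET of the two mandatory authenticated attributes: this, not the content, is
    hashed and signed, using tag 0x31 although it sits as IMPLICIT [0] in SignerInfo."""
    digest = hashlib.new(micalg(raw), signed_entity(raw)).digest()
    ct = der(0x30, der(0x06, OID_CONTENT_TYPE) + der(0x31, der(0x06, OID_ID_DATA)))
    md = der(0x30, der(0x06, OID_MESSAGE_DIGEST) + der(0x31, der(0x04, digest)))
    return der(0x31, ct + md)
```

Replacing the Tab in the charset header line with spaces, as Netscape Messenger may do, changes the bytes returned by signed_entity() and hence the messageDigest value, which is why such a source no longer verifies.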
Michel I. Gallant
neutron@istar.ca