The S/MIME Format

Like OpenPGP, S/MIME messages may be signed, encrypted, or both. This section will show how S/MIME messages are structured in all three forms.

S/MIME uses the multipart/signed MIME type for signing messages, just like OpenPGP. It uses the application/x-pkcs7-signature protocol for digital signatures and either the SHA-1 or MD5 hash algorithm for message integrity checks. The micalg parameter is therefore set to either “sha1” or “md5”.

You may recall from Chapter 4, Creating MIME-Compliant Messages, that MIME messages are often constructed with a bit of text at the top of the message body that reads “This is a multi-part message in MIME format.” This text tells MUAs (and humans) that cannot handle MIME what the structure of the message is. Similarly, S/MIME messages often include a comment along the lines of “This is a cryptographically signed message in MIME format”, which serves the same purpose.

The following example shows a simple textual message that has been signed with an S/MIME digital signature. The first part is the actual message content, of MIME type text/plain. The second part is a (truncated) signature, which is of type application/x-pkcs7-signature. Note that the MIME type of the second part and the “protocol” parameter used in the multipart/signed header must match exactly.

The signature data itself is encoded with base64 so that it may pass easily through the Internet mail system. Because a signature must not be altered by MTAs in transit, it has to be “7-bit clean”.

Return-Path: <[email protected]>
Received: from mailhost.plugged.net.au
        by fetchmail-4.6.2 POP3
        for <dwood/localhost> (single-drop); Wed, 30 Dec 1998
        11:22:20 EST
Received: from plugged.net.au (in.plugged.net.au [203.20.51.50])
        by mailhost.plugged.net.au (8.8.8/8.8.8) with ESMTP id LAA22862;
        Wed, 30 Dec 1998 11:21:08 +1000
Sender: [email protected]
Message-ID: <[email protected]>
Date: Wed, 30 Dec 1998 01:21:06 +0000
From: Chris Ryan <[email protected]>
Organization: Plugged In Software
X-Mailer: Mozilla 4.5 [en] (X11; I; Linux 2.0.36 i586)
X-Accept-Language: en
MIME-Version: 1.0
To: David Wood <[email protected]>
Subject: Sample signed S/MIME e-mail
Content-Type: multipart/signed;
         protocol="application/x-pkcs7-signature";
         micalg=sha1; boundary="------------ms22A2EDD782D29FC8A5E8694B"

This is a cryptographically signed message in MIME format.

--------------ms22A2EDD782D29FC8A5E8694B
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is a sample signed S/MIME e-mail.
--
Chris Ryan           | BH: http://www.plugged.net.au/
[email protected] | AH: http://storm-wolves.plugged.net.au/
--------------ms22A2EDD782D29FC8A5E8694B
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIIJsgYJKoZIhvcNAQcCoIIJozCCCZ8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
B7QwggR+MIID56ADAgECAhAHvCcPP2Kg5hngAQMAVO4rMA0GCSqGSIb3DQEBBAUAMIHMMRcw
...
Sy0f0+CuYad/vb1CA5V7nHefHMt0G0DIBjhmDYLxFBQzZzERXeTaOUipE+nQVG6rzCWFftRV
6hk=
--------------ms22A2EDD782D29FC8A5E8694B--

If a message is to be encrypted, it is placed in a MIME entity of type application/x-pkcs7-mime. Again, the content is encoded with base64 to make it 7-bit clean. The following example shows such a message, with the encrypted MIME entity filling the message body.

The original content to be encrypted is first made into a MIME entity of appropriate content type. The entity is then encrypted, headers and all, with the appropriate protocol.

If an S/MIME message is to be both signed and encrypted, the data is first made into a MIME entity and signed, as in the preceding example. The resulting MIME entity (of type multipart/signed) is then encrypted. Therefore, it is impossible to tell an encrypted message from an encrypted and signed one prior to decoding.

Return-Path: <[email protected]>
Received: from mailhost.plugged.net.au
        by fetchmail-4.6.2 POP3
        for <dwood/localhost> (single-drop); Wed, 30 Dec 1998
        11:48:23 EST
Received: from plugged.net.au ([email protected]
        [192.168.20.61]) by morris.staff.plugged.com.au (8.8.7/8.8.7)
        with ESMTP id LAA10141; Wed, 30 Dec 1998 11:47:27 +1000
Sender: [email protected]
Message-ID: <[email protected]>
Date: Wed, 30 Dec 1998 11:47:26 +1000
From: David Wood <[email protected]>
Organization: Plugged In Software pty Ltd
X-Mailer: Mozilla 4.07 [en] (X11; I; Linux 2.0.36 i586)
MIME-Version: 1.0
To: Chris Ryan <[email protected]>
Subject: Test of signed and encrypted S/MIME e-mail
References: <[email protected]>
Content-Type: application/x-pkcs7-mime; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"
Content-Description: S/MIME Encrypted Message

MIAGCSqGSIb3DQEHA6CAMIACAQAxggJ4MIIBOAIBADCB4TCBzDEXMBUGA1UEChMOVmVyaVNp
Z24sIE1uYy4xHzAdBgNVBAsTF1Z1cm1TaWduIFRydXN0IE51dHdvcmsxRjBEBgNVBAsTPXd3
...
IcrBF+q1yec2xg52nYhrAUStP9HzNmsyRrniwS1sXcmj6hUxbD6fBAjAfhKcEZnJAwAAAAAA
AAAAAAA=
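As an added example, not code from the book, the following Python inspects a message against the structural rules this section states for both the signed and the encrypted form: the second part's type must equal the protocol parameter, micalg must be sha1 or md5, and the base64 blob must decode to CMS signedData (or envelopedData for application/x-pkcs7-mime). The sample message and its placeholder signature are constructed; the OID constants are the standard PKCS#7 content-type identifiers, and nothing here verifies the signature itself.

```python
import base64
import email
from email import policy

OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")     # DER of 1.2.840.113549.1.7.2
OID_ENVELOPED_DATA = bytes.fromhex("06092a864886f70d010703")  # DER of 1.2.840.113549.1.7.3

def cms_content_type(der: bytes) -> str:
    """Read the contentType OID of the outer CMS ContentInfo without a CMS library."""
    if len(der) < 2 or der[0] != 0x30:                  # ContentInfo is a SEQUENCE
        return "unknown"
    hdr = 2 if der[1] <= 0x80 else 2 + (der[1] & 0x7F)  # 0x80 = indefinite length
    body = der[hdr:]
    if body.startswith(OID_SIGNED_DATA):
        return "signedData"
    return "envelopedData" if body.startswith(OID_ENVELOPED_DATA) else "unknown"

def inspect_smime(raw: bytes) -> dict:
    """Classify a raw message as signed/encrypted and list structural problems."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {"kind": "not-smime", "problems": []}
    if msg.get_content_type() == "multipart/signed":
        out["kind"] = "signed"
        parts = msg.get_payload()
        if len(parts) != 2:                              # body + detached signature
            out["problems"].append("multipart/signed needs exactly two parts")
            return out
        body, sig = parts
        if sig.get_content_type() != msg.get_param("protocol"):
            out["problems"].append("signature part type != protocol parameter")
        if str(msg.get_param("micalg", "")).lower() not in ("sha1", "md5"):
            out["problems"].append("micalg is not one of sha1/md5")
        if cms_content_type(sig.get_payload(decode=True)) != "signedData":
            out["problems"].append("signature blob is not CMS signedData")
        out["clear_text"] = body.get_content()           # readable even before verification
    elif msg.get_content_type() in ("application/x-pkcs7-mime", "application/pkcs7-mime"):
        inner = cms_content_type(msg.get_payload(decode=True))
        out["kind"] = "encrypted" if inner == "envelopedData" else "pkcs7-mime/" + inner
    return out

# Constructed sample shaped like the signed message above; SIG_DER is only a bare
# ContentInfo header (SEQUENCE { signedData OID, [0] { } }), not a real signature.
SIG_DER = b"\x30\x0f" + OID_SIGNED_DATA + b"\xa0\x02\x30\x00"
SAMPLE_SIGNED = (
    b"MIME-Version: 1.0\nContent-Type: multipart/signed;\n"
    b' protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="bb"\n\n'
    b"--bb\nContent-Type: text/plain; charset=us-ascii\n\nHello, signed world.\n"
    b'--bb\nContent-Type: application/x-pkcs7-signature; name="smime.p7s"\n'
    b"Content-Transfer-Encoding: base64\n\n" + base64.b64encode(SIG_DER) + b"\n--bb--\n"
)
```

On the two messages shown in this section the blob check alone tells them apart: the signed blob decodes to a SEQUENCE starting with the signedData OID, while the encrypted blob starts with the envelopedData OID in indefinite-length encoding (the 0x80 length byte).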

This chapter could not fully explain the details of the two competing proposals for a secure email standard. However, it did explain the formats used by both, which should allow you to properly understand and even parse this sort of message when you encounter it.

Freely available APIs and code libraries exist for both the OpenPGP and S/MIME proposals. If you desire, you can use them to create or decode the MIME entities described here.
