pkcs7-signature message

When creating a s/mime message where you in the second part (the first part is the actual message) are supposed to provide BOTH the certificate you signed the message with, AND the result of the signing, i.e the digest, how are you supposed to concatenate them?

I dont use any libraries like bouncy castle or similar. I am building the message by hand. Are you just supposed to concatenate them after each other, or with a new line between or how is it done? I did try to look how it is done in BC, and some googling without any cl开发者_如何学运维ear answers.

The S/MIME format is based on the CMS specification (Cryptographic Message Syntax), which standardize the data structures to carry encrypted, authenticated or signed data. S/MIME (and CMS) uses ASN.1 notation for these data structures.

In a S/MIME signed message, both the message digital signature and the signing certificates are encapsulated in the second part of the e-mail MIME multipart. It is possible to manually build the message multipart, but the S/MIME signature is a binary format which requires a dedicated library to be computed.

Some technical details:

• the last version of the S/MIME ASN.1 module is described in the RFC 5911
• the message signature is ContentInfo containing a SignedData structure
• the SignedData contains a SignerInfo (most of the time only one since the e-mail is signed by a single sender). A SignerInfo contains the message digital signature, the signature algorithm and a signer certificate unique identifier (for instance the certificate issuer & serial number)
• the certificates can be added in the SignedData (this is optinal since certificates are public objects, they can be downloaded from a repository or the recipient may already have the signing certificate chain stored in her mail application)