Important: This document may not represent best practices for current development; links to downloads and other resources may no longer be valid.
Enveloped and Signed CMS/PKCS #7 Message
CMS/PKCS #7 provides the capability to both sign and envelope a message. This is possible because protected messages can be nested. Digitally signing and enveloping a message protects it by applying all the security services separately described in theand topics.
E-mail that uses the S/MIME security standard is an example of an application in which both signing and enveloping a message are useful. S/MIME specifies the ability to both sign and encrypt an e-mail message. If your application requires a high probability of both data authentication and data confidentiality, use a combination of digital signing and digital enveloping.
Although these security services can be applied in either order, it might be advantageous to first sign a message and then envelope it. In that order, the data that is signed is still intelligible, because it has not yet been encrypted.
Sign and envelope a message by using the SignedCms and EnvelopedCms classes in conjunction with one another. For example, suppose application requirements dictate first signing a message and then enveloping it. Sign the message using the SignedCms class as discussed in the topic . Encode the SignedCms message by invoking the Encode method. This yields the encoding as a byte array. Use that byte array as the input to construct a ContentInfo object. Use the ContentInfo object as input to construct an EnvelopedCms object.
The EnvelopedCms object now has a SignedCms object nested inside it as its inner content. Now, envelope the message as described in.
For a code example that signs and envelopes a message, see thetopic.
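The sign-then-envelope procedure described above, followed by the receiver's reverse steps, as an added example that is not code from the original page or from Microsoft. It assumes .NET Core 3.0 or later with System.Security.Cryptography.Pkcs; the class name, subject names, sample message, throwaway self-signed certificates and the explicit AES-256-CBC algorithm choice are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SignThenEnvelope
{
    // Constructed throwaway self-signed certificate, for this demo only.
    static X509Certificate2 MakeCert(RSA key, string cn)
    {
        var req = new CertificateRequest("CN=" + cn, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                    DateTimeOffset.UtcNow.AddDays(1));
    }

    static void Main()
    {
        using RSA signerKey = RSA.Create(2048), recipientKey = RSA.Create(2048);
        using X509Certificate2 signerCert = MakeCert(signerKey, "Example Signer");
        using X509Certificate2 recipientCert = MakeCert(recipientKey, "Example Recipient");
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");

        // Sender, step 1: sign the plaintext and encode the SignedCms to bytes.
        var signedCms = new SignedCms(new ContentInfo(message), detached: false);
        // EndCertOnly embeds the signer certificate so the receiver can locate it.
        signedCms.ComputeSignature(
            new CmsSigner(signerCert) { IncludeOption = X509IncludeOption.EndCertOnly });
        byte[] signedBytes = signedCms.Encode();

        // Sender, step 2: the encoded SignedCms becomes the EnvelopedCms inner content.
        // Assumption of this example: AES-256-CBC is named explicitly, not defaulted.
        var aes256 = new AlgorithmIdentifier(new Oid("2.16.840.1.101.3.4.1.42"));
        var envelopedCms = new EnvelopedCms(new ContentInfo(signedBytes), aes256);
        envelopedCms.Encrypt(new CmsRecipient(recipientCert));
        byte[] wire = envelopedCms.Encode();

        // Receiver: decrypt the outer envelope, then decode and verify the inner signature.
        var received = new EnvelopedCms();
        received.Decode(wire);
        received.Decrypt(received.RecipientInfos[0], recipientKey);
        var verified = new SignedCms();
        verified.Decode(received.ContentInfo.Content);
        // Signature-only check because the demo certificate is self-signed;
        // pass false to also validate the signer's certificate chain.
        verified.CheckSignature(verifySignatureOnly: true); // throws CryptographicException on failure
        Console.WriteLine(Encoding.UTF8.GetString(verified.ContentInfo.Content));
    }
}
```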