Enveloped and Signed CMS/PKCS #7 MessageĀ
CMS/PKCS #7 provides the capability to both sign and envelope a message. This is possible because protected messages can be nested. Digitally signing and enveloping a message protects it by applying all the security services separately described in the SignedCms Message and EnvelopedCms Message topics.
E-mail, using the S/MIME security standard, is an example of an application in which both signing and enveloping a message is useful. S/MIME specifies the ability to both sign and encrypt an e-mail message. If your application requires a high probability of both data authentication and data confidentiality, use a combination of digital signing and digital enveloping.
Although these security services can be applied in either order, it might be advantageous to first sign a message and then envelope it. As such, the data that was signed was intelligible because it was not yet encrypted.
Sign and envelope a message by using the SignedCms and EnvelopedCms classes in conjunction with one another. For example, application requirements dictate first signing a message and then enveloping it. Sign the message using the SignedCms class as discussed in the topic SignedCms Message. Encode the SignedCms message by invoking the System.Security.Cryptography.Pkcs.SignedCms.Encode method. This yields the encoding as a byte array. Use that byte array as the input to construct a ContentInfo object. Use the ContentInfo object as input to construct an EnvelopedCms object.
The EnvelopedCms object now has a SignedCms object nested inside it as its inner content. Now, envelope the message as described in EnvelopedCms Message.
For a code example that signs and envelopes a message, see the How to: Sign and Envelop a Message topic.
See Also
Concepts
How to: Sign and Envelop a Message
Types of CMS/PKCS #7 Messages