What is an Enveloping PKCS#7 CMS Signature?
A PKCS#7 enveloping CMS digital signature, typically stored as a .p7m file, is a CMS SignedData structure where the signed content is embedded inside the message — this is also called an opaque or enveloping signature.
What Is It?
- A CMS (Cryptographic Message Syntax) signature that:
  - Includes the original content
  - Includes one or more digital signatures
- The result is a single .p7m file containing both the data and its cryptographic signature(s)
Key Features
| Feature | Description |
|---|---|
| Embedded Content | Yes — content is wrapped (enveloped) inside |
| Signature Type | CMS SignedData with encapsulated content |
| Common Extension | .p7m (e.g., signed-document.p7m) |
| Typical Use Case | S/MIME signed email, signed data archival |
Structure (Simplified)
```
SignedData {
  encapContentInfo {
    eContentType = data,
    eContent = <your original content>
  },
  signerInfos = [ { SignerInfo } ],
  certificates = [ X.509 certs ]
}
```
- The signer creates a hash of the content and signs it
- The content itself is included inside the CMS structure
Compared to Detached Signature
| Type | Content Included | File Extension | Use Case |
|---|---|---|---|
| Detached | No | .p7s | Signature-only, for separate content |
| Enveloping (opaque) | Yes | .p7m | Signed content embedded in one file |
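In the encoded structure, the difference between the two rows is whether eContent is present inside encapContentInfo. The following Python code is an added example, not part of the original page: it walks a definite-length DER SignedData and returns the embedded content, or None for a detached signature. The function names and the skeleton messages built by sample() are constructed for illustration; they carry no real signature, and the code inspects structure only without verifying anything.

```python
# Added example: classify DER CMS SignedData as enveloping or detached (no verification).
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) not handled")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def embedded_content(der):
    """Return eContent bytes if the signature is enveloping, None if detached."""
    tag, body, _ = read_tlv(der)
    (t_oid, oid), (t_ctx, wrapped) = children(body)[:2]
    if (tag, t_oid, oid, t_ctx) != (0x30, 0x06, OID_SIGNED_DATA, 0xA0):
        raise ValueError("not a CMS SignedData ContentInfo")
    signed_data = children(children(wrapped)[0][1])  # version, digestAlgorithms, encapContentInfo, ...
    encap = children(signed_data[2][1])              # eContentType [, [0] eContent]
    if len(encap) < 2:
        return None                                  # eContent absent: detached (.p7s)
    return children(encap[1][1])[0][1]               # OCTET STRING inside [0] EXPLICIT

def tlv(tag, value=b""):
    n = len(value)                    # DER encoder, used only to build the samples
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def sample(content=None):
    """Constructed skeleton SignedData with empty signerInfos; not a valid signature."""
    encap = tlv(0x06, OID_DATA) + (tlv(0xA0, tlv(0x04, content)) if content is not None else b"")
    sd = tlv(0x02, b"\x01") + tlv(0x31) + tlv(0x30, encap) + tlv(0x31)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, sd)))
```

A .p7m file written with indefinite-length (BER) encoding is rejected by read_tlv with a ValueError instead of being misparsed.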
Summary
A PKCS#7 enveloping CMS signature is a single, self-contained .p7m file that holds both the original data and its digital signature, used commonly in S/MIME and document signing workflows.