AttachSignature x509cert overload limits?

Hello,
If we use this overload:
AttachSignature(MapiMessage, X509Certificate2, SignatureOptions)
To avoid loading certificate into the cms signer, how to set:
CmsSigner > DigestAlgorithm IncludeOption and SignedAttributes.Add:New Pkcs9SigningTime

Thanks 🙂

@australian.dev.nerds

The AttachSignature(MapiMessage, X509Certificate2, SignatureOptions) method in Aspose.Email allows signing a message using an X509Certificate2 without directly handling the CmsSigner object, as the signing process is abstracted through the SecureEmailManager class. However, this overload does not expose direct access to the underlying CmsSigner properties such as DigestAlgorithm, IncludeOption, or SignedAttributes.

Limitations of the X509Certificate2 Overload:

  • You cannot directly set CmsSigner.DigestAlgorithm or modify SignedAttributes (e.g., adding a custom Pkcs9SigningTime) when using this high-level overload.
  • The SignatureOptions parameter allows configuration of basic signature settings like signing time and signature level, but does not provide access to low-level CMS attributes or signer options.

Workaround / Alternative:

To gain full control over CmsSigner, including setting the digest algorithm and manually adding Pkcs9SigningTime, you should:

  1. Use the lower-level CmsSigner class directly.
  2. Manually create the CMS signature using SignedCms.
  3. Attach the resulting signature to the MapiMessage or MailMessage as needed.

Example (Manual CMS Signing with Full Control):

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

var certificate = new X509Certificate2("path_to_cert.pfx", "password");
ContentInfo contentInfo = new ContentInfo(Encoding.UTF8.GetBytes("Your message body"));
SignedCms signedCms = new SignedCms(contentInfo, true); // true = detached signature (content is not embedded in the CMS blob)

CmsSigner signer = new CmsSigner(certificate);
signer.DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1"); // SHA-256; "1.3.14.3.2.26" is SHA-1, deprecated for new signatures
signer.IncludeOption = X509IncludeOption.EndCertOnly;      // embed only the signing certificate, not the chain

// Add signing time attribute (CMS encodes it as UTC)
signer.SignedAttributes.Add(new Pkcs9SigningTime(DateTime.UtcNow));

signedCms.ComputeSignature(signer);

byte[] signatureBytes = signedCms.Encode(); // DER-encoded CMS/PKCS#7 SignedData

Then embed or attach signatureBytes into your email as needed.

Note: This approach bypasses SecureEmailManager.AttachSignature, but gives full control over the signing process.

Conclusion:

The AttachSignature(MapiMessage, X509Certificate2, SignatureOptions) overload is convenient but limited. For advanced control over CmsSigner, you must use manual CMS signing with SignedCms and CmsSigner directly.

Execution did not complete due to an execution error; the code example is a hypothesis based on standard .NET behavior and not verified by running.

Hi @australian.dev.nerds

We don’t see a reason to avoid using the overload
AttachSignature(MapiMessage msg, CmsSigner signer, SignatureOptions options) in this case.

This overload is specifically designed for scenarios where you need full control over the CmsSigner configuration. It allows you to configure all required parameters in advance, including:

  • setting CmsSigner.DigestAlgorithm,
  • configuring CmsSigner.IncludeOption,
  • adding custom signed attributes, such as
    SignedAttributes.Add(new Pkcs9SigningTime()).

The overload
AttachSignature(MapiMessage, X509Certificate2, SignatureOptions) is intended for simpler use cases and internally creates and configures the CmsSigner instance for you. Because of that, it does not expose a way to customize DigestAlgorithm or SignedAttributes.

Therefore, if you need to avoid default CMS signer behavior and explicitly control these settings, using
AttachSignature(MapiMessage msg, CmsSigner signer, SignatureOptions options) is the recommended and correct approach.
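Putting the two answers together, the following is an added example (not code from this thread, and not Aspose's own sample) that builds the fully configured CmsSigner the question asks for, checks with plain SignedCms that the chosen digest OID and signing time actually end up in the SignerInfo, and then hands the same signer to the overload recommended above. It assumes the Aspose.Email namespaces Aspose.Email (SecureEmailManager, SignatureOptions) and Aspose.Email.Mapi (MapiMessage), a parameterless SignatureOptions constructor, that AttachSignature returns the signed MapiMessage, and placeholder certificate path, password and addresses.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Aspose.Email;        // assumed: SecureEmailManager, SignatureOptions
using Aspose.Email.Mapi;   // assumed: MapiMessage

public static class ConfiguredSignerExample
{
    // id-sha256. SHA-1 (1.3.14.3.2.26) is deprecated for new signatures.
    private const string Sha256Oid = "2.16.840.1.101.3.4.2.1";
    // PKCS#9 id-signingTime attribute OID.
    private const string SigningTimeOid = "1.2.840.113549.1.9.5";

    // Builds a CmsSigner with every setting from the question set explicitly,
    // so nothing is left to the library's defaults.
    public static CmsSigner BuildSigner(X509Certificate2 certificate)
    {
        if (!certificate.HasPrivateKey)
            throw new ArgumentException("Signing certificate must include its private key.", nameof(certificate));

        var signer = new CmsSigner(certificate)
        {
            DigestAlgorithm = new Oid(Sha256Oid),
            // EndCertOnly keeps the message small; use ExcludeRoot when recipients lack the intermediates.
            IncludeOption = X509IncludeOption.EndCertOnly,
        };
        signer.SignedAttributes.Add(new Pkcs9SigningTime(DateTime.UtcNow));
        return signer;
    }

    // Self-check: sign a constructed test payload with plain SignedCms, decode the result,
    // and report which digest OID and signing time actually landed in the SignerInfo.
    // Handy before handing the signer to Aspose, whose output is a .msg rather than raw CMS.
    public static (string DigestOid, DateTime? SigningTime) ProbeSigner(X509Certificate2 certificate)
    {
        byte[] payload = Encoding.UTF8.GetBytes("constructed probe payload");
        var cms = new SignedCms(new ContentInfo(payload), detached: false); // embedded content so Decode can verify
        cms.ComputeSignature(BuildSigner(certificate));

        var decoded = new SignedCms();
        decoded.Decode(cms.Encode());
        // verifySignatureOnly: true skips chain building (fine for a self-signed test certificate);
        // production verification should pass false so chain and revocation are checked.
        decoded.CheckSignature(verifySignatureOnly: true);

        SignerInfo info = decoded.SignerInfos[0];
        DateTime? signingTime = null;
        foreach (CryptographicAttributeObject attr in info.SignedAttributes)
        {
            if (attr.Oid.Value != SigningTimeOid) continue;
            foreach (AsnEncodedData value in attr.Values)
            {
                // .NET normally hands back a typed Pkcs9SigningTime; re-parse the raw bytes otherwise.
                var st = value as Pkcs9SigningTime ?? new Pkcs9SigningTime(value.RawData);
                signingTime = st.SigningTime;
            }
        }
        return (info.DigestAlgorithm.Value, signingTime);
    }

    public static void Main()
    {
        // Placeholder path and password.
        var certificate = new X509Certificate2("signing-cert.pfx", "password");

        var (digestOid, signingTime) = ProbeSigner(certificate);
        Console.WriteLine($"digest={digestOid} signingTime={signingTime:O}");

        var message = new MapiMessage("sender@example.com", "recipient@example.com",
            "Signed message", "Body text");
        var options = new SignatureOptions();   // library defaults; assumed parameterless constructor
        var manager = new SecureEmailManager();
        // The overload recommended in the answer: the pre-configured signer is passed in unchanged.
        // Assumed to return the signed message; confirm against your Aspose.Email version.
        MapiMessage signed = manager.AttachSignature(message, BuildSigner(certificate), options);
        signed.Save("signed.msg");
    }
}
```

ProbeSigner is the check worth keeping around: if the digest OID printed is not 2.16.840.1.101.3.4.2.1 or the signing time is missing, the signer configuration is not what you intended before any message is built. The probe verifies the signature only; the recipient side should still validate the certificate chain.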