Add S/MIME decryption

[BastianZim]

Feature request

It would be nice if cryptography could be used to decrypt S/MIME encrypted emails.

This could be low-level right now, similar to https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/?highlight=s%2Fmime#cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder or something more high level later.

The respective OpenSSL command would be openssl smime -decrypt -in smime-ok.eml -recip myself.pem

But since there is currently no stable python tool to decrypt S/MIME (That I know of), anything is already very much appreciated. :)

[BastianZim]

I formulated this quite vague as I'm not sure how much info is needed but please let me know if I should add more. Also, I saw some attempts at creating an issue to track all S/MIME-related features from a more high-level approach (https://github.com/pyca/cryptography/issues/1621#issuecomment-695810113) to bring it out of the hazards area but from what I can see, that hasn't happened yet. Happy to create something, if required.

[pirm-in]

I am pretty new to this topic, but came to work on a project recently where we need to handle email messages with S/MIME signed and encrypted attachments in python. we started to implement a POC with M2crypto, just to realize that the other party, which is sending us the messages, uses openssl cms for encryption, and we could not verify/decrypt the messages. so i did some research and came across this: https://security.stackexchange.com/questions/41399/openssl-pkcs7-vs-s-mime where the author of the accepted answer basically tells, that cms is used for the newer versions of S/MIME (current version is v4)
in a nutshell: i think what we actually would want/need is an API which supports the high-level features of the openssl CLI cms command, not the older version openssl smime

for a short term solution in our project at hand we will probably fall back on just calling the openssl command via python-subprocess, but it's not something we want to stay with obviously.

what i am wondering right now is

• what is the progress since the More SMIME please! issue has been closed
• what is the actual state of S/MIME encryption
• what exactly needs to be done to satisfy this comment
• is it possible to do all this with the current state of pyca/cryptography (with an acceptable effort from a business perspective)
• what on earth have i been gotten into :sweat_smile:

[reaperhulk]

CMS is an enormous (and terrible) specification so you'll need to very precisely define what it is you need. This really means spelunking through RFCs and determining the minimal set of supported structures.

No one has stepped up to try to even define the scope of this work, much less determine how we would actually accomplish it. As for SMIME, no API has been proposed for encryption/decryption and no API has been proposed for verification so those remain items for future work. They're definitely more tractable than expanding to full CMS support, but carry a variety of challenges of their own.

None of this is impossible, but making progress will require consistent commitment since we need to agree on a design, discuss implementation, and then it needs to get written and go through what will likely be several cycles of significant feedback.