How to sign and unsign an email in C# and VB.NET
GemBox.Email enables you to create signed (S/MIME) messages. It supports clear-signed (multipart/signed) and opaque-signed (application/pkcs7-mime) formats according to the latest S/MIME standard RFC 8551.
You can convert a regular (unsigned) MailMessage
to a signed message by calling MailMessage.Sign
, which will add a signature to the MailMessage
, making it read-only. This method receives an instance of DigitalSignatureOptions
as a parameter, which contains:
- The certificate to be used while creating the signature through the
DigitalSignatureOptions.Certificate
property. - A boolean indicating if this should be a clear-signed (
true
) or an opaque-signed (false
) message through theDigitalSignatureOptions.ClearSigned
property.
Calling MailMessage.Sign
from a signed message will result in an InvalidOperationException
being thrown.
The following example shows how you can load and sign a regular message.
using GemBox.Email;
using System.Security.Cryptography.X509Certificates;
class Program
{
static void Main()
{
// If using the Professional version, put your serial key below.
ComponentInfo.SetLicense("FREE-LIMITED-KEY");
// Load message from email file normally.
var message = MailMessage.Load("%InputFileName%");
// Signing an already signed message would throw an exception!
if (message.IsSigned)
return;
var options = new DigitalSignatureOptions()
{
Certificate = new X509Certificate2("%InputDigitalId%", "GemBoxPassword"),
ClearSigned = true
};
// Sign message as clear-signed.
message.Sign(options);
// Save the signed message.
message.Save("Signed.%OutputFileType%");
}
}
Imports GemBox.Email
Imports System.Security.Cryptography.X509Certificates
Module Program
Sub Main()
' If using the Professional version, put your serial key below.
ComponentInfo.SetLicense("FREE-LIMITED-KEY")
' Load message from email file normally.
Dim message = MailMessage.Load("%InputFileName%")
' Signing an already signed message would throw an exception!
If message.IsSigned Then Return
' Load certificate data.
Dim options As New DigitalSignatureOptions() With
{
.Certificate = New X509Certificate2("%InputDigitalId%", "GemBoxPassword"),
.ClearSigned = True
}
' Sign message as clear-signed.
message.Sign(options)
' Save the signed message.
message.Save("Signed.%OutputFileType%")
End Sub
End Module
A signed MailMessage
has some differences compared to a "normal" MailMessage
that you should consider:
MailMessage.IsSigned
will be set totrue
, andMailMessage.MessageSecurity
will indicate the type of signature applied to this message.- Signed messages will be
read-only
. Changing the message's content (BodyText
,BodyTextCharset
,BodyHtml
orAttachments
) will result in anInvalidOperationException
being thrown. - It will be possible to validate the message's signature or to unsign it.
To remove the signature or enable changing the content of a signed MailMessage
it is necessary to call MailMessage.Unsign
, which will remove the message's signature and it's read-only estate, exposing the content as a "normal" message. If necessary, it is also possible to re-sign the message.
If you call MailMessage.Unsign
from an unsigned message, an InvalidOperationException
being thrown.
The following example shows how to unsign a message.
using GemBox.Email;
class Program
{
static void Main()
{
// If using the Professional version, put your serial key below.
ComponentInfo.SetLicense("FREE-LIMITED-KEY");
// Load message from email file normally.
var message = MailMessage.Load("%InputFileName%");
// To unsign a not-signed message would throw an exception!
if (!message.IsSigned)
return;
message.Unsign();
// Save the unsigned message.
message.Save("Unsigned.%OutputFileType%");
}
}
Imports GemBox.Email
Module Program
Sub Main()
' If using the Professional version, put your serial key below.
ComponentInfo.SetLicense("FREE-LIMITED-KEY")
' Load message from email file normally.
Dim message = MailMessage.Load("%InputFileName%")
' To unsign a Not-signed message would throw an exception!
If Not message.IsSigned Then Return
message.Unsign()
' Save the unsigned message.
message.Save("Unsigned.%OutputFileType%")
End Sub
End Module
Digital ID notes
Digital ID files used in the preceding examples are part of a simple Public Key Infrastructure (PKI) created just for this demonstration which contains the following hierarchy of certificates and CRLs:
- Root Certificate Authority certificate GemBoxCA.crt
- Intermediate Certificate Authority certificate GemBoxRSA.crt
- Digital ID GemBoxRSA1024.pfx and its certificate GemBoxRSA1024.crt
- Digital ID GemBoxRSA2048.pfx and its certificate GemBoxRSA2048.crt (revoked)
- Digital ID GemBoxRSA4096.pfx and its certificate GemBoxRSA4096.crt
- CRL GemBoxRSA.crl that revokes the certificate with the serial number 02 (GemBoxRSA2048.crt)
- Intermediate Certificate Authority certificate GemBoxECDsa.crt
- Digital ID GemBoxECDsa192.pfx and its certificate GemBoxECDsa192.crt
- Digital ID GemBoxECDsa224.pfx and its certificate GemBoxECDsa224.crt (revoked)
- Digital ID GemBoxECDsa521.pfx and its certificate GemBoxECDsa521.crt
- CRL GemBoxECDsa.crl that revokes the certificate with the serial number 02 (GemBoxECDsa224.crt)
- CRL GemBoxCA.crl that doesn't revoke any certificate
- Intermediate Certificate Authority certificate GemBoxRSA.crt
To get a valid signature in Outlook you will have to add GemBoxCA.crt certificate to the list of Trusted Certificates on your machine using the following steps:
- Download GemBoxCA.crt certificate.
- Open the file and click Install Certificate....
- If you are adding a Root Certificate, choose the option "Place all certificates in the following store" and Browse for "Trusted Root Certification Authorities".
- After the installation is finished, you can see the certificate under "User Accounts" > "Manage User Certificates" in the Control Panel.
- Once you finish the verification, it is safer to uninstall the certificate.