RFC 9788    Cryptographic MIME Header Protection    August 2025
Gillmor, et al.    Standards Track
Stream: Internet Engineering Task Force (IETF)
RFC: 9788
Updates: 8551
Category: Standards Track
Published: August 2025
ISSN: 2070-1721
Authors:
D. K. Gillmor (American Civil Liberties Union)
B. Hoeneisen (pEp Project)
A. Melnikov (Isode Ltd)

RFC 9788

Header Protection for Cryptographically Protected Email

Abstract

S/MIME version 3.1 introduced a mechanism to provide end-to-end cryptographic protection of email message headers. However, few implementations generate messages using this mechanism, and several legacy implementations have revealed rendering or security issues when handling such a message.

This document updates the S/MIME specification (RFC 8551) to offer a different mechanism that provides the same cryptographic protections but with fewer downsides when handled by legacy clients. Furthermore, it offers more explicit usability, privacy, and security guidance for clients when generating or handling email messages with cryptographic protection of message headers.

The Header Protection scheme defined here is also applicable to messages with PGP/MIME (Pretty Good Privacy with MIME) cryptographic protections.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9788.

Copyright Notice

Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

1. Introduction

Privacy and security issues regarding email Header Protection in S/MIME and PGP/MIME have been identified for some time. Most current implementations of cryptographically protected email protect only the Body of the message, which leaves significant room for attacks against otherwise-protected messages. For example, lack of Header Protection allows an attacker to substitute the message subject and/or author.

This document describes how to cryptographically protect message headers and provides guidance for the implementer of a Mail User Agent (MUA) that generates, interprets, and replies to such a message. It uses the term "Legacy MUA" to refer to an MUA that does not implement this specification. This document takes particular care to ensure that messages interact reasonably well with Legacy MUAs.

1.1. Update to RFC 8551

An older scheme for Header Protection was specified in S/MIME 3.1 [RFC8551], which involves wrapping a message/rfc822 MIME object with a Cryptographic Envelope around the message to protect it. This document refers to that scheme as "RFC 8551 Header Protection", or "RFC8551HP". Substantial testing has shown that RFC8551HP does not interact well with some Legacy MUAs (see Section 1.1.1).

This specification supersedes RFC8551HP, effectively replacing the final two paragraphs of Section 3.1 of [RFC8551].

In this specification, all Header Fields gain end-to-end cryptographic integrity and authenticity by being copied directly into the Cryptographic Payload without using an intervening message/rfc822 MIME object. In an encrypted message, some Header Fields can also be made confidential by removing or obscuring them from the Outer Header Section.

This specification also offers substantial security, privacy, and usability guidance for composing and rendering MUAs that was not considered in [RFC8551].

1.1.1. Problems with RFC 8551 Header Protection

Several Legacy MUAs have difficulty rendering a message that uses RFC8551HP. These problems can appear on signed-only messages, as well as signed-and-encrypted messages.

In some cases, some MUAs cannot render message/rfc822 message subparts at all, which is in violation of baseline MIME requirements as defined in requirement 6 of Section 2 of [RFC2049]. A message using RFC8551HP is unreadable by any recipient using such an MUA.

In other cases, the user sees an attachment suggesting a forwarded email message that -- in fact -- contains the protected email message that should be rendered directly. In most of these cases, the user can click on the attachment to view the protected message.

However, viewing the protected message as an attachment in isolation may strip it of any security indications, leaving the user unable to assess the cryptographic properties of the message. Worse, for encrypted messages, interacting with the protected message in isolation may leak contents of the cleartext, for example, if the reply is not also encrypted.

Furthermore, RFC8551HP lacks any discussion of the following points, all of which are provided in this specification:

  • Which Header Fields should be given end-to-end cryptographic integrity and authenticity protections (this specification mandates protection of all Header Fields that the composing MUA knows about).

  • How to securely indicate the composer's intent to offer Header Protection and encryption, which lets a rendering MUA detect messages whose cryptographic properties may have been modified in transit (see Section 2.1.1).

  • Which Header Fields should be given end-to-end cryptographic confidentiality protections in an encrypted message and how (see Section 3).

  • How to securely indicate the composer's choices about which Header Fields were made confidential, which lets a rendering MUA reply or forward an encrypted message safely without accidentally leaking confidential material (see Section 2.2).

These stumbling blocks with Legacy MUAs, missing mechanisms, and missing guidance create a strong disincentive for existing MUAs to generate messages using RFC8551HP. Because few messages have been produced, there has been little incentive for those MUAs capable of upgrading to bother interpreting them better.

In contrast, the mechanisms defined here are safe to adopt and produce messages with very few problems for Legacy MUAs. And Section 4.10 provides useful guidance for rendering and replying to RFC8551HP messages.

1.2. Risks of Header Protection for Legacy MUA Recipients

Producing a signed-only message using this specification has no additional risks (compared to producing a signed-only message without Header Protection). Such a message will render in the same way on any Legacy MUA as a Legacy Signed Message (that is, a signed message without Header Protection). An MUA conformant to this specification that encounters such a message will be able to gain the benefits of end-to-end cryptographic integrity and authenticity for all Header Fields.

An encrypted message produced according to this specification that has some User-Facing Header Fields removed or obscured may not render as desired in a Legacy MUA. In particular, those Header Fields that were made confidential will not be visible to the user of a Legacy MUA. For example, if the Subject Header Field outside the Cryptographic Envelope is replaced with [...], a Legacy MUA will render the [...] anywhere the Subject is normally seen. This is the only additional risk of producing an encrypted message according to this specification (compared to producing an encrypted message without confidentiality for any Header Field).

A workaround "Legacy Display" mechanism is provided in this specification (see Section 2.1.2). Legacy MUAs will render "Legacy Display Elements" to the user, albeit not in the same location that the Header Fields would normally be rendered.

Alternately, if the composer of an encrypted message is particularly concerned about the experience of a recipient using a Legacy MUA, and they are willing to accept leaking the User-Facing Header Fields, they can simply adopt the No Header Confidentiality Policy (see Section 3.2.3). A signed-and-encrypted message composed using the No Header Confidentiality Policy offers no usability risk for a reader using a Legacy MUA and retains end-to-end cryptographic integrity and authenticity properties for all Header Fields for any reader using a conformant MUA. Of course, such a message has the same (non-existent) confidentiality properties for all Header Fields as a Legacy Encrypted Message (that is, an encrypted message made without Header Protection).

1.3. Motivation

Ordinary Users generally do not understand the distinction between email message Body and Header Section. When an email message has cryptographic protections that cover the message Body but not the Header Fields, several attacks become possible.

For example, a Legacy Signed Message has a signature that covers the Body but not the Header Fields. An attacker can therefore modify the Header Fields (including Subject) without invalidating the signature. Since most readers consider a message Body in the context of the message's Subject, the meaning of the message itself could change drastically (under the attacker's control) while still retaining the same cryptographic indicators of integrity and authenticity.

In another example, a Legacy Encrypted Message has its Body effectively hidden from an adversary that snoops on the message. But if the Header Fields are not also encrypted, significant information about the message (such as the message Subject) will leak to the inspecting adversary.

However, if the composing and rendering MUAs ensure that cryptographic protections cover the message Header Section as well as the message Body, these attacks are defeated.

1.3.1. Backward Compatibility

If the composing MUA is unwilling to generate such a fully protected message due to the potential for rendering, usability, deliverability, or security issues, these defenses cannot be realized.

The composer cannot know what MUA (or MUAs) the recipient will use to handle the message. Thus, an outbound message format that is backward compatible with as many legacy implementations as possible is a more effective vehicle for providing the whole-message cryptographic protections described above.

This document aims for backward compatibility with Legacy MUAs to the extent possible. In some cases, like when a user-visible Header Field like the Subject is cryptographically hidden, a Legacy MUA will not be able to render or reply to the message exactly the same way as a conformant MUA would. But accommodations are described here (in particular, Section 2.1.2) that ensure a rough semantic equivalence for a Legacy MUA even in these cases.

1.3.2. Deliverability

A message with perfect cryptographic protections that cannot be delivered is less useful than a message with imperfect cryptographic protections that can be delivered. Senders want their messages to reach the intended recipients.

Given the current state of the Internet mail ecosystem, encrypted messages in particular cannot shield all of their Header Fields from visibility and still be guaranteed delivery to their intended recipient.

This document accounts for this concern by providing a mechanism (Section 3) that prioritizes initial deliverability (at the cost of some header leakage) while facilitating future message variants that shield more header metadata from casual inspection.

1.4. Other Protocols to Protect Email Header Fields

A separate pair of protocols also provides some cryptographic protection for the email message header integrity: DomainKeys Identified Mail (DKIM) [RFC6376], as used in combination with Domain-based Message Authentication, Reporting, and Conformance (DMARC) [RFC7489]. This pair of protocols provides a domain-based reputation mechanism that can be used to mitigate some forms of unsolicited email (spam).

However, the DKIM+DMARC suite provides cryptographic protection at a different scope, as it is usually applied by and evaluated by a mail transport agent (MTA). DKIM+DMARC typically provide MTA-to-MTA protection, whereas this specification provides MUA-to-MUA protection. This is because DKIM+DMARC are typically applied to messages by (and interpreted by) MTAs, whereas the mechanisms in this document are typically applied and interpreted by MUAs.

A rendering MUA that relies on DKIM+DMARC for sender authenticity should note Section 10.1.

Furthermore, the DKIM+DMARC suite only provides cryptographic integrity and authentication, not encryption. So cryptographic confidentiality is not available from that suite.

The DKIM+DMARC suite can be used on any message, including messages formed as defined in this document. There should be no conflict between DKIM+DMARC and the specification here.

Though not strictly email, similar protections have been in use on Usenet for the signing and verification of message Header Fields for years. See [PGPCONTROL] and [PGPVERIFY-FORMAT] for more details. Like DKIM, these Usenet control protections offer only integrity and authentication, not confidentiality.

1.5. Applicability to PGP/MIME

This document specifies end-to-end cryptographic protections for email messages in reference to S/MIME [RFC8551].

Comparable end-to-end cryptographic protections can also be provided by PGP/MIME [RFC3156].

The mechanisms in this document should be applicable in the PGP/MIME protections as well as S/MIME protections, but analysis and implementation in this document focuses on S/MIME.

To the extent that any divergence from the mechanism defined here is necessary for PGP/MIME, that divergence is out of scope for this document.

1.6. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.7. Terms

The following terms are defined for the scope of this document:

S/MIME:
Secure/Multipurpose Internet Mail Extensions (see [RFC8551])
PGP/MIME:
Pretty Good Privacy with MIME (see [RFC3156])
Message:
An email message consisting of Header Fields (collectively called "the Header Section of the message") optionally followed by a message Body; see [RFC5322].
Header Field:
A Header Field includes a field name, followed by a colon (":"), followed by a field Body (value), and is terminated by CRLF; see Section 2.2 of [RFC5322] for more details.
Header Section:
The Header Section is a sequence of lines of characters with special syntax as defined in [RFC5322]. The Header Section of a message contains the Header Fields associated with the message itself. The Header Section of a MIME part (that is, a subpart of a message) typically contains Header Fields associated with that particular MIME part.
Outer Header Section:
The unprotected Header Section that MTAs and MUAs unaware of Header Protection treat as the Header Section of the Message.
Inner Header Section:
The Header Section at the root of the Cryptographic Payload. An MUA that implements Header Protection renders Header Fields from this section for the user.
Body:
The Body is the part of a message that follows the Header Section and is separated from the Header Section by an empty line (that is, a line with nothing preceding the CRLF); see [RFC5322]. It is the (bottom) section of a message containing the payload of a message. Typically, the Body consists of a (possibly multipart) MIME [RFC2045] construct.
Header Protection (HP):
The cryptographic protection of email Header Sections (or parts of it) by means of signatures and/or encryption.
Legacy MUA:
An MUA that does not understand Header Protection as defined in this document. A Legacy Non-Crypto MUA is incapable of doing any end-to-end cryptographic operations. A Legacy Crypto MUA is capable of doing cryptographic operations but does not understand or generate messages with Header Protection.
Legacy Signed Message:
An email message that was signed by a Legacy MUA and therefore has no cryptographic authenticity or integrity protections on its Header Fields.
Legacy Encrypted Message:
An email message that was signed and encrypted by a Legacy MUA and therefore has no cryptographic authenticity, integrity, or confidentiality protections on any of its Header Fields.
Header Confidentiality Policy (HCP):
A functional specification of which Header Fields should be removed or obscured when composing an encrypted message with Header Protection. An HCP is considered more "conservative" when it removes or obscures fewer Header Fields. When it removes or obscures more Header Fields, it is more "ambitious". See Section 3.
Ordinary User:
A user of an MUA who follows a simple and minimal experience, focused on sending and receiving emails. A user who opts into advanced configuration, expert mode, or the like is not an "Ordinary User".
Respond Function:
A function found in most MUAs that defines how to pre-populate the Header Fields of a new message in response to another message. See Section 6.1.1.

Additionally, Cryptographic Layer, Cryptographic Payload, Cryptographic Envelope, Cryptographic Summary, Structural Header Fields, Non-Structural Header Fields, Main Body Part, User-Facing Header Fields, and MUA are all used as defined in [RFC9787].

The policies "Specification Required" and "IETF Review" that appear in this document when used to describe namespace allocation are to be interpreted as described in [RFC8126].

Note: To avoid ambiguity, this document avoids using the terms "Header" or "Headers" in isolation, but instead always uses "Header Field" to refer to the individual field and "Header Section" to refer to the entire collection.

1.8. Document Scope

This document describes sensible, simple behavior for a program that generates an email message with standard end-to-end cryptographic protections, following the guidance in [RFC9787]. An implementation conformant to this document will produce messages that have cryptographic protection that covers the message's Header Fields as well as its Body.

1.8.1. In Scope

This document also describes sensible, simple behavior for a program that interprets such a message in a way that can take advantage of these protections covering the Header Fields as well as the Body.

The message generation guidance aims to minimize negative interactions with any Legacy rendering MUA while providing actionable cryptographic properties for modern rendering MUAs.

In particular, this document focuses on two standard types of cryptographic protection that cover the entire message:

  • a cleartext message with a single signature and

  • an encrypted message that contains a single cryptographic signature.

1.8.2. Out of Scope

The message composition guidance in this document (in Section 5.2) aims to provide minimal disruption for any Legacy MUA that renders such a message. However, by definition, a Legacy MUA does not implement any of the guidance here. Therefore, the document does not attempt to provide guidance for Legacy MUAs directly.

Furthermore, this document does not explicitly contemplate other variants of cryptographic message protections, including any of these:

  • encrypted-only message (without a cryptographic signature; see Section 5.3 of [RFC9787])

  • triple-wrapped message

  • signed message with multiple signatures

  • encrypted message with a cryptographic signature outside the encryption

All such messages are out of scope of this document.

1.9. Example

This section provides an example of MIME messages with Header Protection.

Consider the following MIME message:

A └┬╴application/pkcs7-mime; smime-type="enveloped-data"
   ╧ (decrypts to)
B  └┬╴application/pkcs7-mime; smime-type="signed-data"
    ┴ (unwraps to)
C   └┬╴multipart/alternative; hp="cipher"
D    ├─╴text/plain; hp-legacy-display="1"
E    └─╴text/html; hp-legacy-display="1"

Observe that:

  • Nodes A and B are collectively called the Cryptographic Envelope. Node C (including its subnodes D and E) is called the Cryptographic Payload [RFC9787].

  • Node A contains the (unprotected) outer Header Fields. Node C contains the (protected) inner Header Fields.

  • The presence of the hp attribute (see Section 2.1.1) on the Content-Type of node C allows the renderer to know that the composer applied Header Protection. Its value allows the renderer to distinguish whether the composer intended for the message to be confidential (hp="cipher") or not (hp="clear"), since encryption may have been added in transit (see Section 10.2).

The Outer Header Section on node A looks as follows:

Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net>
To: Alice <alice@example.net>
Subject: [...]
Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: application/pkcs7-mime; smime-type="enveloped-data"
MIME-Version: 1.0

The Inner Header Section on node C looks as follows:

Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net>
To: Alice <alice@example.net>
Subject: Handling the Jones contract
Keywords: Contract, Urgent
Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: multipart/alternative; hp="cipher"
MIME-Version: 1.0
HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
HP-Outer: From: Bob <bob@example.net>
HP-Outer: To: Alice <alice@example.net>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <20230111T210843Z.1234@lhp.example>

Observe that:

  • Between node C and node A, some Header Fields are copied as is (Date, From, To, Message-ID), some are obscured (Subject), and some are removed (Keywords).

  • The HP-Outer Header Fields (see Section 2.2) of node C contain a protected copy of the Header Fields in node A. The copy allows the renderer to recompute for which Header Fields the composer provided confidentiality by removing or obscuring them.

  • The copying/removing/obscuring and the HP-Outer only apply to Non-Structural Header Fields, not to Structural Header Fields like Content-Type or MIME-Version (see Section 1.1.1 of [RFC9787]).

  • If the composer intends no confidentiality and doesn't encrypt the message, it doesn't remove or obscure Header Fields. All Non-Structural Header Fields are copied as is. No HP-Outer Header Fields are present.

Node D looks as follows:

Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";

Subject: Handling the Jones contract
Keywords: Contract, Urgent

Please review and approve or decline by Thursday, it's critical!

Thanks,
Bob

--
Bob Gonzalez
ACME, Inc.

Observe that:

  • The composer adds the removed and obscured User-Facing Header Fields (see Section 1.1.2 of [RFC9787]) to the main Body (note the empty line after the Content-Type). This is called the Legacy Display Element. It allows a user with a Legacy MUA that doesn't implement this document to understand the message, since the Header Fields will be shown as part of the main Body.

  • The hp-legacy-display="1" attribute (see Section 2.1.2) indicates that the composer added a Legacy Display Element. This allows renderers that implement this document to recognize the Legacy Display Element and distinguish it from user-added content. The renderer then hides the Legacy Display Element and doesn't display it to the user.

  • hp-legacy-display is added to the node to which it applies, not on any outer nodes (e.g., not to node C).

For more examples, see Appendices D and E.

2. Internet Message Format Extensions

This section describes relevant, backward-compatible extensions to the Internet Message Format [RFC5322]. Subsequent sections offer concrete guidance for an MUA to make use of these mechanisms, including policy decisions and recommended pseudocode.

2.1. Content-Type Parameters

This document introduces two parameters for the Content-Type Header Field, which have distinct semantics and use cases.

2.1.1. Content-Type Parameter: hp

This specification defines a parameter for the Content-Type Header Field named hp (for Header Protection). This parameter is only relevant on the Content-Type Header Field at the root of the Cryptographic Payload. The presence of this parameter at the root of the Cryptographic Payload indicates that the composer intends for this message to have end-to-end cryptographic protections for the Header Fields.

The parameter's defined values describe the composer's cryptographic intent when producing the message:

Table 1: hp Parameter for Content-Type Header Field

hp Value | Authenticity | Integrity | Confidentiality | Description
---------|--------------|-----------|-----------------|------------
"clear"  | yes          | yes       | no              | This message has been signed by the composer, with Header Protection.
"cipher" | yes          | yes       | yes             | This message has been signed by the composer, with Header Protection, and is encrypted to the recipients.

A composing implementation MUST NOT produce a Cryptographic Payload with parameter hp="cipher" for an unencrypted message (that is, where none of the Cryptographic Layers in the Cryptographic Envelope of the message provide encryption). Likewise, if a composing implementation is constructing an encrypted message with Header Protection, it MUST emit an hp="cipher" parameter, regardless of which Header Fields were made confidential.

Note that hp="cipher" indicates that the message itself has been encrypted by the composer to the recipients but makes no assertions about which Header Fields have been removed or obscured. This can be derived from the Cryptographic Payload itself (see Section 4.2).

A rendering implementation MUST NOT mistake the presence of an hp="cipher" parameter in the Cryptographic Payload for the actual presence of a Cryptographic Layer that provides encryption.

2.1.2. Content-Type Parameter: hp-legacy-display

This specification also defines an hp-legacy-display parameter for the Content-Type Header Field. The only defined value for this parameter is 1.

This parameter is only relevant on a leaf MIME node of Content-Type text/html or text/plain within a well-formed message with end-to-end cryptographic protections. Its presence indicates that the MIME node it is attached to contains a decorative "Legacy Display Element". The Legacy Display Element itself is used for backward-compatible visibility of any removed or obscured User-Facing Header Field in a Legacy MUA.

Such a Legacy Display Element need not be rendered to the user of an MUA that implements this specification, because the MUA already knows the correct Header Field information and can render it to the user in the appropriate part of the MUA's user interface rather than in the Body of the message.

See Section 5.2.2 for how to insert a Legacy Display Element into a text/plain Main Body Part. See Section 5.2.3 for how to insert a Legacy Display Element into a text/html Main Body Part. See Section 4.5.3 for how to avoid rendering a Legacy Display Element.

2.2. HP-Outer Header Field

This document also specifies a new Header Field: HP-Outer.

This Header Field is used only in the Header Section of the Cryptographic Payload of an encrypted message. It is not relevant for signed-only messages. It documents, with the same cryptographic guarantees shared by the rest of the message, the composer's choices about Header Field confidentiality. It does so by embedding a copy within the Cryptographic Envelope of every Non-Structural Header Field that the composer put outside the Cryptographic Envelope. This Header Field enables the MUA rendering the encrypted message to reliably identify whether the composing MUA intended to make a Header Field confidential (see also Section 11.3).

The HP-Outer Header Fields in a message's Cryptographic Payload are useful for ensuring that any confidential Header Field will not be automatically leaked in the clear if the user replies to or forwards the message. They may also be useful for an MUA that indicates the confidentiality status of any given Header Field to the user.

An implementation that composes encrypted email MUST include a copy of all Non-Structural Header Fields deliberately exposed to the outside of the Cryptographic Envelope using a series of HP-Outer Header Fields within the Cryptographic Payload. These HP-Outer MIME Header Fields should only ever appear directly within the Header Section of the Cryptographic Payload of a Cryptographic Envelope offering confidentiality. They MUST be ignored for the purposes of evaluating the message's Header Protection if they appear in other places.

Each instance of HP-Outer contains a Non-Structural Header Field name and the value that this Header Field was set to within the (unprotected) Outer Header Section. The HP-Outer Header Field can appear multiple times in the Header Section of a Cryptographic Payload.

If a Non-Structural Header Field named Z is present in Header Section of the Cryptographic Payload but doesn't appear in an HP-Outer Header Field value at all, then the composer is effectively asserting that every instance of Z was made confidential by removal from the Outer Header Section. Specifically, it means that no Header Field Z was included on the outside of the message's Cryptographic Envelope by the composer at the time the message was injected into the mail system.

See Section 5.2 for how to insert HP-Outer Header Fields into an encrypted message. See Section 4.3 for how to determine the end-to-end confidentiality of a given Header Field from an encrypted message with Header Protection using HP-Outer. See Section 6.1 for how an MUA can safely reply to (or forward) an encrypted message without leaking confidential Header Fields by default.

2.2.1. HP-Outer Header Field Definition

The syntax of this Header Field is defined using the following ABNF [RFC5234], where field-name, WSP, VCHAR, and FWS are defined in [RFC5322]:

hp-outer        =   "HP-Outer:" [FWS] field-name ": "
                    hp-outer-value CRLF

hp-outer-value  =   (*([FWS] VCHAR) *WSP)

Note that hp-outer-value is the same as unstructured from Section 3.2.5 of [RFC5322] but without the obsolete obs-unstruct option.

3. Header Confidentiality Policy

An MUA composing an encrypted message according to this specification may make any given Header Field confidential by removing it from the Header Section outside the Cryptographic Envelope or by obscuring it by rewriting it to a different value in that Outer Header Section. The composing MUA faces a choice for any new message: Which Header Fields should be made confidential, and how?

This section defines the "Header Confidentiality Policy" (or HCP) as a well-defined abstraction to encourage MUA developers to consider, document, and share reasonable policies across the community. It establishes a registry of known HCPs, defines a small number of simple HCPs in that registry, and makes a recommendation for a reasonable default.

Note that such a policy is only needed when the end-to-end protections include encryption (confidentiality). No comparable policy is needed for other end-to-end cryptographic protections (integrity and authenticity), as they are simply uniformly applied so that all Header Fields known by the composer have these protections.

This asymmetry is a consequence of complexities in existing message delivery systems, some of which may reject, drop, or delay messages where all Header Fields are removed from the top-level MIME object.

Note that no representation of the HCP itself ever appears "on the wire". However, the consumer of the encrypted message can see the decisions that were made by the composer's HCP via the HP-Outer Header Fields (see Section 2.2).

3.1. HCP Definition

In this document, we represent that HCP as a function hcp:

  • hcp(name, val_in) -> val_out: This function takes a Non-Structural Header Field identified by name with the initial value val_in as arguments and returns a replacement Header Field value val_out. If val_out is the special value null, it means that the Header Field in question should be removed from the set of Header Fields visible outside the Cryptographic Envelope.

In the pseudocode descriptions of various choices of HCP in this document, any comparison with the name input is done case-insensitively. This is appropriate for Header Field names, as described in [RFC5322].

Note that hcp is only applied to Non-Structural Header Fields. When composing a message, Structural Header Fields are dealt with separately, as described in Section 5.2.

As an example, an MUA that obscures the Subject Header Field by replacing it with the literal string "[...]", hides all Cc'ed recipients, and does not offer confidentiality to any other Header Fields would be represented as (in pseudocode):

hcp_example_hide_cc(name, val_in) → val_out:
    if lower(name) is 'subject':
        return '[...]'
    else if lower(name) is 'cc':
        return null
    else:
        return val_in

For alignment with common practice as well as the ABNF in Section 2.2.1 for HP-Outer, val_out MUST be one of the following:

  • identical to val_in,

  • the special value null (meaning that the Header Field will be removed from the outside of the message), or

  • a sequence of printable 7-bit clean ASCII characters (of course, non-ASCII text can be encoded as ASCII using the encoded-word construct from [RFC2047]) and ASCII whitespace (specifically, space (0x20) and tab (0x09)).

The HCP can compute val_out using any technique describable in pseudocode, such as copying a fixed string or invocations of other pseudocode functions. If it alters the value, it MUST NOT include control or NUL characters in val_out. val_out SHOULD match the expected ABNF for the Header Field identified by name.

3.1.1. HCP Avoids Changing addr-spec of From Header Field

The From Header Field should also be treated specially by the HCP to enable defense against possible email address spoofing (see Section 10.1). In particular, for hcp("From", val_in), the addr-spec of val_in and the addr-spec of val_out SHOULD match according to Section 4.4.5, unless the composing MUA has additional knowledge coordinated with the rendering MUA about more subtle addr-spec equivalence or certificate validity.

3.2. Initial Registered HCPs

This document formally defines three Header Confidentiality Policies with known and reasonably well-understood characteristics as a way to compare and contrast different possible behavioral choices for a composing MUA. These definitions are not meant to preclude the creation of other HCPs.

The purpose of the registry of HCPs is to facilitate HCP evolution and interoperability discussion among MUA developers and MTA operators.

(The example hypothetical HCP, hcp_example_hide_cc, described in Section 3.1 above is deliberately not formally registered, as it has not been evaluated in practice.)

3.2.1. Baseline Header Confidentiality Policy

The most conservative recommended HCP only provides confidentiality for Informational Fields, as defined in Section 3.6.5 of [RFC5322]. These fields are "only human-readable content" and thus their content should not be relevant to transport agents. Since most Internet messages today do have a Subject Header Field, and some filtering engines might object to a message without a Subject, this policy is conservative and merely obscures that Header Field by replacing it with a fixed string [...]. By contrast, Comments and Keywords Header Fields are comparatively rare, so these fields are removed entirely from the Outer Header Section.

hcp_baseline(name, val_in) → val_out:
    if lower(name) is 'subject':
        return '[...]'
    else if lower(name) is in ['comments', 'keywords']:
        return null
    else:
        return val_in

hcp_baseline is the recommended default HCP, as it provides meaningful confidentiality protections and is unlikely to cause deliverability or usability problems.

3.2.2. Shy Header Confidentiality Policy

Alternately, a slightly more ambitious (and therefore more privacy-preserving) HCP might avoid leaking human-interpretable data that MTAs generally don't care about. The additional protected data isn't related to message routing or transport but might reveal sensitive information about the composer or their relationship to the recipients. This "shy" HCP builds on hcp_baseline but also:

  • avoids revealing the display-name of each identified email address and

  • avoids leaking the composer's locally configured time zone in the Date Header Field.

hcp_shy(name, val_in) → val_out:
   if lower(name) is 'from':
      if val_in is an RFC 5322 mailbox:
         return the RFC 5322 addr-spec part of val_in
   if lower(name) in ['to', 'cc']:
      if val_in is an RFC 5322 mailbox-list:
         let val_out be an empty mailbox-list
         for each mailbox in val_in:
            append the RFC 5322 addr-spec part of mailbox to val_out
         return val_out
   if lower(name) is 'date':
      if val_in is an RFC 5322 date-time:
          return the UTC form of val_in
   else if lower(name) is 'subject':
      return '[...]'
   else if lower(name) is in ['comments', 'keywords']:
      return null
   return val_in

hcp_shy requires more sophisticated parsing and Header Field manipulation and is not recommended as a default HCP.
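The following Python sketch is an added example, not code from this document or from any MUA. It implements hcp_baseline and hcp_shy with the standard email.utils parsers (which are more lenient than the RFC 5322 grammar) and checks every result against the val_out constraints of Section 3.1 and the From rule of Section 3.1.1. The names violations, outer_fields and SAMPLE, and the sample header values, are constructed for illustration.

```python
from datetime import timezone
from email.utils import format_datetime, getaddresses, parsedate_to_datetime


def hcp_baseline(name, val_in):
    """Section 3.2.1: obscure Subject, remove Comments and Keywords."""
    lname = name.lower()
    if lname == "subject":
        return "[...]"
    if lname in ("comments", "keywords"):
        return None  # null: drop the field from the Outer Header Section
    return val_in


def _addr_specs(value):
    """addr-spec of every mailbox that parses out of a From/To/Cc value."""
    return [addr for _name, addr in getaddresses([value]) if "@" in addr]


def hcp_shy(name, val_in):
    """Section 3.2.2: hcp_baseline plus no display-names and a UTC Date."""
    lname = name.lower()
    if lname == "from":
        specs = _addr_specs(val_in)
        # Anything other than one mailbox falls through unchanged.
        return specs[0] if len(specs) == 1 else val_in
    if lname in ("to", "cc"):
        specs = _addr_specs(val_in)
        return ", ".join(specs) if specs else val_in
    if lname == "date":
        try:
            when = parsedate_to_datetime(val_in)
        except (TypeError, ValueError):
            return val_in  # not a date-time: leave as is
        if when.tzinfo is None:  # "-0000" carries no local zone to hide
            return val_in
        return format_datetime(when.astimezone(timezone.utc))
    return hcp_baseline(name, val_in)


def violations(name, val_in, val_out):
    """Check one hcp() result against Sections 3.1 and 3.1.1."""
    if val_out is None or val_out == val_in:
        return []
    problems = []
    # Altered values: printable ASCII, space and tab only (no control/NUL).
    if any(not (0x20 <= ord(ch) <= 0x7E or ch == "\t") for ch in val_out):
        problems.append("val_out is not printable ASCII plus space/tab")
    # Simple case-insensitive check; Section 4.4.5 also covers IDN domains.
    if name.lower() == "from":
        before = [a.lower() for a in _addr_specs(val_in)]
        after = [a.lower() for a in _addr_specs(val_out)]
        if before != after:
            problems.append("From addr-spec changed")
    return problems


def outer_fields(headers, hcp):
    """Apply hcp to (name, value) pairs; return what stays visible outside."""
    visible = []
    for name, val_in in headers:
        val_out = hcp(name, val_in)
        problems = violations(name, val_in, val_out)
        if problems:
            raise ValueError(f"{name}: {'; '.join(problems)}")
        if val_out is not None:
            visible.append((name, val_out))
    return visible


# Constructed sample: Non-Structural Header Fields of a draft message.
SAMPLE = [
    ("From", "Alice Example <alice@example.net>"),
    ("To", "Bob Example <bob@example.org>, Carol <carol@example.org>"),
    ("Date", "Wed, 11 Jan 2023 16:02:33 -0500"),
    ("Subject", "Merger term sheet"),
    ("Keywords", "confidential, merger"),
    ("Message-ID", "<constructed-1@example.net>"),
]

if __name__ == "__main__":
    for policy in (hcp_baseline, hcp_shy):
        print(policy.__name__)
        for name, value in outer_fields(SAMPLE, policy):
            print(f"  {name}: {value}")
```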

3.2.3. No Header Confidentiality Policy

Legacy MUAs can be conceptualized as offering a "No Header Confidentiality" Policy, which offers no confidentiality protection to any Header Field:

hcp_no_confidentiality(name, val_in) → val_out:
    return val_in

A conformant MUA that is not modified by local policy or configuration MUST NOT use hcp_no_confidentiality by default.

3.3. Default Header Confidentiality Policy

An MUA MUST have a default HCP that offers confidentiality for the Subject Header Field at least. Local policy and configuration may alter this default, but the MUA SHOULD NOT require the user to select an HCP.

hcp_baseline provides confidentiality for the Subject Header Field by replacing it with the literal string "[...]". It also provides confidentiality for the other less common Informational Header Fields (Comments and Keywords) by removing them entirely from the Outer Header Section. This is a sensible default because most users treat the Informational Fields of a message (particularly the Subject) the same way that they treat the Body, and they are surprised to find that the Subject of an encrypted message is visible.

3.4. HCP Evolution

This document does not mandate any particular HCP, though it offers guidance for MUA implementers in selecting one in Section 3.3. Future documents may recommend or mandate such a policy for an MUA with specific needs. Such a recommendation might be motivated by descriptions of metadata-derived attacks, stem from research about message deliverability, or describe new signaling mechanisms, but these topics are out of scope for this document.

3.4.1. Offering More Ambitious Header Confidentiality

An MUA MAY offer even more ambitious confidentiality for Header Fields of an encrypted message than defined in Section 3.2.2. For example, it might implement an HCP that removes the To and Cc Header Fields entirely, relying on the SMTP envelope to ensure proper routing. Or it might remove References and In-Reply-To so that message threading is not visible to any MTA. Any more ambitious choice might result in deliverability, rendering, or usability issues for the relevant messages, so testing and documentation will be valuable to get this right.

The authors of this document hope that implementers with deployment experience will document their chosen HCP and the rationale behind their choice.

3.4.2. Expert Guidance for Registering Header Confidentiality Policies

There is no formal syntax specified for the HCP, but any attempt to specify an HCP for inclusion in the registry needs to provide:

  • a stable reference document clearly indicating the distinct name for the proposed HCP,

  • pseudocode that other implementers can clearly and unambiguously interpret,

  • a clear explanation of why this HCP is different from all other registered HCPs, and

  • any relevant considerations related to deployment of the HCP (for example, known or expected deliverability, rendering, or privacy challenges and possible mitigations).

When the proposed HCP produces any non-null output for a given Header Field name, val_out SHOULD match the expected ABNF for that Header Field. If the proposed HCP does not match the expected ABNF for that Header Field, the documentation should explicitly identify the relevant circumstances and provide a justification for the deviation.

An entry should not be marked as "Recommended" unless it has been shown to offer confidentiality or privacy improvements over the status quo and have minimal or mitigable negative impact on messages to which it is applied, considering factors such as message deliverability and security. Only one entry in the table (hcp_baseline) is initially marked as "Recommended". In the future, more than one entry may be marked as "Recommended".

4. Rendering Guidance (Receiving Side)

An MUA that receives a cryptographically protected email will render it for the user.

The rendering MUA will render the message Body, render a selected subset of Header Fields, and (as described in Section 3 of [RFC9787]) provide a summary of the cryptographic properties of the message.

Most MUAs only render a subset of Header Fields by default. For example, most MUAs render the From, To, Cc, Date, and Subject Header Fields to the user, but few render Message-Id or Received.

An MUA that knows how to handle a message with Header Protection makes the following four changes to its behavior when rendering a message:

Note that an MUA that handles a message with Header Protection does not need to render any new Header Fields that it did not render before.

4.1. Identifying That a Message Has Header Protection

An incoming message can be identified as having Header Protection using the following test:

  • The Cryptographic Payload has parameter hp set to "clear" or "cipher". See Section 4.5 for rendering guidance.

When consuming a message, an MUA MUST ignore the hp parameter to Content-Type when it encounters it anywhere other than the root of the message's Cryptographic Payload.

4.2. Extracting Protected Header Fields From an Encrypted Message

When a message is encrypted and uses Header Protection, the rendering MUA extracts two lists of Header Fields (names and values):

  • The list of Header Fields that the composing MUA applied to the protected message.

  • Those Header Fields added by the composing MUA to the (unprotected) Outer Header Section of the message, intended for interpretation by MTAs and Legacy MUAs.

The following algorithm takes referenced message refmsg as input, which is encrypted with Header Protection as described in this document (that is, the Cryptographic Envelope includes a Cryptographic Layer that provides encryption, and the hp parameter for the Content-Type Header Field of the Cryptographic Payload is cipher). It produces as output a pair of lists of (h,v) Header Fields.

4.2.1. HeaderSetsFromMessage

Method signature:

HeaderSetsFromMessage(refmsg) -> (refouter, refprotected)

Procedure:

  1. Let refheaders be the list of (h,v) protected Header Fields found in the root of the Cryptographic Payload of refmsg.

  2. Let refouter be an empty list of Header Field names and values.

  3. Let refprotected be an empty list of Header Field names and values.

  4. For each (h,v) in refheaders:

    1. If h is HP-Outer:

      1. Split v into (h1,v1) on the first colon (:), followed by any amount of whitespace.

      2. Append (h1,v1) to refouter.

    2. Else:

      1. Append (h,v) to refprotected.

  5. Return refouter, refprotected.

Note that this algorithm is independent of the Outer Header Section. It derives its output only from the normal Header Fields and the HP-Outer Header Fields, both contained inside the Cryptographic Payload.

4.3. Updating the Cryptographic Summary

Regardless of whether a cryptographically protected message has protected Header Fields, the Cryptographic Summary of the message should be modified to indicate what protections the Header Fields have. This field-by-field status is complex and isn't necessarily intended to be presented in full to the user. Rather, it represents the state of the message internally within the MUA and may be used to influence behavior like replying to or forwarding the message (see Section 6.1).

Each Header Field individually has exactly one of the following protection states:

  • unprotected (has no Header Protection)

  • signed-only (bound into the same validated signature as the enclosing message, but also visible in transit)

  • encrypted-only (only appears within the Cryptographic Payload; the corresponding external Header Field was either removed or obscured)

  • signed-and-encrypted (same as encrypted-only, but additionally is under a validated signature)

If the message does not have Header Protection (as determined by Section 4.1), then all of the Header Fields are by definition unprotected.

If the message has Header Protection, an MUA SHOULD use the following algorithm to compute the protection state of a protected Header Field (h,v):

4.3.1. HeaderFieldProtection

Method signature:

HeaderFieldProtection(msg, h, v) -> protection_state

Procedure:

  1. Let ct be the Content-Type of the root of the Cryptographic Payload of msg.

  2. Compute (refouter, refprotected) from HeaderSetsFromMessage(msg).

  3. If (h, v) is not in refprotected:

    1. Abort, v is not a valid value for Header Field h.

  4. Let is_sig_valid be false.

  5. If the message is signed:

    1. Let is_sig_valid be the result of validating the signature.

  6. If the message is encrypted, and if ct has a parameter hp="cipher", and if (h,v) is not in refouter:

    1. Return signed-and-encrypted if is_sig_valid, otherwise return encrypted-only.

  7. Return signed-only if is_sig_valid, otherwise return unprotected.

Note that:

  • This algorithm is independent of the unprotected Header Fields. It derives the protection state only from (h,v) and the set of HP-Outer Header Fields, both of which are inside the Cryptographic Envelope.

  • If the signature fails validation, the MUA lowers the affected state to unprotected or encrypted-only without any additional warning to the user (see also Section 3.1 of [RFC9787]).

  • Data from signed-and-encrypted and encrypted-only Header Fields may still not be fully private (see Section 11.2).

  • Encryption may have been added in transit to an originally signed-only message. Thus, only consider Header Fields to be confidential if the composer indicates it with the hp="cipher" parameter.

  • The protection state of a Header Field may be weaker than that of the message Body. For example, a message Body can be signed-and-encrypted, but a Header Field that is copied unmodified to the Outer Header Section is signed-only.

If the message has Header Protection, the Header Fields that are not in refprotected (e.g., because they were added in transit) are unprotected.
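The two procedures above (HeaderSetsFromMessage and HeaderFieldProtection) can be written directly in Python. This is an added example, not code from this document: it assumes that decryption and signature validation have already been done by the MUA's cryptographic layer and are passed in as flags on a hypothetical DecodedMessage record, and the payload text is a constructed sample.

```python
from dataclasses import dataclass
from email import message_from_string
from email.message import Message


@dataclass
class DecodedMessage:
    """Hypothetical result of unwrapping the Cryptographic Envelope."""
    payload: Message        # root of the Cryptographic Payload
    encrypted: bool         # envelope had an encrypting Cryptographic Layer
    signed: bool            # envelope had a signing Cryptographic Layer
    signature_valid: bool   # outcome of validating that signature


def header_sets_from_message(msg):
    """Section 4.2.1: returns (refouter, refprotected), names lower-cased."""
    refouter, refprotected = [], []
    for h, v in msg.payload.items():
        if h.lower() == "hp-outer":
            # Split on the first colon, then drop the whitespace after it.
            h1, _colon, v1 = v.partition(":")
            refouter.append((h1.strip().lower(), v1.lstrip(" \t")))
        else:
            refprotected.append((h.lower(), v))
    return refouter, refprotected


def header_field_protection(msg, h, v):
    """Section 4.3.1: protection state of the protected Header Field (h, v)."""
    hp = msg.payload.get_param("hp")  # parameter of the payload's Content-Type
    refouter, refprotected = header_sets_from_message(msg)
    field = (h.lower(), v)
    if field not in refprotected:
        raise ValueError(f"{v!r} is not a valid value for Header Field {h}")
    is_sig_valid = msg.signed and msg.signature_valid
    # Confidential only if the composer said so (hp="cipher") and the field
    # was not copied unchanged to the outside (no matching HP-Outer).
    if msg.encrypted and hp == "cipher" and field not in refouter:
        return "signed-and-encrypted" if is_sig_valid else "encrypted-only"
    return "signed-only" if is_sig_valid else "unprotected"


# Constructed sample of a decrypted Cryptographic Payload.
SAMPLE_PAYLOAD = """\
Content-Type: text/plain; charset="us-ascii"; hp="cipher"
MIME-Version: 1.0
Subject: Quarterly numbers
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Date: Wed, 11 Jan 2023 16:08:43 -0500
Message-ID: <constructed-2@example.net>
HP-Outer: Subject: [...]
HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.org>
HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
HP-Outer: Message-ID: <constructed-2@example.net>

Body text.
"""

if __name__ == "__main__":
    decoded = DecodedMessage(message_from_string(SAMPLE_PAYLOAD),
                             encrypted=True, signed=True, signature_valid=True)
    for name in ("Subject", "From", "To", "Date", "Message-ID"):
        state = header_field_protection(decoded, name, decoded.payload[name])
        print(f"{name}: {state}")
```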

Rendering the cryptographic status of each Header Field is likely to be complex and messy -- users may not understand it. It is beyond the scope of this document to suggest any specific graphical affordances or user experience. Future work should include examples of successful rendering of this information.

4.4. Handling Mismatch of From Header Fields

End-to-end (MUA-to-MUA) Header Protection is good for authenticity, integrity, and confidentiality, but it potentially introduces new issues when an MUA depends on its MTA to authenticate parts of the Header Section. The latter is typically the case in modern email systems.

In particular, when an MUA depends on its MTA to ensure that the email address in the (unprotected) From Header Field is authentic, but the MUA renders the email address of the protected From Header Field that differs from the address visible to the MTA, this could create a risk of sender address spoofing (see Section 10.1). This potential risk applies to signed-only messages as well as signed-and-encrypted messages.

4.4.1. Definitions

4.4.1.1. From Header Field Mismatch

"From Header Field Mismatch" is defined as follows:

The addr-spec of the inner From Header Field doesn't match the addr-spec of the outer From Header Field (see Section 4.4.5).

Note: The unprotected From Header Field used in this comparison is the actual Header Field found in the Outer Header Section (as seen by the MTA), not the value indicated by any potential inner HP-Outer Header Field.

4.4.1.2. No Valid and Correctly Bound Signature

"No Valid and Correctly Bound Signature" is defined as follows:

There is no valid signature made by a certificate for which the MUA has a valid binding to the protected From address. This includes:

  • the message has no signature

  • the message has a broken signature

  • the message has a valid signature, but the rendering MUA does not see any valid binding between the signing certificate and the addr-spec of the inner From Header Field

Note: There are many possible ways that an MUA could choose to validate a certificate-to-address binding. For example, the MUA could ensure the certificate is issued by one of a set of trusted certification authorities, it could rely on the user to do a manual out-of-band comparison, it could rely on a DNSSEC signal ([RFC7929] or [RFC8162]), and so on. It is beyond the scope of this document to describe all possible ways an MUA might validate the certificate-to-address binding or to choose among them.

4.4.2. Warning for From Header Field Mismatch

To mitigate the above described risk of sender address spoofing, an MUA SHOULD warn the user whenever both of the following conditions are met:

This warning should be comparable to the MUA's warning about messages that are likely spam or phishing, and it SHOULD show both of the non-matching From Header Fields.

4.4.3. From Header Field Rendering

Furthermore, a rendering MUA that depends on its MTA to authenticate the (unprotected) outer From Header Field SHOULD render the outer From Header Field (as an exception to the guidance in the beginning of Section 4) if both of the following conditions are met:

An MUA MAY apply a local preference to render a different display name (e.g., from an address book).

See Section 10.1.1 for a detailed explanation of this rendering guidance.

4.4.4. Handling the Protected From Header Field When Responding

When responding to a message, an MUA has different ways to populate the recipients of the new message. Depending on whether it is a Reply, a Reply All, or a Forward, an MUA may populate the composer view using a combination of the referenced message's From, To, Cc, Reply-To, or Mail-Followup-To Header Fields as well as any other signals.

When responding to a message with Header Protection, an MUA MUST only use the protected Header Fields when populating the recipients of the new message.

This avoids compromise of message confidentiality when a machine-in-the-middle (MITM) attacker modifies the unprotected From address of an encrypted message, attempting to learn the contents through a misdirected reply. Note that with the rendering guidance above, a MITM attacker can cause the unprotected From Header Field to be displayed. Thus, when responding, the populated To address may differ from the rendered From address. However, this change in addresses should not cause more user confusion than the address change caused by a Reply-To in a Legacy Message does.

4.4.5. Matching addr-specs

When generating (Section 3.1.1) or consuming (Section 4.4) a protected From Header Field, the MUA considers the equivalence of two different addr-spec values.

First, the MUA MUST check whether the domain part of an addr-spec being compared contains a U-label [RFC5890]. If it does, it MUST be converted to the A-label form as described in [RFC5891]. We call a domain converted in this way (or the original domain if it didn't contain any U-label) "the ASCII version of the domain part". Second, the MUA MUST compare the ASCII version of the domain part of the two addr-specs by standard DNS comparison: Assume ASCII text and compare alphabetic characters case-insensitively, as described in Section 3.1 of [RFC1035]. If the domain parts match, then the two local-parts are matched against each other. The simplest and most common comparison for the local-part is also an ASCII-based, case-insensitive match. If the MUA has special knowledge about the domain and, when composing, it can reasonably expect the rendering MUAs to have the same information, it MAY match the local-part using a more sophisticated and inclusive matching algorithm.

It is beyond the scope of this document to recommend a more sophisticated and inclusive matching algorithm.
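A Python sketch of the simple comparison described above, together with the From Header Field Mismatch test of Section 4.4.1.1, follows. It is an added example, not code from this document. As an assumption, Python's built-in "idna" codec (which implements IDNA 2003) stands in for the U-label to A-label conversion of [RFC5891]; the function names and sample addresses are constructed.

```python
import string
from email.utils import getaddresses

_FOLD = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def ascii_fold(text):
    """Lower-case A-Z only, leaving any non-ASCII character untouched."""
    return text.translate(_FOLD)


def ascii_domain(domain):
    """The ASCII version of the domain part.

    Assumption: the stdlib 'idna' codec (IDNA 2003) is used in place of
    the RFC 5891 conversion. Raises UnicodeError on an invalid label.
    """
    if domain.isascii():
        return domain
    return domain.encode("idna").decode("ascii")


def split_addr_spec(addr_spec):
    """Split on the last '@' (a quoted local-part may itself contain '@')."""
    local, at, domain = addr_spec.rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not an addr-spec: {addr_spec!r}")
    return local, domain


def addr_specs_match(a, b):
    """Section 4.4.5 with the simple ASCII case-insensitive local-part match."""
    try:
        local_a, domain_a = split_addr_spec(a)
        local_b, domain_b = split_addr_spec(b)
        domain_a, domain_b = ascii_domain(domain_a), ascii_domain(domain_b)
    except ValueError:  # includes UnicodeError from the idna codec
        return False    # unparseable input is treated as a mismatch
    if ascii_fold(domain_a) != ascii_fold(domain_b):
        return False
    return ascii_fold(local_a) == ascii_fold(local_b)


def from_mismatch(inner_from, outer_from):
    """True if the inner and outer From values are a From Header Field Mismatch.

    outer_from must be the field actually found in the Outer Header Section,
    not a value taken from an inner HP-Outer field.
    """
    inner = [a for _n, a in getaddresses([inner_from]) if "@" in a]
    outer = [a for _n, a in getaddresses([outer_from]) if "@" in a]
    if len(inner) != 1 or len(outer) != 1:
        return True  # nothing unambiguous to compare: report a mismatch
    return not addr_specs_match(inner[0], outer[0])


if __name__ == "__main__":
    # Constructed samples.
    print(addr_specs_match("Alice@Example.NET", "alice@example.net"))
    print(addr_specs_match("alice@b\u00fccher.example",
                           "alice@xn--bcher-kva.example"))
    print(from_mismatch("Alice <alice@example.net>",
                        "Alice <alice@example.org>"))
```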

4.5. Rendering a Message with Header Protection

When the Cryptographic Payload's Content-Type has the parameter hp set to "clear" or "cipher", the values of the protected Header Fields are drawn from the Header Fields of the Cryptographic Payload, and the Body that is rendered is the content of the Cryptographic Payload itself.

4.5.1. Example Signed-Only Message

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

A └┬╴application/pkcs7-mime; smime-type="signed-data"
   ┴ (unwraps to)
B  └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
C   ├─╴text/plain
D   └─╴text/html

The message Body should be rendered the same way as this message:

B └┬╴multipart/alternative
C  ├─╴text/plain
D  └─╴text/html

The MUA should render Header Fields taken from part B.

Its Cryptographic Summary should indicate that the message was signed and all rendered Header Fields were included in the signature.

Because this message is signed-only, none of its parts will have a Legacy Display Element.

The MUA should ignore Header Fields from part A for the purposes of rendering.

4.5.2. Example Signed-and-Encrypted Message

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

E └┬╴application/pkcs7-mime; smime-type="enveloped-data"
   ╧ (decrypts to)
F  └┬╴application/pkcs7-mime; smime-type="signed-data"
    ┴ (unwraps to)
G   └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
H    ├─╴text/plain
I    └─╴text/html

The message Body should be rendered the same way as this message:

G └┬╴multipart/alternative
H  ├─╴text/plain
I  └─╴text/html

It should render Header Fields taken from part G.

Its Cryptographic Summary should indicate that the message is signed-and-encrypted.

When rendering the Cryptographic Status of a Header Field and when composing a reply (or forward), each Header Field found in G should be considered against all HP-Outer Header Fields found in G. If an HP-Outer Header Field that matches both the name and value is found, the Header Field's Cryptographic Status is just signed-only, even though the message itself is signed-and-encrypted. If no matching HP-Outer Header Field is found, the Header Field's Cryptographic Status is signed-and-encrypted, like the rest of the message (see Section 4.3).

If any of the User-Facing Header Fields are removed or obscured, the composer of this message may have placed Legacy Display Elements in parts H and I.

The MUA should ignore Header Fields from part E for the purposes of rendering.

4.5.3. Do Not Render Legacy Display Elements

As described in Section 2.1.2, a message with cryptographic confidentiality protection MAY include Legacy Display Elements for backward compatibility with Legacy MUAs. These Legacy Display Elements are strictly decorative and unambiguously identifiable and will be discarded by compliant implementations.

The rendering MUA MUST completely avoid rendering the identified Legacy Display Elements to the user, since it is aware of Header Protection and can render the actual protected Header Fields.

If a text/html or text/plain part within the Cryptographic Envelope is identified as containing Legacy Display Elements, those elements MUST be hidden when rendering and MUST be dropped when generating a draft reply or inline forwarded message. Whenever a message or a MIME subtree is exported, downloaded, or otherwise further processed, if there is no need to retain a valid cryptographic signature, the implementer MAY drop the Legacy Display Elements.

4.5.3.1. Identifying a Part with Legacy Display Elements

A rendering MUA acting on a message that contains an encrypting Cryptographic Layer identifies a MIME subpart within the Cryptographic Payload as containing Legacy Display Elements based on the Content-Type of the subpart. The subpart's Content-Type:

Note that the term "subpart" above is used in the general sense: If the Cryptographic Payload is a single part, that part itself may contain a Legacy Display Element if it is marked with the hp-legacy-display="1" parameter.

4.5.3.2. Omitting Legacy Display Elements from text/plain

If a text/plain part within the Cryptographic Payload has the Content-Type parameter hp-legacy-display="1", it should be processed before rendering in the following fashion:

  • Discard the leading lines of the content of the MIME part up to and including the first entirely blank line.

Note that implementing this strategy is dependent on the charset used by the MIME part.

See Appendix E.1 for an example.

4.5.3.3. Omitting Legacy Display Elements from text/html

If a text/html part within the Cryptographic Payload has the Content-Type parameter hp-legacy-display="1", it should be processed before rendering in the following fashion:

  • If any element of the HTML <body> is a <div> with class attribute header-protection-legacy-display, that entire element should be omitted.

This cleanup could be done, for example, as a custom rule in the MUA's HTML sanitizer, if one exists. Another implementation strategy for an HTML-capable MUA would be to add an entry to the [CSS] style sheet for such a part:

body div.header-protection-legacy-display { display: none; }

4.6. Implicitly Rendered Header Fields

While the From, To, Cc, Subject, and Date Header Fields are often explicitly rendered to the user, some Header Fields do affect message display without being explicitly rendered.

For example, the Message-Id, References, and In-Reply-To Header Fields may collectively be used to place a message in a "thread" or series of messages.

In another example, Section 6.2 notes that the value of the Reply-To Header Field can influence the draft reply message. So while the user may never see the Reply-To Header Field directly, it is implicitly "rendered" when the user interacts with the message by replying to it.

An MUA that depends on any implicitly rendered Header Field in a message with Header Protection MUST use the value from the protected Header Field and SHOULD NOT use any value found outside the cryptographic protection unless it is known to be a Header Field added in transit, as specified in Section 7.

4.7. Handling Undecryptable Messages

An MUA might receive an apparently encrypted message that it cannot currently decrypt. For example, when an MUA does not have regular access to the secret key material needed for decryption, it cannot know the cryptographically protected Header Fields or even whether the message has any cryptographically protected Header Fields.

Such an undecrypted message will be rendered by the MUA as a message without any Header Protection. This means that the message summary may well change how it is rendered when the user is finally able to supply the secret key.

For example, the rendering of the Subject Header Field in a mailbox summary might change from [...] to the real message subject when the message is decrypted. Or the message's placement in a message thread might change if, say, References or In-Reply-To have been removed or obscured (see Section 4.6).

Additionally, if the MUA does not retain access to the decrypting secret key, and it drops the decrypted form of a message, the message's rendering may revert to the encrypted form. For example, if an MUA follows this behavior, the Subject Header Field in a mailbox summary might change from the real message subject back to [...]. Or the message might be displayed outside of its current thread if the MUA loses access to a removed References or In-Reply-To Header Field.

These behaviors are likely to surprise the user. However, an MUA has several possible ways of reducing or avoiding all of these surprises, including:

  • Ensuring that the MUA always has access to decryption-capable secret key material.

  • Rendering undecrypted messages in a special quarantine view until the decryption-capable secret key material is available.

To reduce or avoid the surprises associated with a decrypted message with removed or obscured Header Fields becoming undecryptable, the MUA could also:

  • Securely cache metadata from a decrypted message's protected Header Fields so that its rendering doesn't change after the first decryption.

  • Securely store the session key associated with a decrypted message so that attempts to read the message when the long-term secret key is unavailable can proceed using only the session key itself. For example, see the discussion about stashing session keys in Section 9.1 of [RFC9787].

4.8. Guidance for Automated Message Handling

Some automated systems have a control channel that is operated by email. For example, an incoming email message could subscribe someone to a mailing list, initiate the purchase of a specific product, approve another message for redistribution, or adjust the state of some shared object.

To the extent that such a system depends on end-to-end cryptographic guarantees about the email control message, Header Protection as defined in this document should improve the system's security. This section provides some specific guidance for systems that use email messages as a control channel that want to benefit from these security improvements.

4.8.1. Only Interpret Protected Header Fields

Consider the situation where an email-based control channel depends on the message's cryptographic signature and the action taken depends on some Header Field of the message.

In this case, the automated system MUST rely on information from the Header Field that is protected by the mechanism defined in this document. It MUST NOT rely on any Header Field found outside the Cryptographic Payload.

For example, consider an administrative interface for a mailing list manager that only accepts control messages that are signed by one of its administrators. When an inbound message for the list arrives, it is queued (waiting for administrative approval) and the system generates and listens for two distinct email addresses related to the queued message -- one that approves the message and one that rejects it. If an administrator sends a signed control message to the approval address, the mailing list verifies that the protected To Header Field of the signed control message contains the approval address before approving the queued message for redistribution. If the protected To Header Field does not contain that address, or there is no protected To Header Field, then the mailing list logs or reports the error and does not act on that control message.

4.8.2. Ignore Legacy Display Elements

Consider the situation where an email-based control channel expects to receive an end-to-end encrypted message -- for example, where the control messages need confidentiality guarantees -- and where the action taken depends on the contents of some MIME part within the message Body.

In this case, the automated system that decrypts the incoming messages and scans the relevant MIME part MUST identify when the MIME part contains a Legacy Display Element (see Section 4.5.3.1), and it MUST parse the relevant MIME part with the Legacy Display Element removed.

For example, consider an administrative interface of a confidential issue tracking software. An authorized user can confidentially adjust the status of a tracked issue by a specially formatted first line of the message Body (for example, severity #183 serious). When the user's MUA encrypts a plaintext control message to this issue tracker, depending on the MUA's HCP and its choice of legacy value, it may add a Legacy Display Element. If it does so, then the first line of the message Body will contain a decorative copy of the confidential Subject Header Field. The issue tracking software decrypts the incoming control message, identifies that there is a Legacy Display Element in the part (see Section 4.5.3.1), strips the lines comprising the Legacy Display Element (including the first blank line), and only then parses the remaining top line to look for the expected special formatting.
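The text/plain and text/html cleanup of Sections 4.5.3.2 and 4.5.3.3, and the issue tracker scenario just described, are shown together in the following Python sketch. It is an added example, not code from this document. It assumes the caller passes in MIME parts that were already decrypted from inside the Cryptographic Payload; the function names and both sample parts are constructed, and leaving a part unchanged when it has no blank line is a choice made here.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

LEGACY_CLASS = "header-protection-legacy-display"


class _LegacyDivFilter(HTMLParser):
    """Re-emits HTML, omitting any <div> that carries LEGACY_CLASS."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.depth = 0  # > 0 while inside an omitted <div>

    def _emit(self, text):
        if not self.depth:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if self.depth:
            if tag == "div":
                self.depth += 1  # nested <div> inside the omitted element
        elif tag == "div" and LEGACY_CLASS in classes:
            self.depth = 1
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.depth:
            if tag == "div":
                self.depth -= 1
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")


def strip_plain(text):
    """Discard leading lines up to and including the first blank line."""
    blank = re.search(r"^\r?\n", text, re.MULTILINE)
    return text[blank.end():] if blank else text  # no blank line: unchanged


def strip_html(text):
    parser = _LegacyDivFilter()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def renderable_text(part):
    """Decoded text of a part, with Legacy Display Elements removed."""
    charset = part.get_content_charset("us-ascii")
    text = part.get_payload(decode=True).decode(charset)  # decode first
    if part.get_param("hp-legacy-display") != "1":
        return text
    if part.get_content_type() == "text/plain":
        return strip_plain(text)
    if part.get_content_type() == "text/html":
        return strip_html(text)
    return text


def control_command(part):
    """First line of the cleaned Body, as the issue tracker would parse it."""
    lines = renderable_text(part).splitlines()
    return lines[0] if lines else ""


# Constructed samples of parts found inside a decrypted Cryptographic Payload.
PLAIN_PART = """\
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: Adjust tracker state

severity #183 serious
"""
HTML_PART = """\
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"

<html><body>
<div class="header-protection-legacy-display">
<pre>Subject: Adjust tracker state</pre>
</div>
<p>severity #183 serious</p>
</body></html>
"""

if __name__ == "__main__":
    print(control_command(message_from_string(PLAIN_PART)))
    print(renderable_text(message_from_string(HTML_PART)))
```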

4.9. Affordances for Debugging and Troubleshooting

Note that advanced users of an MUA may need access to the original message, for example, to troubleshoot problems with the rendering MUA itself or problems with the SMTP transport path taken by the message.

An MUA that applies these rendering guidelines SHOULD ensure that the full original source of the message as it was received remains available to such a user for debugging and troubleshooting.

If a troubleshooting scenario demands information about the cryptographically protected values of Header Fields, and the message is encrypted, the debugging interface SHOULD also provide a "source" view of the Cryptographic Payload itself, alongside the full original source of the message as received.

4.10. Handling RFC8551HP Messages (Backward Compatibility)

Section 1.1.1 describes some drawbacks to the Header Protection scheme defined in [RFC8551], referred to here as RFC8551HP. An MUA MUST NOT generate an RFC8551HP message. However, for backward compatibility, an MUA MAY try to render or respond to such a message as though the message has standard Header Protection.

The following two sections contain guidance for identifying, rendering, replying to, and forwarding RFC8551HP messages. Corresponding test vectors are provided in Appendices C.2.5, C.2.6, and C.3.17.

4.10.1. Identifying an RFC8551HP Message

An RFC8551HP message can be identified by its MIME structure, given that all of the following conditions are met:

  • It has a well-formed Cryptographic Envelope consisting of at least one Cryptographic Layer as the outermost MIME object.

  • The Cryptographic Payload is a single message/rfc822 object.

  • The message that constitutes the Cryptographic Payload does not itself have a well-formed Cryptographic Envelope; that is, its outermost MIME object is not a Cryptographic Layer.

  • No Content-Type parameter of hp= is set on either the Cryptographic Payload or its immediate MIME child.

Here is the MIME structure of an example signed-and-encrypted RFC8551HP message:

A └┬╴application/pkcs7-mime; smime-type="enveloped-data"
   ╧ (decrypts to)
B  └┬╴application/pkcs7-mime; smime-type="signed-data"
    ┴ (unwraps to)
C   └┬╴message/rfc822 [Cryptographic Payload]
D    └┬╴multipart/alternative [Rendered Body]
E     ├─╴text/plain
F     └─╴text/html

This meets the definition of an RFC8551HP message because:

  • Cryptographic Layers A and B form the Cryptographic Envelope.

  • The Cryptographic Payload, rooted in part C, has Content-Type: message/rfc822.

  • Part D (the MIME root of the message at C) is itself not a Cryptographic Layer.

  • Neither part C nor part D have any hp parameters set on their Content-Type.

4.10.2. Rendering or Responding to an RFC8551HP Message

When an MUA has precisely identified a message as an RFC8551HP message, the MUA MAY render or respond to that message as though it were a message with Header Protection as defined in this document by making the following adjustments:

  • Rather than rendering the message Body as the Cryptographic Payload itself (part C in the example above), render the RFC8551HP message's Body as the MIME subtree that is the Cryptographic Payload's immediate child (part D).

  • Make a comparable modification to HeaderSetsFromMessage (Section 4.2.1) and HeaderFieldProtection (Section 4.3.1): Both algorithms currently look for the protected Header Fields on the Cryptographic Payload (part C), but they should instead look at the Cryptographic Payload's immediate child (part D).

  • If the Cryptographic Envelope is signed-only, behave as though there is an hp="clear" parameter for the Cryptographic Payload; if the Envelope contains encryption, behave as though there is an hp="cipher" parameter. That is, infer the composer's cryptographic intent from the structure of the message.

  • If the Cryptographic Envelope contains encryption, further modify HeaderSetsFromMessage to derive refouter from the actual Outer Header Section (those Header Fields found in part A in the example above) rather than looking for HP-Outer Header Fields with the other protected Header Fields. That is, infer Header Field confidentiality based on the unprotected Header Fields.

The inferences in the above modifications are not based on any strong end-to-end guarantees. An intervening MTA may tamper with the message's Outer Header Section or wrap the message in an encryption layer to undetectably change the recipient's understanding of the confidentiality of the message's Header Fields or the message Body itself.

4.11. Rendering Other Schemes

Other MUAs may have generated different structures of messages that aim to offer end-to-end cryptographic protections that include Header Protection. This document is not normative for those schemes, and it is NOT RECOMMENDED to generate these other schemes, as they can either have structural flaws or simply render poorly on Legacy MUAs. A conformant MUA MAY attempt to infer Header Protection when rendering an existing message that appears to use some other scheme not documented here. Pointers to some known other schemes can be found in Appendix F.

5. Composing Guidance (Sending Side)

This section describes the process an MUA should use to apply cryptographic protection to an email message with Header Protection.

When composing a message with end-to-end cryptographic protections, an MUA SHOULD apply Header Protection.

When generating such a message, an MUA MUST add the hp parameter (see Section 2.1.1) only to the Content-Type Header Field at the root of the message's Cryptographic Payload. The value of the parameter MUST indicate whether the Cryptographic Envelope contains a layer that provides encryption.

5.1. Composing a Cryptographically Protected Message Without Header Protection

For contrast, we first consider the typical message composition process of a Legacy Crypto MUA, which does not provide any Header Protection.

This process is described in Section 5.1 of [RFC9787]. We replicate it here for reference. The inputs to the algorithm are:

  • origbody: The unprotected message Body as a well-formed MIME tree (possibly just a single MIME leaf part). As a well-formed MIME tree, origbody already has Structural Header Fields (Content-*) present.

  • origheaders: The intended Non-Structural Header Fields for the message, represented here as a list of (h,v) pairs, where h is a Header Field name and v is the associated value. Note that these are Header Fields that the MUA intends to be visible to the recipient of the message. In particular, if the MUA uses the Bcc Header Field during composition but plans to omit it from the message (see Section 3.6.3 of [RFC5322]), it will not be in origheaders.

  • crypto: The series of cryptographic protections to apply (for example, "sign with the secret key corresponding to X.509 certificate X, then encrypt to X.509 certificates X and Y"). This is a routine that accepts a MIME tree as input (the Cryptographic Payload), wraps the input in the appropriate Cryptographic Envelope, and returns the resultant MIME tree as output.

The algorithm returns a MIME object that is ready to be injected into the mail system.

5.1.1. ComposeNoHeaderProtection

Method signature:

ComposeNoHeaderProtection(origbody, origheaders, crypto) -> mime_message

Procedure:

  1. Apply crypto to MIME part origbody, producing MIME tree output.

  2. For each Header Field name and value (h,v) in origheaders:

    1. Add Header Field h to output with value v.

  3. Return output.

5.2. Composing a Message with Header Protection

To compose a message using Header Protection, the composing MUA uses the following inputs:

  • all the inputs described in Section 5.1

  • hcp: an HCP, as defined in Section 3

  • respond: if the new message is a response to another message, the MUA's Respond Function corresponding to the user's action (see Section 6.1.1), otherwise null

  • refmsg: if the new message is a response to another message, the message being responded to, otherwise null

  • legacy: a boolean value, indicating whether any recipient of the message is believed to have a Legacy MUA. If all recipients are known to implement this document, legacy should be set to false. (How an MUA determines the value of legacy is out of scope for this document; an initial implementation can simply set it to true.)

To enable visibility of User-Facing but now removed/obscured Header Fields for decryption-capable Legacy MUAs, the Header Fields are included as a decorative Legacy Display Element in specially marked parts of the message (see Section 2.1.2). This document recommends two mechanisms for such a decorative adjustment: one for a text/plain Main Body Part (see Section 5.2.2) and one for a text/html Main Body Part (see Section 5.2.3) of the email message. This document does not recommend adding a Legacy Display Element to any other part.

Please see Section 7.1 of [RFC9787] for guidance on identifying the parts of a message that are a Main Body Part.

5.2.1. Compose

Method signature:

Compose(origbody, origheaders, crypto, hcp, respond, refmsg, legacy) -> mime_message

Procedure:

  1. Let newbody be a copy of origbody.

  2. If crypto contains encryption and legacy is true:

    1. Create ldlist, an empty list of (header, value) pairs.

    2. For each Header Field name and value (h,v) in origheaders:

      1. If h is User-Facing (see Section 1.1.2 of [RFC9787]):

        1. If hcp(h,v) is not v:

          1. Add (h,v) to ldlist.

    3. If ldlist is not empty:

      1. Identify each leaf MIME part of newbody that represents a "Main Body Part" of the message.

      2. For each "Main Body Part" bodypart of type text/plain or text/html:

        1. Adjust bodypart by inserting a Legacy Display Element Header Field list ldlist into its content and adding a Content-Type parameter hp-legacy-display with value 1 (see Section 5.2.2 for text/plain and Section 5.2.3 for text/html).

  3. For each Header Field name and value (h,v) in origheaders:

    1. Add Header Field h to MIME part newbody with value v.

  4. If crypto does not contain encryption:

    1. Set the hp parameter on the Content-Type of MIME part newbody to clear.

    2. Let newheaders be a copy of origheaders.

  5. Else (if crypto contains encryption):

    1. Set the hp parameter on the Content-Type of MIME part newbody to cipher.

    2. Let response_hcp be an ephemeral HCP, the output of ReferenceHCP(refmsg, respond) (see Section 6.1.2).

    3. Create a new empty list of Header Field names and values newheaders.

    4. For each Header Field name and value (h,v) in origheaders:

      1. Let newval be hcp(h,v).

      2. If newval is v:

        1. Let newval be response_hcp(h,v).

      3. If newval is not null:

        1. Add (h,newval) to newheaders.

    5. For each Header Field name and value (h,v) in newheaders:

      1. Let string record be the concatenation of h, a literal ": " (ASCII colon (0x3A) followed by ASCII space (0x20)), and v.

      2. Add Header Field "HP-Outer" to MIME part newbody with value record.

  6. Apply crypto to MIME part newbody, producing MIME tree output.

  7. For each Header Field name and value (h,v) in newheaders:

    1. Add Header Field h to output with value v.

  8. Return output.

Note that both new parameters (hcp and legacy) are effectively ignored if crypto does not contain encryption. This is by design, because they are irrelevant for signed-only cryptographic protections.
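Steps 3 through 8 of Compose, as an added Python example that is not part of the RFC text. It omits step 2 (the Legacy Display Element) and takes an already computed response_hcp instead of respond and refmsg; the encrypts flag, placeholder_crypto (a stand-in that only base64-wraps the payload and provides no cryptographic protection), hcp_obscure_subject and the sample message are all assumptions constructed for illustration.

```python
import base64
import copy
from email import message_from_bytes, message_from_string
from email.message import Message

# Constructed sample inputs.
ORIGBODY = message_from_string(
    "Content-Type: text/plain; charset=UTF-8\n\nI think we should skip the meeting.\n"
)
ORIGHEADERS = [
    ("From", "bob@example.org"),
    ("To", "alice@example.net"),
    ("Subject", "Thursday's meeting"),
]


def hcp_obscure_subject(name, value):
    """Constructed HCP for this example: obscure Subject, keep everything else."""
    return "[...]" if name.lower() == "subject" else value


def placeholder_crypto(payload):
    """Stand-in for a real Cryptographic Envelope. NOT encryption or signing."""
    outer = Message()
    outer["Content-Type"] = 'application/octet-stream; name="placeholder-envelope"'
    outer["Content-Transfer-Encoding"] = "base64"
    outer.set_payload(base64.encodebytes(payload.as_bytes()).decode("ascii"))
    return outer


def unwrap_placeholder(output):
    """Recover the Cryptographic Payload from the placeholder wrapper."""
    return message_from_bytes(base64.decodebytes(output.get_payload().encode("ascii")))


def compose(origbody, origheaders, crypto, encrypts, hcp, response_hcp=lambda h, v: v):
    newbody = copy.deepcopy(origbody)                 # step 1
    for h, v in origheaders:                          # step 3: protected copies
        newbody[h] = v
    if not encrypts:                                  # step 4: signed-only
        newbody.set_param("hp", "clear")
        newheaders = list(origheaders)
    else:                                             # step 5: encrypted
        newbody.set_param("hp", "cipher")
        newheaders = []
        for h, v in origheaders:
            newval = hcp(h, v)
            if newval == v:                           # composer's HCP left it alone,
                newval = response_hcp(h, v)           # so consult the single-use HCP
            if newval is not None:                    # None means "remove from outer"
                newheaders.append((h, newval))
        for h, v in newheaders:                       # record what the outside shows
            newbody["HP-Outer"] = f"{h}: {v}"
    output = crypto(newbody)                          # step 6
    for h, v in newheaders:                           # step 7: Outer Header Section
        output[h] = v
    return output                                     # step 8
```

Every value that reaches the Outer Header Section is also recorded in an HP-Outer field inside the payload, which is what lets a recipient later tell which Header Fields the composer kept confidential.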

5.2.2. Adding a Legacy Display Element to a text/plain Part

For a list of obscured and removed User-Facing Header Fields represented as (header, value) pairs, concatenate them as a set of lines, with one newline at the end of each pair. Add an additional trailing newline after the resultant text, and prepend the entire list to the content of the text/plain part.

The MUA MUST also add a Content-Type parameter of hp-legacy-display with value 1 to the MIME part to indicate that a Legacy Display Element was added.

For example, if the list of obscured Header Fields was [("Cc", "alice@example.net"), ("Subject", "Thursday's meeting")], then a text/plain Main Body Part that originally looked like this:

Content-Type: text/plain; charset=UTF-8

I think we should skip the meeting.

would become:

Content-Type: text/plain; charset=UTF-8; hp-legacy-display=1

Subject: Thursday's meeting
Cc: alice@example.net

I think we should skip the meeting.

Note that the Legacy Display Element (the lines beginning with Subject: and Cc:) is part of the content of the MIME part in question.

This example assumes that the Main Body Part in question is not the root of the Cryptographic Payload. For instance, it could be a leaf of a multipart/alternative Cryptographic Payload. This is why there are no additional Header Fields in the MIME part of this example.

5.2.3. Adding a Legacy Display Element to a text/html Part

Adding a Legacy Display Element to a text/html part is similar to how it is added to a text/plain part (see Section 5.2.2). Instead of adding the obscured or removed User-Facing Header Fields to a block of text delimited by a blank line, the composing MUA injects them in an HTML <div> element annotated with a class attribute of header-protection-legacy-display.

The content and formatting of this decorative <div> have no strict requirements, but they MUST represent all the obscured and removed User-Facing Header Fields in a readable fashion. A simple approach is to assemble the text in the same way as Section 5.2.2, wrap it in a verbatim <pre> element, and put that element in the annotated <div>.

The annotated <div> should be placed as close to the start of the <body> as possible, where it will be visible when viewed with a standard HTML renderer.

The MUA MUST also add a Content-Type parameter of hp-legacy-display with value 1 to the MIME part to indicate that a Legacy Display Element was added.

For example, if the list of obscured Header Fields was [("Cc", "alice@example.net"), ("Subject", "Thursday's meeting")], then a text/html Main Body Part that originally looked like this:

Content-Type: text/html; charset=UTF-8

<html><head><title></title></head><body>
<p>I think we should skip the meeting.</p>
</body></html>

would become:

Content-Type: text/html; charset=UTF-8; hp-legacy-display=1

<html><head><title></title></head><body>
<div class="header-protection-legacy-display">
<pre>Subject: Thursday's meeting
Cc: alice@example.net</pre></div>
<p>I think we should skip the meeting.</p>
</body></html>

This example assumes that the Main Body Part in question is not the root of the Cryptographic Payload. For instance, it could be a leaf of a multipart/alternative Cryptographic Payload. This is why there are no additional Header Fields in the MIME part of this example.

5.2.3.1. Step-by-Step Example for Inserting a Legacy Display Element into text/html

A composing MUA MAY insert the Legacy Display Element anywhere reasonable within the message as long as it prioritizes visibility for the reader using a Legacy MUA that is capable of decryption. This decision may take into account special message-specific HTML formatting expectations if the MUA is aware of them. However, some MUAs may not have any special insight into the user's preferred HTML formatting and still want to insert a Legacy Display Element. This section offers a non-normative, simple, and minimal step-by-step approach for a composing MUA that has no other information or preferences to fall back on.

The process below assumes that the MUA already has the full HTML object that it intends to send, including all of the text supplied by the user.

  1. Assemble the text exactly as specified for text/plain (see Section 5.2.2).

  2. Wrap that text in a verbatim <pre> element.

  3. Wrap that <pre> element in a <div> element annotated with the class header-protection-legacy-display.

  4. Find the <body> element of the full HTML object.

  5. Insert the <div> element as the first child of the <body> element.
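The text/plain procedure of Section 5.2.2 and the step-by-step text/html procedure above, as an added Python example that is not part of the RFC text. The function names and sample parts are constructed; the example assumes the part carries no content transfer encoding, that the caller has already established the part is a Main Body Part (only the Content-Disposition check is repeated here), and it HTML-escapes the Header Field values so that a Subject containing markup stays decorative text.

```python
import html
import re
from email import message_from_string

LEGACY_CLASS = "header-protection-legacy-display"
BODY_OPEN = re.compile(r"<body\b[^>]*>", re.IGNORECASE)

# Constructed samples matching the parts shown in Sections 5.2.2 and 5.2.3.
PLAIN_PART = "Content-Type: text/plain; charset=UTF-8\n\nI think we should skip the meeting.\n"
HTML_PART = (
    "Content-Type: text/html; charset=UTF-8\n\n"
    "<html><head><title></title></head><body>\n"
    "<p>I think we should skip the meeting.</p>\n"
    "</body></html>\n"
)
LDLIST = [("Subject", "Thursday's meeting"), ("Cc", "alice@example.net")]


def legacy_display_text(ldlist):
    """One 'Name: value' line per pair, then the extra trailing newline."""
    return "".join(f"{h}: {v}\n" for h, v in ldlist) + "\n"


def add_to_plain(text, ldlist):
    """Prepend the element to text/plain content."""
    return legacy_display_text(ldlist) + text


def add_to_html(markup, ldlist):
    """Insert the annotated <div> as the first child of <body>."""
    match = BODY_OPEN.search(markup)
    if match is None:
        raise ValueError("no <body> element found")
    # Escape so Header Field values cannot inject markup into the message.
    shown = html.escape(legacy_display_text(ldlist).rstrip("\n"), quote=False)
    div = f'\n<div class="{LEGACY_CLASS}"><pre>{shown}</pre></div>'
    return markup[:match.end()] + div + markup[match.end():]


def add_legacy_display(part, ldlist):
    """Modify a Main Body Part in place; return True if it was changed."""
    if not ldlist or part.get_content_disposition() == "attachment":
        return False                      # attachments are never modified
    ctype = part.get_content_type()
    if ctype == "text/plain":
        part.set_payload(add_to_plain(part.get_payload(), ldlist))
    elif ctype == "text/html":
        part.set_payload(add_to_html(part.get_payload(), ldlist))
    else:
        return False                      # no element for other Content-Types
    part.set_param("hp-legacy-display", "1")
    return True
```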

5.2.4. Only Add a Legacy Display Element to Main Body Parts

Some messages may contain a text/plain or text/html subpart that is not a Main Body Part. For example, an email message might contain an attached text file or a downloaded web page. Attached documents need to be preserved as intended in the transmission, without modification.

The composing MUA MUST NOT add a Legacy Display Element to any part of the message that is not a Main Body Part. In particular, if a part is annotated with Content-Disposition: attachment, or if it does not descend via the first child of any of its multipart/mixed or multipart/related ancestors, it is not a Main Body Part and MUST NOT be modified.

See Section 7.1 of [RFC9787] for more guidance about common ways to distinguish Main Body Parts from other MIME parts in a message.

5.2.5. Do Not Add a Legacy Display Element to Other Content-Types

The purpose of injecting a Legacy Display Element into each Main Body Part is to enable rendering of otherwise obscured Header Fields in Legacy MUAs that are capable of message decryption but don't know how to follow the rest of the guidance in this document.

The authors are unaware of any Legacy MUA that would render any MIME part type other than text/plain and text/html as the Main Body. A generating MUA SHOULD NOT add a Legacy Display Element to any MIME part with any other Content-Type.

6. Replying and Forwarding Guidance

An MUA might create a new message in response to another message, thus acting both as a rendering MUA and as a composing MUA. For example, the user of an MUA viewing any given message might take an action like "Reply", "Reply All", "Forward", or some comparable action to start the composition of a new message. The new message created this way effectively references the original message that was viewed at the time.

For encrypted messages, special guidance applies, because information can leak in at least two ways: leaking previously confidential Header Fields and leaking the entire message by sending the reply or forward to the wrong party.

6.1. Avoid Leaking Encrypted Header Fields in Replies and Forwards

As noted in Section 5.4 of [RFC9787], an MUA in this position MUST NOT leak previously encrypted content in the clear in a follow-up message. The same is true for protected Header Fields.

Values from any Header Field that was identified as either encrypted-only or signed-and-encrypted based on the steps outlined in Section 4.3 MUST NOT be sent in cleartext in a reply or forwarded message.

For example, if Subject was encrypted, and it is copied into the draft encrypted reply's Subject, the replying MUA will automatically obscure the reply's Subject Header Field.

When crafting the Header Fields for a reply or forwarded message, the composing MUA SHOULD make use of the HP-Outer Header Fields from within the Cryptographic Envelope of the referenced message to ensure that Header Fields derived from the referenced message do not leak in the reply or forwarded message.

On a high level, this can be achieved as follows: Consider a Header Field in a reply message that is generated by derivation from a Header Field in the referenced message. For example, the To Header Field is typically derived from the referenced message's Reply-To or From Header Fields. When generating this Header Field for the Outer Header Section, the composing MUA first applies its own HCP. If the Header Field's value is changed by that HCP, then the resulting value is used for the Outer Header Section. If the Header Field's value is unchanged, the composing MUA re-generates the Header Field using the Header Fields that had been in the Outer Header Section of the original message at composition time. These are inferred from the HP-Outer Header Fields located within the Cryptographic Payload of the referenced message. If the value is itself different than the protected value, then it is applied to the Outer Header Section. If the value is the same as the protected value, then it is simply copied to the Outer Header Section directly. As long as the resulting value is not null, it is noted (whether identical to the protected value or not) in the protected Header Section using HP-Outer, as described in Section 2.2.1.

See Appendix D.2 for a simple worked example of this process.

Below we describe a supporting algorithm to handle this. It produces a list of Header Fields that should be obscured or removed in the new message even if the composer's choice of HCP wouldn't normally remove or obscure the Header Field in question. This is effectively a single-use HCP. The normal composing guidance in Section 5.2 applies this single-use HCP to implement the high-level guidance above.

6.1.1. The Respond Function

The mechanism described below depends on an abstraction referred to in this document as a Respond Function.

The Respond Function takes a list of Header Fields from a referenced message as input and generates a list of initial candidate message Header Field names and values that are used to populate the message composition interface.

Something like this function already exists in most MUAs, though it may differ across responsive actions. For example, the Respond Function that implements "Reply All" is likely to be different from the Respond Function that implements "Reply", which is in turn different from the Respond Function that implements "Forward".

6.1.2. ReferenceHCP

The algorithm takes two inputs:

  • refmsg: a single referenced message

  • respond: the MUA's Respond Function associated with the user's action (see Section 6.1.1)

As an output, it produces an ephemeral single-use HCP, specific to this kind of response to this specific message.

Method signature:

ReferenceHCP(refmsg, respond) -> response_hcp

Procedure:

  1. If respond is null, refmsg is null, or refmsg is not encrypted with Header Protection:

    1. Return hcp_no_confidentiality (there is no header confidentiality in any referenced message that needs protection).

  2. Extract refouter, refprotected from refmsg as described in Section 4.2.

  3. Let genprotected be a list of (h,v) pairs generated by respond(refprotected).

  4. Let genouter be a list of (h,v) pairs generated by respond(refouter).

  5. For each (h,v) in genprotected:

    1. If (h,v) is in genouter:

      1. Remove (h,v) from both genprotected and genouter (this Header Field does not need additional confidentiality).

  6. Let confmap be a mapping from a Header Field name and value (h,v) to either a string or the special value null (this mapping is initially empty).

  7. For each (h,v) remaining in genprotected:

    1. Set result to the special value null.

    2. For each (h1,v1) in genouter:

      1. If h1 is h:

        1. Set result to v1.

    3. Insert (h,v) -> result into confmap.

  8. Return a new HCP from confmap that tests whether the (name,val_in) tuple is in confmap; if so, return confmap[(name,val_in)]; otherwise, return val_in.

Note that the key idea here is to reuse the MUA's existing Respond Function. The algorithm simulates how the MUA would pre-populate a reply to (or forward of) two messages whose Header Fields have the values refouter and refprotected, respectively (independent of any cryptographic protections). Then, it uses the difference to derive a one-time HCP. This HCP takes into account both the referenced message's composer's preferences and the derivations that can happen to Header Field values when responding. Note that while some of these derivations are straightforward (e.g., In-Reply-To is usually derived from Message-ID), others are non-trivial. For example, the From address may be derived from To, Cc, or the MUA's local address preference (especially when the MUA received the referenced message via Bcc). Similarly, To may be derived from To, From, and/or Cc Header Fields depending on the MUA implementation and depending on whether the user clicked "Reply", "Reply All", "Forward", or any other action that generates a response to a message. Reusing the MUA's existing Respond Function incorporates these nuances without requiring any extra configuration choices or additional maintenance burden.
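ReferenceHCP with a toy "Reply" Respond Function, as an added Python example that is not part of the RFC text. It assumes refmsg is either None or an already extracted (refouter, refprotected) pair (the extraction of Section 4.2 is not shown), that Header Field names are compared exactly, and that the reply function and all sample header values are constructed for illustration.

```python
# Constructed sample: Header Fields of a referenced encrypted message.
REF_PROTECTED = [
    ("From", "alice@example.net"),
    ("To", "bob@example.org"),
    ("Subject", "Thursday's meeting"),
    ("Message-ID", "<m1@example.net>"),
]
# What the Outer Header Section showed: Subject obscured by the composer.
REF_OUTER = [
    ("From", "alice@example.net"),
    ("To", "bob@example.org"),
    ("Subject", "[...]"),
    ("Message-ID", "<m1@example.net>"),
]
# Variant where the composer removed Subject from the outside entirely.
REF_OUTER_NO_SUBJECT = [pair for pair in REF_OUTER if pair[0] != "Subject"]


def hcp_no_confidentiality(name, val_in):
    """HCP that leaves every Header Field untouched."""
    return val_in


def reply(headers):
    """Toy Respond Function for "Reply" (hypothetical, one value per name)."""
    fields = dict(headers)
    out = []
    if "Subject" in fields:
        subject = fields["Subject"]
        out.append(("Subject", subject if subject.lower().startswith("re:")
                    else "Re: " + subject))
    recipient = fields.get("Reply-To") or fields.get("From")
    if recipient:
        out.append(("To", recipient))
    if "Message-ID" in fields:
        out.append(("In-Reply-To", fields["Message-ID"]))
    return out


def reference_hcp(refmsg, respond):
    if respond is None or refmsg is None:                 # step 1
        return hcp_no_confidentiality
    refouter, refprotected = refmsg                       # step 2 (pre-extracted)
    genprotected = list(respond(refprotected))            # step 3
    genouter = list(respond(refouter))                    # step 4
    for pair in list(genprotected):                       # step 5
        if pair in genouter:
            genprotected.remove(pair)                     # same inside and outside:
            genouter.remove(pair)                         # nothing to hide
    confmap = {}                                          # step 6
    for h, v in genprotected:                             # step 7
        result = None                                     # default: remove
        for h1, v1 in genouter:
            if h1 == h:
                result = v1                               # obscure as the outer did
        confmap[(h, v)] = result

    def response_hcp(name, val_in):                       # step 8
        # dict.get only falls back to val_in when the key is absent, so a
        # stored None (meaning "remove") is returned as None.
        return confmap.get((name, val_in), val_in)

    return response_hcp
```

Only the exact derived value is covered: if the user edits the reply's Subject to something else, the single-use HCP passes it through and the composer's own HCP decides.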

6.2. Avoid Misdirected Replies

When replying to a message, the composing MUA typically decides who to send the reply to based on:

  • the Reply-To, Mail-Followup-To, or From Header Fields

  • optionally, the other To or Cc Header Fields (if the user chose to "Reply All")

When a message has Header Protection, the replying MUA MUST populate the destination fields of the draft message using the protected Header Fields and ignore any unprotected Header Fields.

This mitigates against an attack where Mallory gets a copy of an encrypted message from Alice to Bob and then replays the message to Bob with an additional Cc to Mallory's own email address in the message's (unprotected) Outer Header Section.

If Bob knows Mallory's certificate already, and he replies to such a message without following the guidance in this section, it's likely that his MUA will encrypt the cleartext of the message directly to Mallory.

7. Unprotected Header Fields Added in Transit

Some Header Fields are legitimately added in transit and could not have been known to the composer at message composition time.

The most common of these Header Fields are Received and DKIM-Signature, neither of which are typically rendered, either explicitly or implicitly.

If a rendering MUA has specific knowledge about a given Header Field, including that:

then the MUA MAY decide to operate on the value of that Header Field from the Outer Header Section, even though the message has Header Protection.

The MUA MAY prefer to verify that the Header Fields in question have additional transit-derived cryptographic protections before rendering or acting on them. For example, the MUA could verify whether these Header Fields are covered by an appropriate and valid ARC-Authentication-Results (see [RFC8617]) or DKIM-Signature (see [RFC6376]) Header Field.

Specific examples of Header Fields added in transit that are meaningful to the user can be found in the following section.

7.1. Mailing List Header Fields: List-* and Archived-At

If the message arrives through a mailing list, the list manager itself may inject Header Fields (most have a List- prefix) in the message. Header Fields commonly added by list managers include:

  • List-Archive

  • List-Subscribe

  • List-Unsubscribe

  • List-Id

  • List-Help

  • List-Post

  • Archived-At

Some MUAs render these Header Fields implicitly by providing buttons for actions like "Subscribe", "View Archived Version", "Reply List", "List Info", etc.

An MUA rendering a message with Header Protection that contains any of these Header Fields in the Outer Header Section and that has reason to believe the message arrived through a mailing list MAY decide to render them to the user (explicitly or implicitly) even though they are not protected.

8. Email Ecosystem Evolution

The email ecosystem is the set of client-side and server-side software and policies that are used in the creation, transmission, storage, rendering, and indexing of email over the Internet.

This document is intended to offer tooling needed to improve the state of the email ecosystem in a way that can be deployed without significant disruption. Some elements of this specification are present for transitional purposes but would not exist if the system were designed from scratch.

This section describes these transitional mechanisms, as well as some suggestions for how they might eventually be phased out.

8.1. Dropping Legacy Display Elements

Any decorative Legacy Display Element added to an encrypted message that uses Header Protection is present strictly for enabling Header Field visibility (most importantly, the Subject Header Field) when the message is viewed with a decryption-capable Legacy MUA.

Eventually, the hope is that most decryption-capable MUAs will conform to this specification and there will be no need for injection of Legacy Display Elements in the message Body. A survey of widely used decryption-capable MUAs might be able to establish when most of them do support this specification.

At that point, a composing MUA could set the legacy parameter defined in Section 5.2 to false by default or could even hard-code it to false, yielding a much simpler message construction set.

Until that point, an end user might want to signal that their rendering MUAs are conformant to this document so that a peer composing a message to them can set legacy to false. A signal indicating capability of handling messages with Header Protection might be placed in the user's cryptographic certificate or in outbound messages.

This document does not attempt to define the syntax or semantics of such a signal.

8.2. More Ambitious Default HCP

This document defines a few different forms of HCP. An MUA implementing an HCP for the first time SHOULD deploy hcp_baseline as recommended in Section 3.3. This HCP offers the most commonly expected protection (obscuring the Subject Header Field) without risking deliverability or rendering issues.

The HCPs proposed in this document are relatively conservative and still leak a significant amount of metadata for encrypted messages. This is largely done to ensure deliverability (see Section 1.3.2) and usability (see Section 2 of [RFC9787] and Section 9), as messages without some critical Header Fields are more likely to not reach their intended recipient.

In the future, some mail transport systems may accept and deliver messages with even less publicly visible metadata. Many MTA operators today would ask for additional guarantees about such a message to limit the risks associated with abusive or spam mail.

This specification offers the HCP formalism itself as a way for MUA developers and MTA operators to describe their expectations around message deliverability. MUA developers can propose a more ambitious default HCP and ask MTA operators (or simply test) whether their MTAs would be likely to deliver or reject encrypted mail with that HCP applied. Proponents of a more ambitious HCP should explicitly document the HCP and name it clearly and unambiguously to facilitate this kind of interoperability discussion.

Reaching widespread consensus around a more ambitious global default HCP is a challenging problem of coordinating many different actors. A piecemeal approach might be more feasible, where some signaling mechanism allows a message recipient, MTA operator, or third-party clearinghouse to announce what kinds of HCPs are likely to be deliverable for a given recipient. In such a situation, the default HCP for an MUA might involve consulting the signaled acceptable HCPs for all recipients and combining them (along with a default for when no signal is present) in some way.

If such a signal were to reach widespread use, it could also be used to guide reasonable statistical default HCP choices for recipients with no signal.

This document does not attempt to define the syntax or semantics of such a signal.

8.3. Deprecation of Messages Without Header Protection

At some point, when the majority of MUA clients that can generate cryptographically protected messages can do so with Header Protection, it should be possible to deprecate any cryptographically protected message that does not have Header Protection.

For example, as noted in Section 9.1, it's possible for an MUA to render a signed-only message that has no Header Protection the same as an unprotected message. And a signed-and-encrypted message without Header Protection could likewise be marked as not fully protected.

These stricter rules could be adopted immediately for all messages. Or an MUA developer could roll them out immediately for any new message but still treat an old message (based on the Date Header Field and cryptographic signature timestamp) more leniently.

A decision like this by any popular rendering MUA could drive adoption of this standard for composing MUAs.

9. Usability Considerations

This section describes concerns for MUAs that are interested in easy adoption of Header Protection by normal users.

While they are not protocol-level artifacts, these concerns motivate the protocol features described in this document.

See also the usability commentary in Section 2 of [RFC9787].

9.1. Mixed Protections Within a Message Are Hard to Understand

When rendering a message to the user, the ideal circumstance is to present a single cryptographic status for any given message. However, when message Header Fields are present, some message Header Fields do not have the same cryptographic protections as the main message.

Representing such a mixed set of protection statuses is very difficult to do in a way that an Ordinary User can understand. There are at least three scenarios that are likely to be common and poorly understood:

  • A signed message with no Header Protection.

  • A signed-and-encrypted message with no Header Protection.

  • A signed-and-encrypted message with Header Protection as defined in this document, where some User-Facing Header Fields have confidentiality but some do not.

An MUA should have a reasonable strategy for clearly communicating each of these scenarios to the user. For example, an MUA operating in an environment where it expects most cryptographically protected messages to have Header Protection could use the following rendering strategy:

  • When rendering a message with a signed-only cryptographic status but no Header Protection, an MUA may decline to indicate a positive security status overall and only indicate the cryptographic status to a user in a message properties or diagnostic view. That is, the message may appear identical to an unsigned message except if a user verifies the properties through a menu option.

  • When rendering a message with a signed-and-encrypted or encrypted-only cryptographic status but no Header Protection, overlay a warning flag on the typical cryptographic status indicator. That is, if a typical signed-and-encrypted message displays a lock icon, display a lock icon with a warning sign (e.g., an exclamation point in a triangle) overlaid. For example, see the graphics in [chrome-indicators].

  • When rendering a message with a signed-and-encrypted or encrypted-only cryptographic status with Header Protection but where the Subject Header Field has not been removed or obscured, place a warning sign on the Subject line.

Other simple rendering strategies could also be reasonable.

9.2. Users Should Not Have to Choose a Header Confidentiality Policy

This document defines the abstraction of an HCP object for the sake of communication between implementers and deployments.

Most email users are unlikely to understand the trade-offs between different policies. In particular, the potential negative side effects (e.g., poor deliverability) may not be easily attributable by a normal user to a particular HCP.

Therefore, MUA implementers should be conservative in their choice of default HCP and should not require the Ordinary User to make an incomprehensible choice that could cause unfixable, undiagnosable problems. The safest option is for the MUA developer to select a known, stable HCP (this document recommends hcp_baseline in Section 3.3) on the user's behalf. An MUA should not expose the Ordinary User to a configuration option where they are expected to manually select (let alone define) an HCP.

10. Security Considerations

Header Protection improves the security of cryptographically protected email messages. Following the guidance in this document improves security for users by more directly aligning the underlying messages with user expectations about confidentiality, authenticity, and integrity.

Nevertheless, helping the user distinguish between cryptographic protections of various messages remains a security challenge for MUAs. This is exacerbated by the fact that many existing messages with cryptographic protections do not employ Header Protection. MUAs encountering these messages (e.g., in an archive) will need to handle older forms (without Header Protection) for quite some time, possibly forever.

For any MUA that offers S/MIME cryptographic protections, the security considerations from Section 6 of [RFC8551] (S/MIME), Section 3 of [RFC5083] (Authenticated-Enveloped-Data in Cryptographic Message Syntax (CMS)), and Section 14 of [RFC5652] (CMS more broadly) continue to apply. Likewise, for any MUA that offers PGP/MIME cryptographic protections, the security considerations from Section 8 of [RFC3156] (PGP with MIME) as well as Section 13 of [RFC9580] (OpenPGP itself) continue to apply. In addition, these underlying security considerations are now also applicable to the contents of the message Header Section, not just the message Body.

10.1. From Address Spoofing

For a rendering MUA that depends on its MTA to authenticate the origin of the message, applying this specification could enable sender address spoofing.

To prevent sender spoofing, many rendering MUAs implicitly rely on their receiving MTA to inspect the Outer Header Section and verify that the From Header Field is authentic. If a rendering MUA displays a From address (from the protected part) that doesn't match the From address the MTA used to authenticate and/or filter (see also Section 4.4.1.1), the MUA may be vulnerable to spoofing.

Consider a malicious MUA that sets the following Header Fields on an encrypted message with Header Protection:

  • Outer: From: <alice@example.com>

  • Inner: HP-Outer: From: <alice@example.com>

  • Inner: From: <bob@example.org>

During sending, the MTA of example.com validates that the sending MUA is authorized to send from alice@example.com. Since the message is encrypted, the sending and receiving MTAs cannot see the protected Header Fields. A naive rendering MUA might follow the algorithms in this document without special consideration for the From Header Field. Such an MUA might display the email as coming from bob@example.org to the user, resulting in a spoofed address.

This problem applies both between domains and within a domain.

This problem always applies to signed-and-encrypted messages. This problem also applies to signed-only messages because MTAs typically do not look at the protected Header Fields when confirming From address authenticity.

Sender address spoofing is relevant for two distinct security properties:

  • Sender authenticity: relevant for rendering the message (which address to show the user?)

  • Message confidentiality: relevant when replying to a message (a reply to the wrong address can leak the message contents)

10.1.1. From Rendering Reasoning

Section 4.4.3 provides guidance for rendering the From Header Field. It recommends a rendering MUA that depends on its MTA to authenticate the (unprotected) outer From Header Field to render the outer From Header Field if both of the following conditions are met:

Note: The second condition effectively means that the inner (expected to be protected) From Header Field appears to have insufficient protection.

This may seem surprising since it causes the MUA to render a mix of both protected and unprotected values. This section provides an argument as to why this guidance makes sense.

We proceed by case distinction:

  • Case 1: Malicious composing MUA.

    • Attack situation: The composing MUA puts a different inner From Header Field to spoof the sender address.

    • In this case, it is "better" to fall back and render the outer From Header Field because this is what the receiving MTA can validate. Otherwise, this document would introduce a new way for senders to spoof the From address of the message.

    • This does not preclude a future document from updating this document to specify a protocol for legitimate sender address hiding.

  • Case 2: Malicious sending/transiting/receiving MTA (or anyone meddling between MTAs).

    • Attack situation: An on-path attacker changes the outer From Header Field (possibly with other meddling to invalidate the signature; see below). Their goal is to get the rendering MUA to show a different From address than the composing MUA intended (breaking MUA-to-MUA sender authenticity).

    • Case 2.a: The composing MUA submitted an unsigned or encrypted-only message to the email system. In this case, there can be no sender authenticity anyway.

    • Case 2.b: The composing MUA submitted a signed-only message to the email system.

      • Case 2.b.i: The attacker removes or invalidates the signature. In this case, the attacker can also modify the inner From Header Field to their liking.

      • Case 2.b.ii: The signature is valid, but the rendering MUA does not see any valid binding between the signing certificate and the addr-spec of the inner From Header Field. In this case, there can be no sender authenticity anyways (the certificate could have been generated by the on-path attacker). This case is indistinguishable from a malicious composing MUA; hence, it is "better" to fall back to the outer From Header Field that the MTA can validate. Note that once the binding is validated (e.g., after an out-of-band comparison), the rendering may change from showing the outer From address (and a warning) to showing the inner, now validated From address. In some cases, the binding may be instantly validated even for previously unseen certificates (e.g., if the certificate is issued by a trusted certification authority).

    • Case 2.c: The composing MUA submitted a signed-and-encrypted message to the email system.

      • Case 2.c.i: The attacker removes or invalidates the signature. Note that the signature is inside the ciphertext (see Section 5.2 of [RFC9787]). Thus, assuming the encryption is non-malleable, any on-path attacker cannot invalidate the signature while ensuring that the message still decrypts successfully.

      • Case 2.c.ii: The signature is valid, but the rendering MUA does not see any valid binding between the signing certificate and the addr-spec of the inner From Header Field. See case 2.b.ii.

As the case distinction shows, the outer From Header Field is either the preferred fallback (in particular, to avoid introducing a new spoofing channel) or just as good (because just as modifiable) as the inner From Header Field.

Rendering the outer From Header Field does carry the risk of a "temporary downgrade attack" in cases 2.b.ii and 2.c.ii, where a malicious MTA keeps the signature intact but modifies the outer From Header Field. The MUA can resolve this temporary downgrade by validating the certificate-to-addr-spec binding. If the MUA never does this validation, the entire message could be fake.

If there were a signaling channel where the MTA can tell the MUA whether it authenticated the From Header Field, an MUA could use this in its rendering decision. In the absence of such a signal, and when end-to-end authenticity is unavailable, this document prefers to fall back to the outer From Header Field. This default is based on the assumption that most MTAs apply some filtering based on the outer From Header Field (whether the MTA can authenticate it or not). Rendering the unprotected outer From Header Field (instead of the protected inner one) in case of a mismatch retains this ability for MTAs.

If the MUA decides not to rely on the MTA to authenticate the outer From Header Field, it may prefer the inner From Header Field.
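
The rendering decision argued for in this section, as an added Python example that is not part of the RFC text. The function and parameter names are hypothetical, and the two conditions are this example's reading of the section: the inner and outer addr-specs differ, and no valid signature is bound to the inner addr-spec.

```python
from email.utils import parseaddr
from typing import NamedTuple, Optional


class FromDecision(NamedTuple):
    display: str   # From value the MUA should show to the user
    source: str    # "inner" (protected) or "outer" (unprotected)
    warn: bool     # True when the outer value is shown as a fallback


def addr_spec(from_value: str) -> str:
    """Extract the addr-spec from a From value, lowercasing only the domain."""
    addr = parseaddr(from_value)[1]
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"


def choose_from(outer_from: str,
                inner_from: Optional[str],
                signature_valid: bool,
                binding_validated: bool,
                relies_on_mta: bool = True) -> FromDecision:
    """Pick the From value to render for a message with Header Protection.

    signature_valid:   a signature layer verified cryptographically.
    binding_validated: the signing certificate is bound to the inner addr-spec
                       (trusted CA, out-of-band comparison, ...).
    relies_on_mta:     the MUA depends on its MTA to authenticate or filter on
                       the outer From Header Field.
    """
    if inner_from is None:
        # No protected From at all: only the outer value exists.
        return FromDecision(outer_from, "outer", False)

    mismatch = addr_spec(outer_from) != addr_spec(inner_from)
    end_to_end_authentic = signature_valid and binding_validated

    # Cases 1, 2.b.ii and 2.c.ii: a mismatch without end-to-end authenticity
    # cannot be told apart from a malicious composer, so show what the MTA
    # was able to check and flag it.
    if mismatch and not end_to_end_authentic and relies_on_mta:
        return FromDecision(outer_from, "outer", True)

    # Either the addresses agree, the inner one is authenticated end to end,
    # or this MUA chooses not to rely on its MTA.
    return FromDecision(inner_from, "inner", False)


if __name__ == "__main__":
    # Constructed input: the Header Fields from the scenario in Section 10.1.
    outer, inner = "<alice@example.com>", "<bob@example.org>"
    print(choose_from(outer, inner, signature_valid=True, binding_validated=False))
    # The "temporary downgrade" ends once the binding has been validated.
    print(choose_from(outer, inner, signature_valid=True, binding_validated=True))
```
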

10.2. Avoid Cryptographic Summary Confusion from the hp Parameter

When parsing a message, the recipient MUA infers the message's Cryptographic Status from the Cryptographic Layers, as described in Section 4.6 of [RFC9787].

The Cryptographic Layers that make up the Cryptographic Envelope describe an ordered list of cryptographic properties as present in the message after it has been delivered. By contrast, the hp parameter to the Content-Type Header Field contains a simpler indication: whether the composer originally tried to encrypt the message or not (see Section 2.1.1). In particular, for a message with Header Protection, the Cryptographic Payload MUST have a hp parameter of cipher if the message is encrypted (in addition to signed) and clear if no encryption is present (that is, the message is signed-only).

As noted in Section 2.1.1, the rendering implementation MUST NOT inflate its estimation of the confidentiality of the message or its Header Fields based on the composer's intent if it can see that the message was not actually encrypted. A signed-only message that happens to have an hp parameter of cipher is still signed-only.

Conversely, since the encrypting Cryptographic Layer is typically outside the signature layer (see Section 5.2 of [RFC9787]), an originally signed-only message could have been wrapped in an encryption layer by an intervening party before receipt to appear encrypted.

If a message appears to be wrapped in an encryption layer, and the hp parameter is present but is not set to cipher, then it is likely that the encryption layer was not added by the original composer. For such a message, the lack of any HP-Outer Header Field (see Section 2.2) in the Header Section of the Cryptographic Payload MUST NOT be used to infer that all Header Fields were removed from the Outer Header Section by the original composer. In such a case, the rendering MUA SHOULD treat every Header Field as though it was not confidential.

10.3. Caution About Composing with Legacy Display Elements

When composing a message, it's possible for a Legacy Display Element (see Section 2.1.2) to contain risky data that could trigger errors in a rendering client.

For example, if the value for a Header Field to be included in a Legacy Display Element within a given Body part contains folding whitespace, it SHOULD be "unfolded" before generating the Legacy Display Element: All contiguous folding whitespace SHOULD be replaced with a single space character. Likewise, if the Header Field value was originally encoded per [RFC2047], it SHOULD be decoded first to a standard string and re-encoded using the charset appropriate to the target part.

When including a Legacy Display Element in a text/plain part (see Section 5.2.2), if the decoded Subject Header Field contains a pair of newlines (e.g., if it is broken across multiple lines by encoded newlines), the composing MUA MUST strip any newline from the Legacy Display Element. If the pair of newlines is not stripped, a rendering MUA that follows the guidance in Section 4.5.3.2 might leave the later part of the Legacy Display Element in the rendered message.

When including a Legacy Display Element in a text/html part (see Section 5.2.3), any material in the Header Field values MUST be explicitly HTML escaped to avoid being rendered as part of the HTML. At a minimum, the characters <, >, ', ", and & MUST be escaped to &lt;, &gt;, &apos;, &quot;, and &amp;, respectively (for example, see [HTML-ESCAPES]). If unescaped characters from removed or obscured Header Field values end up in the Legacy Display Element, a rendering MUA that follows the guidance in Section 4.5.3.3 might fail to identify the boundaries of the Legacy Display Element, cutting out more than it should or leaving remnants visible. And a Legacy MUA parsing such a message might misrender the entire HTML stream, depending on the content of the removed or obscured Header Field values.

The Legacy Display Element is a decorative addition solely to enable visibility of obscured or removed Header Fields in decryption-capable Legacy MUAs. When it is produced, it should be generated minimally and strictly, as described above, to avoid damaging the rest of the message.
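
One way a composing MUA could prepare a Header Field value before placing it in a Legacy Display Element, as an added Python example that is not part of the RFC text. The function names are hypothetical, and the wrapping of the element itself (Sections 5.2.2 and 5.2.3) is left out.

```python
import re
from email.header import decode_header, make_header

# Folding whitespace: optional WSP, then one or more line breaks each followed by WSP.
_FWS = re.compile(r"[ \t]*(?:\r?\n[ \t]+)+")
_NEWLINES = re.compile(r"[\r\n]+")

# The five characters Section 10.3 lists, mapped to the entities it names.
# (html.escape() would emit &#x27; for the apostrophe instead of &apos;.)
_HTML_ESCAPES = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "'": "&apos;",
    '"': "&quot;",
})


def decoded_value(raw_value: str) -> str:
    """Unfold a raw Header Field value, then decode any RFC 2047 encoded-words."""
    unfolded = _FWS.sub(" ", raw_value)
    return str(make_header(decode_header(unfolded)))


def lde_value_plain(raw_value: str) -> str:
    """Value suitable for a text/plain Legacy Display Element.

    Newlines that survive decoding (for example, encoded as =0A inside an
    encoded-word) are taken out so the value stays on a single line. They are
    replaced with a space here; removing them outright meets the same rule.
    """
    return _NEWLINES.sub(" ", decoded_value(raw_value)).strip()


def lde_value_html(raw_value: str) -> str:
    """Value suitable for a text/html Legacy Display Element: explicitly escaped."""
    return decoded_value(raw_value).translate(_HTML_ESCAPES)


if __name__ == "__main__":
    # Constructed Subject values, not taken from any real message.
    samples = [
        "Quarterly\r\n\t  report",                 # folded across two lines
        "=?utf-8?q?line_one=0A=0Aline_two?=",      # encoded pair of newlines
        "</pre></div> \"Q&A\" it's",               # markup-significant characters
    ]
    for raw in samples:
        print(repr(lde_value_plain(raw)), "|", repr(lde_value_html(raw)))
```

The returned strings still have to be encoded with the charset of the target Body part when that part is serialized.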

10.4. Plaintext Attacks

An encrypted email message using S/MIME or PGP/MIME tends to have some amount of predictable plaintext. For example, the standard MIME Header Fields of the Cryptographic Payload of a message are often a predictable sequence of bytes, even without Header Protection, when they only include the Structural Header Fields MIME-Version and Content-Type. This is a potential risk for known-plaintext attacks.

Including protected Header Fields as defined in this document increases the amount of known plaintext. Since some of those Header Fields in a reply will be derived from the message being replied to, this also creates a potential risk for chosen-plaintext attacks, in addition to known-plaintext attacks. This potential risk also applies in a similar manner to forwarded messages.

Modern message encryption mechanisms are expected to be secure against both known-plaintext attacks and chosen-plaintext attacks. An MUA composing an encrypted message should ensure that it is using such a mechanism, regardless of whether it does Header Protection.

11. Privacy Considerations

11.1. Leaks When Replying

The encrypted Header Fields of a message may accidentally leak when replying to the message. See the guidance in Section 6.

11.2. Encrypted Header Fields Are Not Always Private

For encrypted messages, depending on the composer's HCP, some Header Fields may appear both within the Cryptographic Envelope and on the outside of the message (e.g., Date might exist identically in both places). Section 4.3 identifies such a Header Field as signed-only. These Header Fields are clearly not private at all, despite a copy being inside the Cryptographic Envelope.

A Header Field whose name and value are not matched verbatim by any HP-Outer Header Field from the same part will have an encrypted-only or signed-and-encrypted status. But even Header Fields with these stronger levels of cryptographic confidentiality protection might not be as private as the user would like.

See the examples below.

This concern is true for any encrypted data, including the Body of the message, not just the Header Fields: If the composer isn't careful, the message contents or session keys can leak in many ways that are beyond the scope of this document. The message recipient has no way in principle to tell whether the apparent confidentiality of any given piece of encrypted content has been broken via channels that they cannot perceive. Additionally, an active intermediary aware of the recipient's public key can always encrypt a cleartext message in transit to give the recipient a false sense of security (see also Section 10.2).

11.2.1. Encrypted Header Fields Can Leak Unwanted Information to the Recipient

For an encrypted message, even with an ambitious HCP that successfully obscures most Header Fields from all transport agents, Header Fields will be ultimately visible to each intended recipient. This can be especially problematic for a Header Field that is not User-Facing; the composer may not expect such a Header Field to be injected by their MUA. Consider the three following examples:

  • The MUA may inject a User-Agent Header Field that describes itself to every recipient, even though the composer may not want a recipient to know the exact version of their OS, hardware platform, or MUA.

  • The MUA may have an idiosyncratic way of generating a Message-ID Header Field, which could embed the choice of MUA, time zone, hostname, or other subtle information to a knowledgeable recipient.

  • The MUA may erroneously include a Bcc Header Field in the origheaders of a copy of a message sent to a named recipient, defeating the purpose of using Bcc instead of Cc (see Section 11.4 for more details about risks related to Bcc).

Clearly, no end-to-end cryptographic protection of any Header Field as defined in this document will hide such a sensitive field from an intended recipient. Instead, the composing MUA MUST populate the origheaders list for any outbound message with only information each recipient should have access to. This is true for any message without any cryptographic protection as well, of course, and it is even worse there: Such a leak is exposed to the transport agents as well as all recipients. An encrypted message with Header Protection and a more ambitious HCP avoids these leaks that expose information to the transport agents, but it cannot defend against such a leak to a recipient.

11.2.2. Encrypted Header Fields Can Be Inferred from External or Internal Metadata

For example, if the To and Cc Header Fields are removed from the Outer Header Section, the values in those fields might still be inferred with high probability by an adversary who looks at the message either in transit or at rest. For example, if the message is found in a mailbox, or being delivered to a mailbox, and the mailbox is known to be associated with the email address bob@example.org, it's likely that Bob was in either To or Cc. Furthermore, encrypted message ciphertext may hint at the recipients: For S/MIME messages, the RecipientInfo, and for PGP/MIME messages, the key ID in the Public Key Encrypted Session Key (PKESK) packets will all hint at a specific set of recipients. Additionally, an MTA that handles the message may add a Received Header Field (or some other custom Header Field) that leaks some information about the nature of the delivery.

11.2.3. Encrypted Header Fields May Not Be Fully Masked by HCP

In another example, if the HCP modifies the Date Header Field to mask out high-resolution timestamps (e.g., rounding to the most recent hour), some information about the date of delivery will still be attached to the email. At the very least, the low-resolution, global version of the date will be present on the message. Additionally, Header Fields like Received that are added during message delivery might include higher-resolution timestamps. And if the message lands in a mailbox that is ordered by time of receipt, even its placement in the mailbox and the unobscured Date Header Fields of the surrounding messages could leak this information.

Some Header Fields like From may be impossible to fully obscure, as many modern message delivery systems depend on at least domain information in the From Header Field for determining whether a message is coming from a domain with "good reputation" (that is, from a domain that is not known for leaking spam). So even if an ambitious HCP opts to remove the human-readable part from any From Header Field and to standardize/genericize the local part of the From address, the domain will still leak.

11.3. A Naive Recipient May Overestimate the Cryptographic Status of a Header Field in an Encrypted Message

When an encrypted (or signed-and-encrypted) message is in transit, an active intermediary can strip or tamper with any Header Field that appears outside the Cryptographic Envelope. A rendering MUA that naively infers cryptographic status from differences between the external Header Fields and those found in the Cryptographic Envelope could be tricked into overestimating the protections afforded to some Header Fields.

For example, if the original composer's HCP passes through the Cc Header Field unchanged, a cleanly delivered message would indicate that the Cc Header Field has a cryptographic status of signed. But if an intermediary attacker simply removes the Header Field from the Outer Header Section before forwarding the message, then the naive recipient might believe that the field has a cryptographic status of signed-and-encrypted.

This document offers protection against such an attack by way of the HP-Outer Header Fields (see Section 2.2) that can be found on the Cryptographic Payload. If a Header Field appears to have been obscured by inspection of the Outer Header Section but an HP-Outer Header Field matches it exactly, then the rendering MUA can indicate to the user that the Header Field in question may not have been confidential.

In such a case, a cautious MUA may render the Header Field in question as signed (because the composer did not hide it) but still treat it as signed-and-encrypted during reply to avoid accidental leakage of the cleartext value in the reply message, as described in Section 6.1.
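
The checks from Section 10.2 (the hp parameter) and Section 11.3 (HP-Outer) applied to two constructed messages, as an added Python example that is not part of the RFC text and is a simplified sketch rather than the algorithm of Section 4.3. The Received model, the function names and the sample Header Fields are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Field = Tuple[str, str]
CONFIDENTIAL = ("signed-and-encrypted", "encrypted-only")


@dataclass
class Received:
    """Constructed model of a message after its Cryptographic Envelope is unwrapped."""
    outer: List[Field]      # Outer Header Section as delivered (modifiable in transit)
    inner: List[Field]      # protected Header Fields of the Cryptographic Payload
    hp_outer: List[Field]   # (name, value) pairs parsed from the payload's HP-Outer fields
    hp: Optional[str]       # hp parameter of the payload's Content-Type
    signed: bool            # a valid signature layer is present
    encrypted: bool         # an encryption layer was actually present on receipt


def _keys(fields):
    # Assumption of this example: names compare case-insensitively, values verbatim.
    return {(n.lower(), v) for n, v in fields}


def naive_status(msg, name, value):
    """Flawed: treats absence from the Outer Header Section as proof of confidentiality."""
    if msg.encrypted and (name.lower(), value) not in _keys(msg.outer):
        return "signed-and-encrypted" if msg.signed else "encrypted-only"
    return "signed-only" if msg.signed else "unprotected"


def hp_outer_status(msg, name, value):
    """Status of a protected Header Field, using only data inside the envelope."""
    if msg.hp is None:
        raise ValueError("payload has no hp parameter: no Header Protection to evaluate")
    not_confidential = "signed-only" if msg.signed else "unprotected"
    if not msg.encrypted:
        return not_confidential      # hp="cipher" only records the composer's intent
    if msg.hp != "cipher":
        return not_confidential      # encryption layer likely added after composition
    if (name.lower(), value) in _keys(msg.hp_outer):
        return not_confidential      # composer left this exact field in the clear
    return "signed-and-encrypted" if msg.signed else "encrypted-only"


def confidential_in_reply(msg, name, value):
    """Cautious reply handling described in Section 11.3."""
    if not msg.encrypted or msg.hp != "cipher":
        return False
    if hp_outer_status(msg, name, value) in CONFIDENTIAL:
        return True
    # Exposed by the composer but missing on arrival: do not re-expose it in a reply.
    return (name.lower(), value) not in _keys(msg.outer)


def stripped_cc_message():
    """Constructed: the HCP passed Cc through, an intermediary removed the outer copy."""
    return Received(
        outer=[("From", "alice@example.com"), ("Subject", "[...]")],
        inner=[("From", "alice@example.com"), ("Subject", "Merger timeline"),
               ("Cc", "carol@example.net")],
        hp_outer=[("From", "alice@example.com"), ("Subject", "[...]"),
                  ("Cc", "carol@example.net")],
        hp="cipher", signed=True, encrypted=True)


def wrapped_in_transit_message():
    """Constructed: a signed-only message (hp="clear") wrapped in encryption en route."""
    return Received(
        outer=[("From", "alice@example.com")],
        inner=[("From", "alice@example.com"), ("Subject", "Lunch on Friday")],
        hp_outer=[], hp="clear", signed=True, encrypted=True)


if __name__ == "__main__":
    for build in (stripped_cc_message, wrapped_in_transit_message):
        msg = build()
        print(build.__name__)
        for name, value in msg.inner:
            print(f"  {name}: naive={naive_status(msg, name, value)}"
                  f" hp_outer={hp_outer_status(msg, name, value)}"
                  f" reply_confidential={confidential_in_reply(msg, name, value)}")
```
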

11.4. Privacy and Deliverability Risks with Bcc and Encrypted Messages

As noted in Section 9.3 of [RFC9787], handling Bcc when generating an encrypted email message can be particularly tricky. With Header Protection, there is an additional wrinkle. When an encrypted email message with Header Protection has a Bcc'ed recipient, and the composing MUA explicitly includes the Bcc'ed recipient's address in their copy of the message (see the "second method" in Section 3.6.3 of [RFC5322]), that Bcc Header Field will always be visible to the Bcc'ed recipient.

In this scenario, though, the composing MUA has one additional choice: whether or not to hide the Bcc Header Field from intervening message transport agents by returning null when the HCP is invoked for Bcc. If the composing MUA's rationale for including an explicit Bcc in the copy of the message sent to the Bcc recipient is to ensure deliverability via a message transport agent that inspects message Header Fields, then stripping the Bcc field during encryption may cause the intervening transport agent to drop the message entirely. This is why Bcc is not explicitly stripped in hcp_baseline.

On the other hand, if deliverability to a Bcc'ed recipient is not a concern, the most privacy-preserving option is to simply omit the Bcc Header Field from the protected Header Section in the first place. An MUA that is capable of receiving and processing such a message can infer that since their user's address was not mentioned in any To or Cc Header Field, they were likely a Bcc recipient.

Please also see Section 9.4 of [RFC9787] for more discussion about Bcc and encrypted messages.

12. IANA Considerations

This document registers an email Header Field, describes parameters for the Content-Type Header Field, and establishes a registry for Header Confidentiality Policies to facilitate HCP evolution.

12.1. Registration of the HP-Outer Header Field

IANA has registered the following Header Field in the "Permanent Message Header Field Names" registry within the "Message Headers" registry group <https://www.iana.org/assignments/message-headers> in accordance with [RFC3864].

Table 2: Addition to the Permanent Message Header Field Names Registry

| Header Field Name | Protocol | Status   | Reference                 |
|-------------------|----------|----------|---------------------------|
| HP-Outer          | mail     | standard | Section 2.2.1 of RFC 9788 |

Note that the Template and Trace columns are empty and therefore not included in the table.

The Author/Change Controller (Section 4.5 of [RFC3864]) for this entry is the IETF.

12.2. Reference Update for the Content-Type Header Field

This document defines the Content-Type parameters known as hp (in Section 2.1.1) and hp-legacy-display (in Section 2.1.2). Consequently, IANA has added this document as a reference for Content-Type in the "Permanent Message Header Field Names" registry as shown below.

Table 3: Permanent Message Header Field Names Registry

| Header Field Name | Protocol | Reference              |
|-------------------|----------|------------------------|
| Content-Type      | MIME     | [RFC4021] and RFC 9788 |

Note that the Template and Trace columns are empty and therefore not included in the table.

12.3. New Mail Header Confidentiality Policies Registry

IANA has created a new registry titled "Mail Header Confidentiality Policies" within the "MAIL Parameters" registry group <https://www.iana.org/assignments/mail-parameters/> with the following content:

Table 4: Mail Header Confidentiality Policies Registry

| Header Confidentiality Policy Name | Description | Recommended | Reference |
|------------------------------------|-------------|-------------|-----------|
| hcp_no_confidentiality | No header confidentiality | N | Section 3.2.3 of RFC 9788 |
| hcp_baseline | Confidentiality for Informational Header Fields: Subject Header Field is obscured, Keywords and Comments are removed | Y | Section 3.2.1 of RFC 9788 |
| hcp_shy | Obscure Subject, remove Keywords and Comments, remove the time zone from Date, and remove display-names from From, To, and Cc | N | Section 3.2.2 of RFC 9788 |

Note that hcp_example_hide_cc is offered as an example in Section 3.1 but is not formally registered by this document.

The following textual note has been added to this registry:

Adding an entry to this registry with an N in the "Recommended" column follows the registration policy of Specification Required. Adding an entry to this registry with a Y in the "Recommended" column or changing the "Recommended" column in an existing entry (from N to Y or vice versa) requires IETF Review.

Note that during IETF Review, the designated expert must be consulted. Guidance for the designated expert can be found in Section 3.4.2.

Additionally, this textual note has been added to the registry:

The Header Confidentiality Policy Name never appears on the wire. This registry merely tracks stable references to implementable descriptions of distinct policies. Any addition to this registry should be governed by guidance in Section 3.4.2 of RFC 9788.

13. References

13.1. Normative References

[RFC2045]
Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, DOI 10.17487/RFC2045, <https://www.rfc-editor.org/info/rfc2045>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/info/rfc2119>.
[RFC3864]
Klyne, G., Nottingham, M., and J. Mogul, "Registration Procedures for Message Header Fields", BCP 90, RFC 3864, DOI 10.17487/RFC3864, <https://www.rfc-editor.org/info/rfc3864>.
[RFC5083]
Housley, R., "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type", RFC 5083, DOI 10.17487/RFC5083, <https://www.rfc-editor.org/info/rfc5083>.
[RFC5234]
Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, <https://www.rfc-editor.org/info/rfc5234>.
[RFC5322]
Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, <https://www.rfc-editor.org/info/rfc5322>.
[RFC5652]
Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, <https://www.rfc-editor.org/info/rfc5652>.
[RFC8126]
Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8551]
Schaad, J., Ramsdell, B., and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, <https://www.rfc-editor.org/info/rfc8551>.
[RFC9580]
Wouters, P., Ed., Huigens, D., Winter, J., and Y. Niibe, "OpenPGP", RFC 9580, DOI 10.17487/RFC9580, <https://www.rfc-editor.org/info/rfc9580>.
[RFC9787]
Gillmor, D. K., Ed., Melnikov, A., Ed., and B. Hoeneisen, Ed., "Guidance on End-to-End Email Security", RFC 9787, DOI 10.17487/RFC9787, <https://www.rfc-editor.org/info/rfc9787>.

13.2. Informative References

[chrome-indicators]
Schechter, E., "Evolving Chrome's security indicators", Chromium Blog, <https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html>.
[CSS]
Bos, B., Ed., "Cascading Style Sheets Level 2 Revision 2 (CSS 2.2) Specification", W3C First Public Working Draft, <https://www.w3.org/TR/2016/WD-CSS22-20160412/>. Latest version available at <https://www.w3.org/TR/CSS22/>.
[HTML-ESCAPES]
W3C, "Using character escapes in markup and CSS", <https://www.w3.org/International/questions/qa-escapes#use>.
[PEP-EMAIL]
Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp): Email Formats and Protocols", Work in Progress, Internet-Draft, draft-pep-email-03, <https://datatracker.ietf.org/doc/html/draft-pep-email-03>.
[PEP-GENERAL]
Birk, V., Marques, H., and B. Hoeneisen, "pretty Easy privacy (pEp): Privacy by Default", Work in Progress, Internet-Draft, draft-pep-general-03, <https://datatracker.ietf.org/doc/html/draft-pep-general-03>.
[PGPCONTROL]
UUNET Technologies, Inc., "Authentication of Usenet Group Changes", <https://ftp.isc.org/pub/pgpcontrol/>.
[PGPVERIFY-FORMAT]
Lawrence, D. C., "Signing Control Messages, Verifying Control Messages", <https://www.eyrie.org/~eagle/usefor/other/pgpverify>.
[PROTECTED-HEADERS]
Einarsson, B. R., juga, and D. K. Gillmor, "(Deprecated) Protected E-mail Headers", Work in Progress, Internet-Draft, draft-autocrypt-lamps-protected-headers-03, <https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-03>.
[RFC1035]
Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2047]
Moore, K., "MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text", RFC 2047, DOI 10.17487/RFC2047, <https://www.rfc-editor.org/info/rfc2047>.
[RFC2049]
Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples", RFC 2049, DOI 10.17487/RFC2049, <https://www.rfc-editor.org/info/rfc2049>.
[RFC3156]
Elkins, M., Del Torto, D., Levien, R., and T. Roessler, "MIME Security with OpenPGP", RFC 3156, DOI 10.17487/RFC3156, <https://www.rfc-editor.org/info/rfc3156>.
[RFC3851]
Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, DOI 10.17487/RFC3851, <https://www.rfc-editor.org/info/rfc3851>.
[RFC4021]
Klyne, G. and J. Palme, "Registration of Mail and MIME Header Fields", RFC 4021, DOI 10.17487/RFC4021, <https://www.rfc-editor.org/info/rfc4021>.
[RFC5751]
Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, DOI 10.17487/RFC5751, <https://www.rfc-editor.org/info/rfc5751>.
[RFC5890]
Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, <https://www.rfc-editor.org/info/rfc5890>.
[RFC5891]
Klensin, J., "Internationalized Domain Names in Applications (IDNA): Protocol", RFC 5891, DOI 10.17487/RFC5891, <https://www.rfc-editor.org/info/rfc5891>.
[RFC6376]
Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, <https://www.rfc-editor.org/info/rfc6376>.
[RFC7489]
Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", RFC 7489, DOI 10.17487/RFC7489, <https://www.rfc-editor.org/info/rfc7489>.
[RFC7929]
Wouters, P., "DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP", RFC 7929, DOI 10.17487/RFC7929, <https://www.rfc-editor.org/info/rfc7929>.
[RFC8162]
Hoffman, P. and J. Schlyter, "Using Secure DNS to Associate Certificates with Domain Names for S/MIME", RFC 8162, DOI 10.17487/RFC8162, <https://www.rfc-editor.org/info/rfc8162>.
[RFC8617]
Andersen, K., Long, B., Ed., Blank, S., Ed., and M. Kucherawy, Ed., "The Authenticated Received Chain (ARC) Protocol", RFC 8617, DOI 10.17487/RFC8617, <https://www.rfc-editor.org/info/rfc8617>.
[RFC9216]
Gillmor, D. K., Ed., "S/MIME Example Keys and Certificates", RFC 9216, DOI 10.17487/RFC9216, <https://www.rfc-editor.org/info/rfc9216>.

Appendix A. Table of Pseudocode Listings

This document contains guidance with pseudocode descriptions. Each algorithm is listed here for easy reference.

Table 5: Table of Pseudocode Listings

| Method Name | Description | Reference |
|---|---|---|
| HeaderSetsFromMessage | Derive "outer" and "protected" sets of Header Fields from a given message | Section 4.2.1 |
| HeaderFieldProtection | Calculate cryptographic protections for a Header Field in a given message | Section 4.3.1 |
| ReferenceHCP | Produce an ephemeral HCP to use when responding to a given message | Section 6.1.2 |
| ComposeNoHeaderProtection | Legacy Message composition with end-to-end cryptographic protections (but no Header Protection) | Section 5.1.1 |
| Compose | Compose a message with end-to-end cryptographic protections including Header Protection | Section 5.2.1 |

Appendix B. Possible Problems with Legacy MUAs

When an email message with end-to-end cryptographic protection is rendered by an MUA, the user might experience many different possible problematic interactions. A message with Header Protection may introduce new forms of user experience failure.

In this section, the authors enumerate different kinds of failures we have observed when reviewing, rendering, and replying to messages with different forms of Header Protection in different Legacy MUAs. Different Legacy MUAs demonstrate different subsets of these problems.

A conformant MUA would not exhibit any of these problems. An implementer updating their Legacy MUA to be compliant with this specification should consider these concerns and try to avoid them.

Recall that "protected" refers to the values of the inner Header Fields, e.g., the real Subject, and "unprotected" refers to the values of the outer Header Fields, e.g., the replacement Subject.

B.1. Problems Viewing Messages in a List View

  • Unprotected Subject, Date, From, and To Header Fields are visible (instead of being replaced by protected values)

  • Threading is not visible

B.2. Problems When Rendering a Message

  • Unprotected Subject is visible

  • Protected Subject (on its own) is visible in the Body

  • Protected Subject, Date, From, and To Header Fields are visible in the Body

  • User interaction needed to view the whole message

  • User interaction needed to view the message Body

  • User interaction needed to view the protected Subject

  • Impossible to view the protected Subject

  • Nuisance alarms during user interaction

  • Impossible to view the message Body

  • Appears as a forwarded message

  • Appears as an attachment

  • Security indicators not visible

  • Security indicators do not identify the protection status of Header Fields

  • User has multiple different methods to reply (e.g., reply to outer, reply to inner)

  • User sees English "Subject:" in Body despite message itself being in non-English

  • Security indicators do not identify the protection status of Header Fields

  • Header Fields in the Body render with local Header Field names (e.g., showing "Betreff" instead of "Subject") and dates (TZ, locale)

B.3. Problems When Replying to a Message

Note that the use case here is:

  • User views a message, to the point where they can read it

  • User then replies to the message, and they are shown a message composition window, which has some UI elements

  • If the MUA has multiple different methods to reply to a message, each way may need to be evaluated separately

This section also uses the shorthand UI:x to mean "the UI element that the user can edit that they think of as x".

  • Unprotected Subject is in UI:subject (instead of the protected Subject)

  • Protected Subject is quoted in UI:body (from Legacy Display Element)

  • Protected Subject leaks when the reply is serialized into MIME

  • Protected Subject is not anywhere in UI

  • Message Body is not visible/quoted in UI:body

  • User cannot reply while viewing protected message

  • Reply is not encrypted by default (but is for legacy signed-and-encrypted messages without Header Protection)

  • Unprotected From or Reply-To Header Field is in UI:To (instead of the protected From or Reply-To Header Field)

  • User's locale (lang, TZ) leaks in quoted Body

  • Header Fields not protected (and in particular, Subject is not obscured) by default

Appendix C. Test Vectors

This section contains sample messages using the specification defined above. Each sample contains a MIME object, a textual and diagrammatic view of its structure, and examples of how an MUA might render it.

The cryptographic protections used in this document use the S/MIME standard, and keying material and certificates come from [RFC9216].

These messages should be accessible to any IMAP client at imap://bob@header-protection.cmrg.net/ (any password should authenticate to this read-only IMAP mailbox).

Copies of these test vectors can also be downloaded separately at <https://header-protection.cmrg.net>.

If any of the messages downloaded differ from those offered here, this document is the canonical source.

C.1. Baseline Messages

These messages offer no Header Protection at all and can be used as a baseline. They are provided in this document as a counterexample. An MUA implementer can use these Messages to verify that the reported Cryptographic Summary of the Message indicates no Header Protection.

C.1.1. No Cryptographic Protections over a Simple Message

This message uses no cryptographic protection at all. Its Body is a text/plain message.

It has the following structure:

└─╴text/plain 152 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Subject: no-crypto
Message-ID: <no-crypto@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:00:02 -0500
User-Agent: Sample MUA Version 1.0

This is the
no-crypto
message.

This message uses no cryptographic protection at all.  Its Body
is a text/plain message.

-- 
Alice
alice@smime.example

C.1.2. S/MIME Signed-Only signedData over a Simple Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a text/plain message. It uses no Header Protection.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 3856 bytes
 ┴ (unwraps to)
 └─╴text/plain 206 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part
Message-ID: <smime-one-part@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:01:02 -0500
User-Agent: Sample MUA Version 1.

C.1.2.1. S/MIME Signed-Only signedData over a Simple Message, No Header Protection, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

This is the
smime-one-part
message.

This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a text/plain message. It uses no Header Protection.

-- 
Alice
alice@smime.example

C.1.3. S/MIME Signed-Only multipart/signed over a Simple Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses no Header Protection.

It has the following structure:

└┬╴multipart/signed 4187 bytes
 ├─╴text/plain 224 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="e19"; micalg="sha-256"
Subject: smime-multipart
Message-ID: <smime-multipart@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:02:02 -0500
User-Agent: Sample MUA Version 1.0

--e19
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

This is the
smime-multipart
message.

This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a text/plain
message. It uses no Header Protection.

-- 
Alice
alice@smime.example

--e19
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--e19--

C.1.4. S/MIME Signed-and-Encrypted over a Simple Message, No Header Protection

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses no Header Protection.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 6720 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 3960 bytes
  ┴ (unwraps to)
  └─╴text/plain 241 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: smime-signed-enc
Message-ID: <smime-signed-enc@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:03:02 -0500
User-Agent: Sample MUA Version 1.

C.1.4.1. S/MIME Signed-and-Encrypted over a Simple Message, No Header Protection, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.1.4.2. S/MIME Signed-and-Encrypted over a Simple Message, No Header Protection, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

This is the
smime-signed-enc
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses no Header Protection.

-- 
Alice
alice@smime.example

C.1.5. No Cryptographic Protections over a Complex Message

This message uses no cryptographic protection at all. Its Body is a multipart/alternative message with an inline image/png attachment.

It has the following structure:

└┬╴multipart/mixed 1402 bytes
 ├┬╴multipart/alternative 794 bytes
 │├─╴text/plain 206 bytes
 │└─╴text/html 304 bytes
 └─╴image/png inline 232 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0cf"
Subject: no-crypto-complex
Message-ID: <no-crypto-complex@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:00:02 -0500
User-Agent: Sample MUA Version 1.0

--0cf
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="6e6"

--6e6
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
no-crypto-complex
message.

This message uses no cryptographic protection at all.  Its Body
is a multipart/alternative message with an inline image/png
attachment.

-- 
Alice
alice@smime.example

--6e6
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>no-crypto-complex</b>
message.</p>
<p>This message uses no cryptographic protection at all.  Its Body
is a multipart/alternative message with an inline image/png
attachment.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>

--6e6--

--0cf
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--0cf--

C.1.6. S/MIME Signed-Only signedData over a Complex Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses no Header Protection.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 5253 bytes
 ┴ (unwraps to)
 └┬╴multipart/mixed 1288 bytes
  ├┬╴multipart/alternative 882 bytes
  │├─╴text/plain 260 bytes
  │└─╴text/html 355 bytes
  └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-complex
Message-ID: <smime-one-part-complex@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:01:02 -0500
User-Agent: Sample MUA Version 1.

C.1.6.1. S/MIME Signed-Only signedData over a Complex Message, No Header Protection, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="db0"

--db0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="51d"

--51d
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-one-part-complex
message.

This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a multipart/alternative message with an inline
image/png attachment. It uses no Header Protection.

-- 
Alice
alice@smime.example

--51d
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-one-part-complex</b>
message.</p>
<p>This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a multipart/alternative message with an inline
image/png attachment. It uses no Header Protection.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>

--51d--

--db0
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--db0--

C.1.7. S/MIME Signed-Only multipart/signed over a Complex Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses no Header Protection.

It has the following structure:

└┬╴multipart/signed 5230 bytes
 ├┬╴multipart/mixed 1344 bytes
 │├┬╴multipart/alternative 938 bytes
 ││├─╴text/plain 278 bytes
 ││└─╴text/html 376 bytes
 │└─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="872"; micalg="sha-256"
Subject: smime-multipart-complex
Message-ID: <smime-multipart-complex@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:02:02 -0500
User-Agent: Sample MUA Version 1.0

--872
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="757"

--757
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="3ff"

--3ff
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-multipart-complex
message.

This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses no Header Protection.

-- 
Alice
alice@smime.example

--3ff
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-multipart-complex</b>
message.</p>
<p>This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses no Header Protection.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>

--3ff--

--757
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--757--

--872
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--872--

C.1.8. S/MIME Signed-and-Encrypted over a Complex Message, No Header Protection

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses no Header Protection.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 8710 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 5434 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 1356 bytes
   ├┬╴multipart/alternative 950 bytes
   │├─╴text/plain 295 bytes
   │└─╴text/html 390 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: smime-signed-enc-complex
Message-ID: <smime-signed-enc-complex@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:03:02 -0500
User-Agent: Sample MUA Version 1.

C.1.8.1. S/MIME Signed-and-Encrypted over a Complex Message, No Header Protection, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.1.8.2. S/MIME Signed-and-Encrypted over a Complex Message, No Header Protection, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="363"

--363
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="f27"

--f27
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-signed-enc-complex
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses no Header Protection.

-- 
Alice
alice@smime.example

--f27
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-signed-enc-complex</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses no Header Protection.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>

--f27--

--363
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--363--

C.2. Signed-Only Messages

These messages are signed-only, using different schemes of Header Protection and different S/MIME structures. They use no HCP because the HCP is only relevant when a message is encrypted.

C.2.1. S/MIME Signed-Only signedData over a Simple Message, Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 4189 bytes
 ┴ (unwraps to)
 └─╴text/plain 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-hp
Message-ID: <smime-one-part-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:06:02 -0500
User-Agent: Sample MUA Version 1.

C.2.1.1. S/MIME Signed-Only signedData over a Simple Message, Header Protection, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-one-part-hp
Message-ID: <smime-one-part-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:06:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="clear"

This is the
smime-one-part-hp
message.

This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a text/plain message. It uses the Header Protection
scheme from RFC 9788.

-- 
Alice
alice@smime.example

C.2.2. S/MIME Signed-Only multipart/signed over a Simple Message, Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788.

It has the following structure:

└┬╴multipart/signed 4434 bytes
 ├─╴text/plain 249 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="54f"; micalg="sha-256"
Subject: smime-multipart-hp
Message-ID: <smime-multipart-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:07:02 -0500
User-Agent: Sample MUA Version 1.0

--54f
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-multipart-hp
Message-ID: <smime-multipart-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:07:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="clear"

This is the
smime-multipart-hp
message.

This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788.

-- 
Alice
alice@smime.example

--54f
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--54f--
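
An added example (not part of RFC 9788 or of the test-vector tooling): a Python check that an MUA test harness could run over multipart/signed messages shaped like C.1.3 and C.2.2, reporting whether the signed part carries the hp parameter and which outer Header Fields it repeats, differs from, or omits. The messages are constructed, the signature part is a placeholder that is never verified, and the function names and the rule that MIME-Version and Content-* fields are structural are assumptions of this example.

```python
from email import message_from_string


def is_structural(name):
    # Assumption of this example: MIME-Version and Content-* fields describe
    # MIME structure rather than the message, so they are never compared.
    name = name.lower()
    return name == "mime-version" or name.startswith("content-")


def header_sets(raw):
    """Return (outer, protected, hp) for a raw multipart/signed message."""
    msg = message_from_string(raw)
    outer = [(k, v) for k, v in msg.items() if not is_structural(k)]
    protected, hp = [], None
    if msg.get_content_type() == "multipart/signed" and msg.is_multipart():
        payload = msg.get_payload(0)      # the signed part
        hp = payload.get_param("hp")      # None when the parameter is absent
        # Signed-only vectors use hp="clear"; "cipher" is the value RFC 9788
        # uses for encrypted messages.
        if hp in ("clear", "cipher"):
            protected = [(k, v) for k, v in payload.items()
                         if not is_structural(k)]
    return outer, protected, hp


def summarize(raw):
    """Classify each outer Header Field against the signed part's copy.

    "covered" only means the signed part repeats the same value; it is a
    cryptographic statement only once the signature itself has verified.
    """
    outer, protected, hp = header_sets(raw)
    inner = {}
    for name, value in protected:
        inner.setdefault(name.lower(), []).append(value)
    report = {"hp": hp, "covered": [], "unprotected": [], "mismatch": []}
    for name, value in outer:
        values = inner.get(name.lower())
        if values is None:
            report["unprotected"].append(name)
        elif value in values:
            report["covered"].append(name)
        else:
            report["mismatch"].append(name)
    # The Subject to render: the protected one when present, else the outer.
    outer_subject = dict((n.lower(), v) for n, v in outer).get("subject")
    report["subject"] = inner.get("subject", [outer_subject])[0]
    return report


# Constructed sample data, modelled on the header fields of C.2.2.
FIELDS = (
    "Subject: smime-multipart-hp\n"
    "Message-ID: <smime-multipart-hp@example>\n"
    "From: Alice <alice@smime.example>\n"
    "To: Bob <bob@smime.example>\n"
    "Date: Sat, 20 Feb 2021 10:07:02 -0500\n"
)


def sample(outer_fields, inner_fields, hp):
    """Build a constructed multipart/signed message (placeholder signature)."""
    ctype = 'Content-Type: text/plain; charset="utf-8"'
    if hp:
        ctype += '; hp="%s"' % hp
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
        ' boundary="54f"; micalg="sha-256"\n'
        + outer_fields +
        "\n--54f\n"
        "MIME-Version: 1.0\n"
        + inner_fields + ctype +
        "\n\nThis is the test message body.\n"
        "\n--54f\n"
        'Content-Type: application/pkcs7-signature; name="smime.p7s"\n'
        "\nPLACEHOLDER-SIGNATURE\n"
        "\n--54f--\n"
    )


BASELINE = sample(FIELDS, "", None)          # shape of C.1.3: no hp parameter
PROTECTED = sample(FIELDS, FIELDS, "clear")  # shape of C.2.2
# Outer Subject rewritten after signing (for example by a list or gateway).
ALTERED = sample(
    FIELDS.replace("Subject: smime-multipart-hp\n",
                   "Subject: [list] smime-multipart-hp\n"),
    FIELDS, "clear")

if __name__ == "__main__":
    for label, raw in (("baseline", BASELINE), ("protected", PROTECTED),
                       ("altered", ALTERED)):
        print(label, summarize(raw))
```
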

C.2.3. S/MIME Signed-Only signedData over a Complex Message, Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 5643 bytes
 ┴ (unwraps to)
 └┬╴multipart/mixed 1568 bytes
  ├┬╴multipart/alternative 932 bytes
  │├─╴text/plain 286 bytes
  │└─╴text/html 381 bytes
  └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-complex-hp
Message-ID: <smime-one-part-complex-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:06:02 -0500
User-Agent: Sample MUA Version 1.

C.2.3.1. S/MIME Signed-Only signedData over a Complex Message, Header Protection, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-one-part-complex-hp
Message-ID: <smime-one-part-complex-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:06:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="ab8"; hp="clear"

--ab8
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0f4"

--0f4
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-one-part-complex-hp
message.

This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a multipart/alternative message with an inline
image/png attachment. It uses the Header Protection scheme from
RFC 9788.

-- 
Alice
alice@smime.example

--0f4
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-one-part-complex-hp</b>
message.</p>
<p>This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a multipart/alternative message with an inline
image/png attachment. It uses the Header Protection scheme from
RFC 9788.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>

--0f4--

--ab8
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--ab8--

C.2.4. S/MIME Signed-Only multipart/signed over a Complex Message, Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788.

It has the following structure:

└┬╴multipart/signed 5518 bytes ├┬╴multipart/mixed 1626 bytes │├┬╴multipart/alternative 988 bytes ││├─╴text/plain 303 bytes ││└─╴text/html 401 bytes │└─╴image/png inline 232 bytes └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="a64"; micalg="sha-256"
Subject: smime-multipart-complex-hp
Message-ID: <smime-multipart-complex-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:07:02 -0500
User-Agent: Sample MUA Version 1.0

--a64
MIME-Version: 1.0
Subject: smime-multipart-complex-hp
Message-ID: <smime-multipart-complex-hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:07:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="550"; hp="clear"

--550
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="fcd"

--fcd
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-multipart-complex-hp
message.

This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788.

-- 
Alice
alice@smime.example
--fcd
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-multipart-complex-hp</b>
message.</p>
<p>This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--fcd--

--550
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

--550--

--a64
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--a64--

C.2.5. S/MIME Signed-Only signedData over a Complex Message, Legacy RFC 8551 Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the legacy RFC 8551 Header Protection (RFC8551HP) scheme.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 5696 bytes
 ┴ (unwraps to)
 └┬╴message/rfc822 1660 bytes
  └┬╴multipart/mixed 1612 bytes
   ├┬╴multipart/alternative 974 bytes
   │├─╴text/plain 296 bytes
   │└─╴text/html 394 bytes
   └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-complex-rfc8551hp
Message-ID: <smime-one-part-complex-rfc8551hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:26:02 -0500
User-Agent: Sample MUA Version 1.0

C.2.5.1. S/MIME Signed-Only signedData over a Complex Message, Legacy RFC 8551 Header Protection, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="fcc"
Subject: smime-one-part-complex-rfc8551hp
Message-ID: <smime-one-part-complex-rfc8551hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:26:02 -0500
User-Agent: Sample MUA Version 1.0

--fcc
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0f8"

--0f8
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-one-part-complex-rfc8551hp
message.

This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a multipart/alternative message with an inline
image/png attachment. It uses the legacy RFC 8551 Header
Protection (RFC8551HP) scheme.

-- 
Alice
alice@smime.example
--0f8
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-one-part-complex-rfc8551hp</b>
message.</p>
<p>This is a signed-only S/MIME message via PKCS#7 signedData.  The
payload is a multipart/alternative message with an inline
image/png attachment. It uses the legacy RFC 8551 Header
Protection (RFC8551HP) scheme.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--0f8--

--fcc
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

--fcc--

C.2.6. S/MIME Signed-Only multipart/signed over a Complex Message, Legacy RFC 8551 Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the legacy RFC 8551 Header Protection (RFC8551HP) scheme.

It has the following structure:

└┬╴multipart/signed 5624 bytes
 ├┬╴message/rfc822 1718 bytes
 │└┬╴multipart/mixed 1670 bytes
 │ ├┬╴multipart/alternative 1030 bytes
 │ │├─╴text/plain 324 bytes
 │ │└─╴text/html 422 bytes
 │ └─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="740"; micalg="sha-256"
Subject: smime-multipart-complex-rfc8551hp
Message-ID: <smime-multipart-complex-rfc8551hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:27:02 -0500
User-Agent: Sample MUA Version 1.0

--740
MIME-Version: 1.0
Content-Type: message/rfc822

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="cf8"
Subject: smime-multipart-complex-rfc8551hp
Message-ID: <smime-multipart-complex-rfc8551hp@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:27:02 -0500
User-Agent: Sample MUA Version 1.0

--cf8
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="e8a"

--e8a
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-multipart-complex-rfc8551hp
message.

This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the legacy RFC 8551 Header Protection
(RFC8551HP) scheme.

-- 
Alice
alice@smime.example
--e8a
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-multipart-complex-rfc8551hp</b>
message.</p>
<p>This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed).  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the legacy RFC 8551 Header Protection
(RFC8551HP) scheme.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--e8a--

--cf8
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

--cf8--

--740
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--740--

C.3. Signed-and-Encrypted Messages

These messages are signed and encrypted. They use PKCS#7 signedData inside envelopedData, with different Header Protection schemes and different Header Confidentiality Policies.

C.3.1. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_baseline

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 7825 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 4786 bytes
  ┴ (unwraps to)
  └─╴text/plain 330 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:09:02 -0500
User-Agent: Sample MUA Version 1.0

C.3.1.1. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_baseline, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.1.2. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_baseline, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline
Message-ID: <smime-signed-enc-hp-baseline@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:09:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-baseline@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 10:09:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="cipher"

This is the
smime-signed-enc-hp-baseline
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_baseline` Header Confidentiality Policy.

-- 
Alice
alice@smime.example

C.3.2. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_baseline (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 8085 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 4972 bytes
  ┴ (unwraps to)
  └─╴text/plain 418 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline-legacy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:10:02 -0500
User-Agent: Sample MUA Version 1.0

C.3.2.1. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.2.2. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline-legacy
Message-ID: <smime-signed-enc-hp-baseline-legacy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:10:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-baseline-legacy@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 10:10:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp-legacy-display="1"; hp="cipher"

Subject: smime-signed-enc-hp-baseline-legacy

This is the
smime-signed-enc-hp-baseline-legacy
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_baseline` Header Confidentiality Policy with a "Legacy
Display" element.

-- 
Alice
alice@smime.example

C.3.3. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_shy

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 7760 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 4732 bytes
  ┴ (unwraps to)
  └─╴text/plain 320 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-shy@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 15:12:02 +0000
User-Agent: Sample MUA Version 1.0

C.3.3.1. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_shy, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.3.2. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_shy, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy
Message-ID: <smime-signed-enc-hp-shy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:12:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 15:12:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="cipher"

This is the
smime-signed-enc-hp-shy
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_shy` Header Confidentiality Policy.

-- 
Alice
alice@smime.example
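The decrypted and unwrapped payload above carries both the protected header fields and HP-Outer copies of what the sender placed on the outside of the message. The following added example, which is not part of RFC 9788, compares the two to report which protected fields were also visible outside the encryption. The function names, the status labels, and the treatment of MIME-Version and Content-* as structural fields are assumptions of this example.

```python
from email import message_from_string

# Header section copied from C.3.3.2 (line breaks restored); body shortened.
C_3_3_2_PAYLOAD = """\
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy
Message-ID: <smime-signed-enc-hp-shy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:12:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 15:12:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="cipher"

This is the
smime-signed-enc-hp-shy
message.
"""


def _is_structural(name):
    # Assumption: MIME-Version and Content-* describe the MIME part itself
    # and are not treated as protected message header fields.
    lowered = name.lower()
    return lowered == "mime-version" or lowered.startswith("content-")


def _unfold(value):
    # Collapse folding whitespace so folded and unfolded values compare equal.
    return " ".join(value.split())


def classify_protected_headers(payload_text):
    """Return [(name, value, status)] for the protected header fields of a
    payload the caller has already decrypted and signature-verified."""
    msg = message_from_string(payload_text)
    hp = msg.get_param("hp")
    if hp not in ("clear", "cipher"):
        raise ValueError('Content-Type carries no hp="clear" or hp="cipher"')

    # Each HP-Outer field records one outer header field as "Name: value".
    outer = set()
    for raw in msg.get_all("HP-Outer", []):
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed HP-Outer field: %r" % raw)
        outer.add((name.strip().lower(), _unfold(value)))

    report = []
    for name, value in msg.items():
        if _is_structural(name) or name.lower() == "hp-outer":
            continue
        value = _unfold(value)
        # hp="clear": the sender attempted no header confidentiality.
        # hp="cipher": a field was visible outside only if an HP-Outer
        # entry repeats it with exactly the same value.
        if hp == "clear" or (name.lower(), value) in outer:
            status = "signed-only"
        else:
            status = "signed-and-encrypted"
        report.append((name, value, status))
    return report


if __name__ == "__main__":
    for name, value, status in classify_protected_headers(C_3_3_2_PAYLOAD):
        print("%-22s %s: %s" % (status, name, value))
```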

C.3.4. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_shy (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 8190 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 5050 bytes
  ┴ (unwraps to)
  └─╴text/plain 506 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-shy-legacy@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 15:13:02 +0000
User-Agent: Sample MUA Version 1.0

C.3.4.1. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
HG25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZlRAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtzOKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEmMYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTEzMDJaMC8GCSqGSIb3DQEJBDEiBCCSH/VshGTecXJjFa7ucaLu5N5h+XWZDoRRFzjPTfPjqTANBgkqhkiG9w0BAQEFAASCAQCmZj3YztDO1jbNLEaAm/3QumEiuQzGfQctHOakbQxvEdazDFQuz4XYtnXnadpjedB8CrzjKdgP8A3ls1mzTSrobnZ4hEd9uhuMDgVRUXaEy+0rx+XCfBek2fvCIwuVDT5dZ5k2X95CTtcAhBu4VcXo/WJEiPKAu1/p+iZtRiZeV4jZQBfquGT9sVqKEXkhfyAjl8pynl3yOMoX3AEnPOuFhEDm5Sx383zfzF9jvoaK5wOne/PzZ559tzHJBnv+nQN7UpC4O6LCCIyjzI+hoEV+GP0m0LpClvUcRaplG5vgwshhHJRyjeOtveiRr2vhYuXwo3pR+NzQGx3eaqOnksSP

C.3.4.2. S/MIME Signed-and-Encrypted over a Simple Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy-legacy
Message-ID: <smime-signed-enc-hp-shy-legacy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:13:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy-legacy@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 15:13:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp-legacy-display="1"; hp="cipher"

Subject: smime-signed-enc-hp-shy-legacy
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:13:02 -0500

This is the
smime-signed-enc-hp-shy-legacy
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_shy` Header Confidentiality Policy with a "Legacy
Display" element.

-- 
Alice
alice@smime.example

C.3.5. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_baseline

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 8300 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 5136 bytes
  ┴ (unwraps to)
  └─╴text/plain 336 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:15:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline@example>
References: <smime-signed-enc-hp-baseline@example>

C.3.5.1. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_baseline, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.5.2. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_baseline, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline-reply
Message-ID: <smime-signed-enc-hp-baseline-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:15:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline@example>
References: <smime-signed-enc-hp-baseline@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-baseline-reply@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 10:15:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-hp-baseline@example>
HP-Outer: References: <smime-signed-enc-hp-baseline@example>
Content-Type: text/plain; charset="utf-8"; hp="cipher"

This is the
smime-signed-enc-hp-baseline-reply
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_baseline` Header Confidentiality Policy.

-- 
Alice
alice@smime.example

C.3.6. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_baseline (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 8625 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 5376 bytes
  ┴ (unwraps to)
  └─╴text/plain 430 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline-legacy-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:16:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline-legacy@example>
References: <smime-signed-enc-hp-baseline-legacy@example>

C.3.6.1. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.6.2. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline-legacy-reply
Message-ID: <smime-signed-enc-hp-baseline-legacy-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:16:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline-legacy@example>
References: <smime-signed-enc-hp-baseline-legacy@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-baseline-legacy-reply@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 10:16:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-hp-baseline-legacy@example>
HP-Outer: References: <smime-signed-enc-hp-baseline-legacy@example>
Content-Type: text/plain; charset="utf-8"; hp-legacy-display="1"; hp="cipher"

Subject: smime-signed-enc-hp-baseline-legacy-reply

This is the
smime-signed-enc-hp-baseline-legacy-reply
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_baseline` Header Confidentiality Policy with a "Legacy
Display" element.

-- 
Alice
alice@smime.example

C.3.7. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_shy

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 8190 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 5054 bytes
  ┴ (unwraps to)
  └─╴text/plain 326 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-shy-reply@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 15:18:02 +0000
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy@example>
References: <smime-signed-enc-hp-shy@example>

C.3.7.1. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_shy, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.7.2. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_shy, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy-reply
Message-ID: <smime-signed-enc-hp-shy-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:18:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy@example>
References: <smime-signed-enc-hp-shy@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy-reply@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 15:18:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-hp-shy@example>
HP-Outer: References: <smime-signed-enc-hp-shy@example>
Content-Type: text/plain; charset="utf-8"; hp="cipher"

This is the
smime-signed-enc-hp-shy-reply
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_shy` Header Confidentiality Policy.

-- 
Alice
alice@smime.example

C.3.8. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_shy (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 8690 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 5422 bytes
  ┴ (unwraps to)
  └─╴text/plain 518 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 15:19:02 +0000
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy-legacy@example>
References: <smime-signed-enc-hp-shy-legacy@example>

C.3.8.1. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.8.2. S/MIME Signed-and-Encrypted Reply over a Simple Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy-legacy-reply
Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:19:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy-legacy@example>
References: <smime-signed-enc-hp-shy-legacy@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 15:19:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-hp-shy-legacy@example>
HP-Outer: References: <smime-signed-enc-hp-shy-legacy@example>
Content-Type: text/plain; charset="utf-8"; hp-legacy-display="1"; hp="cipher"

Subject: smime-signed-enc-hp-shy-legacy-reply
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:19:02 -0500

This is the
smime-signed-enc-hp-shy-legacy-reply
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a text/plain
message. It uses the Header Protection scheme from RFC 9788 with
the `hcp_shy` Header Confidentiality Policy with a "Legacy
Display" element.

-- 
Alice
alice@smime.example
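The unwrapped hcp_shy message above carries everything a receiver needs to tell which header fields were hidden from the transport: a protected field whose name and value also appear in an HP-Outer field was visible on the outside, and any other protected field was not. The Python code below is an added example, not part of the RFC or its authors' code; it applies that comparison to the C.3.8.2 message and separates the Legacy Display block from the body. The function names and state labels are choices made for this example, the sample body is shortened, and the signature is assumed to have been validated already.

```python
from email import message_from_string

# Inner message from C.3.8.2 on this page (hcp_shy + Legacy Display).
# The descriptive paragraph and the signature block of the body are omitted.
INNER = """\
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy-legacy-reply
Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:19:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy-legacy@example>
References: <smime-signed-enc-hp-shy-legacy@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 15:19:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-hp-shy-legacy@example>
HP-Outer: References: <smime-signed-enc-hp-shy-legacy@example>
Content-Type: text/plain; charset="utf-8"; hp-legacy-display="1"; hp="cipher"

Subject: smime-signed-enc-hp-shy-legacy-reply
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:19:02 -0500

This is the
smime-signed-enc-hp-shy-legacy-reply
message.
"""


def parse_inner(text):
    """Parse the decrypted payload; the default compat32 policy keeps raw values."""
    return message_from_string(text)


def hp_outer_fields(inner):
    """Return the (name, value) pairs the sender recorded in HP-Outer fields."""
    pairs = set()
    for raw in inner.get_all("HP-Outer", []):
        name, _, value = raw.partition(":")
        pairs.add((name.strip().lower(), value.strip()))
    return pairs


def header_protection(inner):
    """Map each non-structural protected field to a protection state label."""
    if inner.get_param("hp") != "cipher":
        raise ValueError('payload is not marked hp="cipher"')
    outer = hp_outer_fields(inner)
    states = {}
    for name, value in inner.items():
        lname = name.lower()
        # Skip HP-Outer itself and the structural fields (MIME-Version, Content-*)
        if lname in ("hp-outer", "mime-version") or lname.startswith("content-"):
            continue
        visible_outside = (lname, value.strip()) in outer
        states[name] = "signed-only" if visible_outside else "signed-and-encrypted"
    return states


def split_legacy_display(inner):
    """Return (pseudo-header names, body to render) for a text/plain part."""
    body = inner.get_payload()
    if (inner.get_content_type() != "text/plain"
            or inner.get_param("hp-legacy-display") != "1"):
        return [], body
    block, sep, rest = body.partition("\n\n")
    if not sep:  # no blank line ends the block: leave the body untouched
        return [], body
    names = [line.partition(":")[0] for line in block.splitlines() if ":" in line]
    return names, rest


if __name__ == "__main__":
    msg = parse_inner(INNER)
    for field, state in header_protection(msg).items():
        print(f"{field:12} {state}")
    print("Legacy Display fields:", split_legacy_display(msg)[0])
```

For this message the four fields classified as confidential (Subject, From, To, Date) are exactly the ones repeated in the Legacy Display block.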

C.3.9. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_baseline

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 10035 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 6416 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2054 bytes
   ├┬╴multipart/alternative 1126 bytes
   │├─╴text/plain 384 bytes
   │└─╴text/html 479 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-baseline@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:09:02 -0500
User-Agent: Sample MUA Version 1.

C.3.9.1. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_baseline, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.9.2. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_baseline, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline
Message-ID: <smime-signed-enc-complex-hp-baseline@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:09:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-baseline@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 12:09:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="3a3"; hp="cipher"

--3a3
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="f31"

--f31
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-signed-enc-complex-hp-baseline
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--f31
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-signed-enc-complex-hp-baseline</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--f31--

--3a3
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--3a3--

C.3.10. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_baseline (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 10640 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 6870 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2373 bytes
   ├┬╴multipart/alternative 1423 bytes
   │├─╴text/plain 480 bytes
   │└─╴text/html 640 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-baseline-legacy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:10:02 -0500
User-Agent: Sample MUA Version 1.

C.3.10.1. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.10.2. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline-legacy
Message-ID: <smime-signed-enc-complex-hp-baseline-legacy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:10:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-baseline-legacy@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 12:10:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="3c5"; hp="cipher"

--3c5
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="af3"

--af3
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: smime-signed-enc-complex-hp-baseline-legacy

This is the
smime-signed-enc-complex-hp-baseline-legacy
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy with a
"Legacy Display" element.

-- 
Alice
alice@smime.example
--af3
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"

<html><head><title></title></head><body>
<div>
<pre>Subject: smime-signed-enc-complex-hp-baseline-legacy</pre>
</div>
<p>This is the
<b>smime-signed-enc-complex-hp-baseline-legacy</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy with a
"Legacy Display" element.</p>
<p><tt>-- <br>Alice<br>alice@smime.example</tt></p></body></html>
--af3--

--3c5
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--3c5--

C.3.11. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_shy

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 9945 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 6346 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2005 bytes
   ├┬╴multipart/alternative 1106 bytes
   │├─╴text/plain 374 bytes
   │└─╴text/html 469 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-shy@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 17:12:02 +0000
User-Agent: Sample MUA Version 1.

C.3.11.1. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_shy, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
8bq5MpX8NraGtWaL79iK++2nZ4D0D4C4VXYi6lVEio8cvChUS/HURa8ehtmOxwHFKq0+Qw5OA0LvYNNu62oThBLdJzfbirxlQL+q5/xLndvEZkz1ljmiATIEtJ1vvsEdG0vXeLi0Ppa8M50VOVpzK6DQ2Ay7Gu2ebfq99jLY22Cfe3GHab/WrUeJZ7mFmaqBGWM5HN/DtOsBA0zgDBSymieKaXbzfFAzNcgm441xlPMWCWH1ceqgzrq20KHTts6yvpm6/ag==
C.3.11.2. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_shy, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy
Message-ID: <smime-signed-enc-complex-hp-shy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:12:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-shy@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 17:12:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="eb4"; hp="cipher"

--eb4
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="aab"

--aab
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-signed-enc-complex-hp-shy
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--aab
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-signed-enc-complex-hp-shy</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--aab--

--eb4
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--eb4--
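The following Python sketch is an added example, not part of RFC 9788 or its test vectors. It takes the header section of the unwrapped payload shown above and compares each protected header field with the HP-Outer fields to show which values hcp_shy kept off the wire. The labels "confidential" and "visible-on-wire", the function name, and the match rule (same field name and same value after whitespace normalization) are assumptions of this example.

```python
import re
from email import message_from_string

# Header section copied from the C.3.11.2 payload above. The body is a
# constructed placeholder; only the header fields matter for this check.
PAYLOAD = """\
MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy
Message-ID: <smime-signed-enc-complex-hp-shy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:12:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-shy@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 17:12:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="eb4"; hp="cipher"

--eb4
Content-Type: text/plain

(constructed placeholder body)
--eb4--
"""

# Fields that describe the MIME structure or the mechanism itself.
SKIP = {"mime-version", "hp-outer"}


def _norm(value):
    """Unfold and collapse whitespace so folded values compare equal."""
    return re.sub(r"\s+", " ", value).strip()


def classify_headers(payload_text):
    """Return [(field name, label)] for each protected header field.

    Labels are this example's own:
      "confidential"    - the protected value differs from every HP-Outer
                          entry of that name, so it only travelled encrypted
      "visible-on-wire" - the same value was also placed in the outer header
    """
    msg = message_from_string(payload_text)
    hp = msg.get_param("hp")
    if hp not in ("clear", "cipher"):
        raise ValueError("Content-Type carries no usable hp parameter")

    outer = set()
    for raw in msg.get_all("HP-Outer", []):
        name, sep, value = raw.partition(":")
        if sep:
            outer.add((name.strip().lower(), _norm(value)))

    result = []
    for name, value in msg.items():
        lname = name.lower()
        if lname in SKIP or lname.startswith("content-"):
            continue
        if hp == "clear":
            # Signed-only message: nothing was hidden from the transport.
            label = "visible-on-wire"
        elif (lname, _norm(value)) in outer:
            label = "visible-on-wire"
        else:
            label = "confidential"
        result.append((name, label))
    return result


if __name__ == "__main__":
    for field, label in classify_headers(PAYLOAD):
        print(f"{field:12} {label}")
```

For this vector the Subject, the display names in From and To, and the sender's local time zone in Date come out as confidential, while Message-ID and User-Agent were sent unchanged in the outer header.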

C.3.12. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_shy (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 10945 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 7084 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2525 bytes
   ├┬╴multipart/alternative 1605 bytes
   │├─╴text/plain 568 bytes
   │└─╴text/html 740 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 17:13:02 +0000
User-Agent: Sample MUA Version 1.

C.3.12.1. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.12.2. S/MIME Signed-and-Encrypted over a Complex Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy-legacy
Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:13:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 17:13:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="88b"; hp="cipher"

--88b
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="6bd"

--6bd
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: smime-signed-enc-complex-hp-shy-legacy
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:13:02 -0500

This is the
smime-signed-enc-complex-hp-shy-legacy
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy with a "Legacy
Display" element.

-- 
Alice
alice@smime.example
--6bd
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"

<html><head><title></title></head><body>
<div>
<pre>
Subject: smime-signed-enc-complex-hp-shy-legacy
From: Alice &lt;alice@smime.example&gt;
To: Bob &lt;bob@smime.example&gt;
Date: Sat, 20 Feb 2021 12:13:02 -0500
</pre>
</div><p>This is the
<b>smime-signed-enc-complex-hp-shy-legacy</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy with a "Legacy
Display" element.</p>
<p><tt>-- <br>Alice<br>alice@smime.example</tt></p></body></html>
--6bd--

--88b
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--88b--
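The "Legacy Display" element in the text/plain part above repeats the protected header fields as body text for clients that do not understand header protection; an aware client renders the real header fields and should not show the copy twice. The Python sketch below is an added example, not code from the RFC: it drops that pseudo-header block from the first text/plain leaf. The function names and the conditions used (hp="cipher" on the payload, hp-legacy-display="1" on the leaf, removal up to and including the first blank line) are this example's reading of the vector; the text/html variant is not handled.

```python
from email import message_from_string

# Constructed from the C.3.12.2 payload above: a subset of its header fields
# and a shortened text/plain part; the text/html and image/png parts are
# left out.
PAYLOAD = """\
MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy-legacy
From: Alice <alice@smime.example>
HP-Outer: Subject: [...]
HP-Outer: From: alice@smime.example
Content-Type: multipart/mixed; boundary="88b"; hp="cipher"

--88b
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="6bd"

--6bd
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: smime-signed-enc-complex-hp-shy-legacy
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:13:02 -0500

This is the
smime-signed-enc-complex-hp-shy-legacy
message.

-- 
Alice
alice@smime.example
--6bd--

--88b--
"""


def first_leaf(part):
    """Descend through first children until a non-multipart part is reached."""
    while part.is_multipart():
        children = part.get_payload()
        if not children:
            return None
        part = children[0]
    return part


def render_text(payload_text):
    """Return the body text of the first leaf, minus any Legacy Display block."""
    msg = message_from_string(payload_text)
    leaf = first_leaf(msg)
    if leaf is None:
        return ""
    body = leaf.get_payload()

    has_legacy_display = (
        msg.get_param("hp") == "cipher"
        and leaf.get_content_type() == "text/plain"
        and leaf.get_param("hp-legacy-display") == "1"
    )
    if not has_legacy_display:
        return body

    lines = body.splitlines(keepends=True)
    for index, line in enumerate(lines):
        if line.strip() == "":
            # Everything before the first blank line is the pseudo-header copy.
            return "".join(lines[index + 1:])
    # Marked as Legacy Display but no blank line: leave the body untouched
    # rather than discarding real content.
    return body


if __name__ == "__main__":
    print(render_text(PAYLOAD))
```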

C.3.13. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_baseline

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 10575 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 6820 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2343 bytes
   ├┬╴multipart/alternative 1138 bytes
   │├─╴text/plain 390 bytes
   │└─╴text/html 485 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-baseline-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:15:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-baseline@example>
References: <smime-signed-enc-complex-hp-baseline@example>

C.3.13.1. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_baseline, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.13.2. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_baseline, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline-reply
Message-ID: <smime-signed-enc-complex-hp-baseline-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:15:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-baseline@example>
References: <smime-signed-enc-complex-hp-baseline@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-baseline-reply@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 12:15:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-complex-hp-baseline@example>
HP-Outer: References: <smime-signed-enc-complex-hp-baseline@example>
Content-Type: multipart/mixed; boundary="8ec"; hp="cipher"

--8ec
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="bce"

--bce
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-signed-enc-complex-hp-baseline-reply
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--bce
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-signed-enc-complex-hp-baseline-reply</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--bce--

--8ec
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--8ec--

C.3.14. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_baseline (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_baseline Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 11205 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 7286 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2668 bytes
   ├┬╴multipart/alternative 1427 bytes
   │├─╴text/plain 482 bytes
   │└─╴text/html 642 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-baseline-lgc-rpl@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:16:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-baseline-legacy@example>
References: <smime-signed-enc-complex-hp-baseline-legacy@example>

C.3.14.1. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.14.2. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline-lgc-rpl
Message-ID: <smime-signed-enc-complex-hp-baseline-lgc-rpl@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:16:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-baseline-legacy@example>
References: <smime-signed-enc-complex-hp-baseline-legacy@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-baseline-lgc-rpl@example>
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 12:16:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-complex-hp-baseline-legacy@example>
HP-Outer: References: <smime-signed-enc-complex-hp-baseline-legacy@example>
Content-Type: multipart/mixed; boundary="bed"; hp="cipher"

--bed
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="828"

--828
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: smime-signed-enc-complex-hp-baseline-lgc-rpl

This is the
smime-signed-enc-complex-hp-baseline-lgc-rpl
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy with a
"Legacy Display" element.

-- 
Alice
alice@smime.example
--828
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"

<html><head><title></title></head><body>
<div>
<pre>
Subject: smime-signed-enc-complex-hp-baseline-lgc-rpl
</pre>
</div><p>This is the
<b>smime-signed-enc-complex-hp-baseline-lgc-rpl</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_baseline` Header Confidentiality Policy with a
"Legacy Display" element.</p>
<p><tt>-- <br>Alice<br>alice@smime.example</tt></p></body></html>
--828--

--bed
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--bed--

C.3.15. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_shy

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 10445 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 6720 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2273 bytes
   ├┬╴multipart/alternative 1118 bytes
   │├─╴text/plain 380 bytes
   │└─╴text/html 475 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-shy-reply@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 17:18:02 +0000
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-shy@example>
References: <smime-signed-enc-complex-hp-shy@example>

C.3.15.1. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_shy, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.15.2. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_shy, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy-reply
Message-ID: <smime-signed-enc-complex-hp-shy-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:18:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-shy@example>
References: <smime-signed-enc-complex-hp-shy@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-shy-reply@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 17:18:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-complex-hp-shy@example>
HP-Outer: References: <smime-signed-enc-complex-hp-shy@example>
Content-Type: multipart/mixed; boundary="230"; hp="cipher"

--230
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="4c8"

--4c8
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-signed-enc-complex-hp-shy-reply
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--4c8
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-signed-enc-complex-hp-shy-reply</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--4c8--

--230
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--230--

C.3.16. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_shy (+ Legacy Display)

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Header Protection scheme from RFC 9788 with the hcp_shy Header Confidentiality Policy with a "Legacy Display" element.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 11530 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 7520 bytes
  ┴ (unwraps to)
  └┬╴multipart/mixed 2834 bytes
   ├┬╴multipart/alternative 1629 bytes
   │├─╴text/plain 580 bytes
   │└─╴text/html 752 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-shy-legacy-reply@example>
From: alice@smime.example
To: bob@smime.example
Date: Sat, 20 Feb 2021 17:19:02 +0000
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-shy-legacy@example>
References: <smime-signed-enc-complex-hp-shy-legacy@example>

C.3.16.1. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

V+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSzsCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIGwDAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBmZnMwHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZIhvcNAQENBQADggEBAHOJojanzqmgaSN3/gqSQ4cbbmdj/R40BEPr+gXT+xiidfZ2iLNwYyTneuK6AChwKfnNvOFb8lV1iffRTF/KtmVEDMR/sYeqAH83KM5p3el2lVh4OHhyI0qNuz5oShNaACSioQ23WxHGVy9vsdVfnbhsplrWg9NQ2WbpCmK+2oMh2oYl0Z/wvXMt9cG6jbMvcdH4z0IOvg6mrYkKTM/RCGnumghxwYToj1OyD5Gs4D2IJCw+fX5ODxh52MbNRYXTus2ZPRPM8JXNQC4GWv4km3M4rKnJDd6hnoQ9rNeozIcBVyybQYjfrgg4DRvw9Ksk22OH4ConlB8f7R7s1LM2cSYxggIAMIIB/AIBATBsMFUxDTALBgNVBAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3MTkwMlowLwYJKoZIhvcNAQkEMSIEIEUN8MCE/gE8VaUWOZYNyiuSDKZahJObCB59LQgqpUl1MA0GCSqGSIb3DQEBAQUABIIBAEk7y6K+3YZB+tri+EVQFLmb1N5KCUsnwbyLwl9bH3bv+8MFEYqYmiATHzimOxdQNBl8c6HR7GqnMQVJIZ+OEYiL1fz/Ej7Up3VQzyR1KvblL4Xt1W7+ITh/6iAx1j1W48US9pMR+05Rz+cfVATn77voVNs3fN0B8EsjPoVM708f/xKD5lwHv/72Mg1fUTs3YMaqabplXdABkdp1lQhZ6za+N3/kyEYSmxz0Owd4JRKuAIdbzdFIC57BIGFICQX0Nr1c3aZ/wHvNvH2xOAp1cQ7M6Nu3KImZs86OBQmc0Kdk8AzE4s0o8mtf3uhU+eJ/23FWjMYpGdgHaUu90GMnKnM=
C.3.16.2. S/MIME Signed-and-Encrypted Reply over a Complex Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy-legacy-reply
Message-ID: <smime-signed-enc-complex-hp-shy-legacy-reply@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:19:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-shy-legacy@example>
References: <smime-signed-enc-complex-hp-shy-legacy@example>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-shy-legacy-reply@example>
HP-Outer: From: alice@smime.example
HP-Outer: To: bob@smime.example
HP-Outer: Date: Sat, 20 Feb 2021 17:19:02 +0000
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To: <smime-signed-enc-complex-hp-shy-legacy@example>
HP-Outer: References: <smime-signed-enc-complex-hp-shy-legacy@example>
Content-Type: multipart/mixed; boundary="242"; hp="cipher"

--242
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="da7"

--da7
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: smime-signed-enc-complex-hp-shy-legacy-reply
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:19:02 -0500

This is the
smime-signed-enc-complex-hp-shy-legacy-reply
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy with a "Legacy
Display" element.

-- 
Alice
alice@smime.example
--da7
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"

<html><head><title></title></head><body>
<div><pre>
Subject: smime-signed-enc-complex-hp-shy-legacy-reply
From: Alice &lt;alice@smime.example&gt;
To: Bob &lt;bob@smime.example&gt;
Date: Sat, 20 Feb 2021 12:19:02 -0500
</pre>
</div><p>This is the
<b>smime-signed-enc-complex-hp-shy-legacy-reply</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Header Protection scheme from RFC 9788
with the `hcp_shy` Header Confidentiality Policy with a "Legacy
Display" element.</p>
<p><tt>-- <br>Alice<br>alice@smime.example</tt></p></body></html>
--da7--

--242
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--242--

C.3.17. S/MIME Signed-and-Encrypted over a Complex Message, Legacy RFC 8551 Header Protection with hcp_baseline

This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the legacy RFC 8551 Header Protection (RFC8551HP) scheme with the hcp_baseline Header Confidentiality Policy.

It has the following structure:

└┬╴application/pkcs7-mime [smime.p7m] 9580 bytes
 ╧ (decrypts to)
 └┬╴application/pkcs7-mime [smime.p7m] 6082 bytes
  ┴ (unwraps to)
  └┬╴message/rfc822 1876 bytes
   └┬╴multipart/mixed 1828 bytes
    ├┬╴multipart/alternative 1168 bytes
    │├─╴text/plain 393 bytes
    │└─╴text/html 491 bytes
    └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID: <smime-enc-signed-complex-rfc8551hp-baseline@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:28:02 -0500
User-Agent: Sample MUA Version 1.

C.3.17.1. S/MIME Signed-and-Encrypted over a Complex Message, Legacy RFC 8551 Header Protection with hcp_baseline, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.17.2. S/MIME Signed-and-Encrypted over a Complex Message, Legacy RFC 8551 Header Protection with hcp_baseline, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="144"
Subject: smime-enc-signed-complex-rfc8551hp-baseline
Message-ID: <smime-enc-signed-complex-rfc8551hp-baseline@example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:28:02 -0500
User-Agent: Sample MUA Version 1.0

--144
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="579"

--579
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-enc-signed-complex-rfc8551hp-baseline
message.

This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the legacy RFC 8551 Header Protection
(RFC8551HP) scheme with the `hcp_baseline` Header
Confidentiality Policy.

-- 
Alice
alice@smime.example
--579
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<html><head><title></title></head><body>
<p>This is the
<b>smime-enc-signed-complex-rfc8551hp-baseline</b>
message.</p>
<p>This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the legacy RFC 8551 Header Protection
(RFC8551HP) scheme with the `hcp_baseline` Header
Confidentiality Policy.</p>
<p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
--579--

--144
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbAMAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZsgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/ulivdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--144--

Appendix D. Composition Examples

This section offers step-by-step examples of message composition.

D.1. New Message Composition

A typical MUA composition interface offers the user a place to indicate the message recipients, subject, and content of the message. Consider a composition window filled out by the user like so:

Composing New Message                                    Send
To: Alice <alice@example.net>
Subject: Handling the Jones contract

Please review and approve or decline by Thursday, it's critical!

Thanks,
Bob

--
Bob Gonzalez
ACME, Inc.

Figure 1: Example Message Composition Interface

When Bob clicks "Send", his MUA generates values for the Message-ID, From, and Date Header Fields and converts the message content into the appropriate format.

D.1.1. Unprotected Message

The resulting message would look something like this if it was sent without cryptographic protections:

Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net>
To: Alice <alice@example.net>
Subject: Handling the Jones contract
Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0

Please review and approve or decline by Thursday, it's critical!

Thanks,
Bob

-- 
Bob Gonzalez
ACME, Inc.

D.1.2. Encrypted with hcp_baseline and Legacy Display

Now consider the message to be generated if it is to be cryptographically signed and encrypted, using HCP hcp_baseline, and the legacy variable is set.

For each Header Field, Bob's MUA passes its name and value through hcp_baseline. This returns the same value for every Header Field, except that:

hcp_baseline("Subject", "Handling the Jones contract") yields "[...]".

D.1.2.1. Cryptographic Payload

The Cryptographic Payload that will be signed and then encrypted is very similar to the unprotected message in Appendix D.1.1. Note the addition of:

  • the hp="cipher" parameter for the Content-Type

  • the appropriate HP-Outer Header Field for Subject

  • the hp-legacy-display="1" parameter for the Content-Type

  • the Legacy Display Element (the simple pseudo-header and its trailing newline) in the Main Body Part

Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net>
To: Alice <alice@example.net>
Subject: Handling the Jones contract
Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; hp="cipher"
MIME-Version: 1.0
HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
HP-Outer: From: Bob <bob@example.net>
HP-Outer: To: Alice <alice@example.net>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <20230111T210843Z.1234@lhp.example>

Subject: Handling the Jones contract

Please review and approve or decline by Thursday, it's critical!

Thanks,
Bob

-- 
Bob Gonzalez
ACME, Inc.

D.1.2.2. Outer Header Section

The Cryptographic Payload from Appendix D.1.2.1 is then wrapped in the appropriate Cryptographic Layers. For this example using S/MIME, it is wrapped in an application/pkcs7-mime; smime-type="signed-data" layer, which is in turn wrapped in an application/pkcs7-mime; smime-type="enveloped-data" layer.

Then, an Outer Header Section is applied to the outer MIME object, which looks like this:

Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net>
To: Alice <alice@example.net>
Subject: [...]
Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
MIME-Version: 1.0

Note that the Subject Header Field has been obscured appropriately by hcp_baseline. The output of the CMS enveloping operation is base64 encoded and forms the Body of the message.
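The composition steps of Appendix D.1.2 can be traced in a short Python sketch. This is an added example, not code from RFC 9788: compose(), is_structural() and USER_FACING are hypothetical names, USER_FACING is an assumed subset of the user-facing Header Fields, and the CMS signing and encryption steps are left out.

```python
# Added illustration of Appendix D.1.2 (not code from RFC 9788).
# compose(), is_structural() and USER_FACING are hypothetical names.

USER_FACING = {"subject", "from", "to", "cc", "date"}  # assumed subset


def hcp_baseline(name, value):
    """Obscure Subject, drop Comments and Keywords, pass the rest through."""
    lname = name.lower()
    if lname == "subject":
        return "[...]"
    if lname in ("comments", "keywords"):
        return None
    return value


def is_structural(name):
    """Structural fields describe the MIME part itself and get no HP-Outer."""
    lname = name.lower()
    return lname == "mime-version" or lname.startswith("content-")


def compose(headers, body, hcp, legacy=True):
    """Return (payload_text, outer_headers) for a text/plain message.

    headers is the ordered list of (name, value) pairs the composer intends
    and is assumed to contain a Content-Type field.  The payload would next
    be signed and then encrypted, which is not done here.
    """
    outer, hp_outer, legacy_lines = [], [], []
    for name, value in headers:
        if is_structural(name):
            continue
        visible = hcp(name, value)  # what is exposed outside the encryption
        if visible is not None:
            outer.append((name, visible))
            hp_outer.append(("HP-Outer", f"{name}: {visible}"))
        if legacy and visible != value and name.lower() in USER_FACING:
            legacy_lines.append(f"{name}: {value}")

    inner = []
    for name, value in headers:
        if name.lower() == "content-type":
            if legacy_lines:
                value += '; hp-legacy-display="1"'
            value += '; hp="cipher"'
        inner.append((name, value))
    inner += hp_outer

    if legacy_lines:
        # Legacy Display Element: pseudo-header plus one blank line.
        body = "\n".join(legacy_lines) + "\n\n" + body
    payload = "".join(f"{n}: {v}\n" for n, v in inner) + "\n" + body

    outer += [
        ("Content-Transfer-Encoding", "base64"),
        ("Content-Type", 'application/pkcs7-mime; name="smime.p7m"; '
                         'smime-type="enveloped-data"'),
        ("MIME-Version", "1.0"),
    ]
    return payload, outer


# Bob's draft from Appendix D.1.1.
BOB_HEADERS = [
    ("Date", "Wed, 11 Jan 2023 16:08:43 -0500"),
    ("From", "Bob <bob@example.net>"),
    ("To", "Alice <alice@example.net>"),
    ("Subject", "Handling the Jones contract"),
    ("Message-ID", "<20230111T210843Z.1234@lhp.example>"),
    ("Content-Type", 'text/plain; charset="us-ascii"'),
    ("MIME-Version", "1.0"),
]
BOB_BODY = (
    "Please review and approve or decline by Thursday, it's critical!\n\n"
    "Thanks,\nBob\n\n-- \nBob Gonzalez\nACME, Inc.\n"
)

if __name__ == "__main__":
    payload, outer = compose(BOB_HEADERS, BOB_BODY, hcp_baseline)
    print(payload)
    print("\n".join(f"{n}: {v}" for n, v in outer))
```

Swapping in a different HCP function changes only which HP-Outer values and Legacy Display lines are produced; the protected copies inside the payload always carry the composer's real values.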

D.2. Composing a Reply

Next, we consider a typical MUA reply interface, where we see Alice replying to Bob's message from Appendix D.1.

When Alice clicks "Reply" to Bob's signed-and-encrypted message with Header Protection, she might see something like this:

Replying to Bob ("Handling the Jones Contract")          Send
To: Bob <bob@example.net>
Subject: Re: Handling the Jones contract

On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

> Please review and approve or decline by Thursday,
> it's critical!
>
> Thanks,
> Bob
>
> --
> Bob Gonzalez
> ACME, Inc.

--
Alice Jenkins
ACME, Inc.

Figure 2: Example Message Reply Interface (Unedited)

Note that because Alice's MUA is aware of Header Protection, it knows what the correct Subject Header Field is, even though it was obscured. It also knows to avoid including the Legacy Display Element in the quoted/attributed text that it includes in the draft reply.

Once Alice has edited the reply message, it might look something like this:

Replying to Bob ("Handling the Jones Contract")          Send
To: Bob <bob@example.net>
Subject: Re: Handling the Jones contract

On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

> Please review and approve or decline by Thursday,
> it's critical!

I'll get right on it, Bob!

Regards,
Alice

--
Alice Jenkins
ACME, Inc.

Figure 3: Example Message Reply Interface (Edited)

When Alice clicks "Send", the MUA generates values for the Message-ID, From, and Date Header Fields, populates the In-Reply-To and References Header Fields, and also converts the reply content into the appropriate format.

D.2.1. Unprotected Message

The resulting message would look something like this if it were to be sent without any cryptographic protections:

Date: Wed, 11 Jan 2023 16:48:22 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Subject: Re: Handling the Jones contract
Message-ID: <20230111T214822Z.5678@lhp.example>
In-Reply-To: <20230111T210843Z.1234@lhp.example>
References: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0

On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

> Please review and approve or decline by Thursday,
> it's critical!

I'll get right on it, Bob!

Regards,
Alice

-- 
Alice Jenkins
ACME, Inc.

Of course, this would leak not only the contents of Alice's message but also the contents of Bob's initial message, as well as the Subject Header Field! So Alice's MUA won't do that; it is going to create a signed-and-encrypted message to submit to the network.

D.2.2. Encrypted with hcp_no_confidentiality and Legacy Display

This example assumes that Alice's MUA uses hcp_no_confidentiality, not hcp_baseline. That is, by default, it does not obscure or remove any Header Fields, even when encrypting.

However, it follows the guidance in Section 6.1 and will make use of the HP-Outer field in the Cryptographic Payload of Bob's original message (Appendix D.1.2.1) to determine what to obscure.

When crafting the Cryptographic Payload, its baseline HCP (hcp_no_confidentiality) leaves each field untouched. To uphold the confidentiality of the composer's values when replying, the MUA executes the following steps (for brevity, only Subject and Message-ID/In-Reply-To are shown):

  • Extract the referenced Header Fields (see Section 4.2):

    • refouter contains:

      • Date: Wed, 11 Jan 2023 16:08:43 -0500

      • From: Bob <bob@example.net>

      • To: Alice <alice@example.net>

      • Subject: [...]

      • Message-ID: <20230111T210843Z.1234@lhp.example>

    • refprotected contains:

      • Date: Wed, 11 Jan 2023 16:08:43 -0500

      • From: Bob <bob@example.net>

      • To: Alice <alice@example.net>

      • Subject: Handling the Jones contract

      • Message-ID: <20230111T210843Z.1234@lhp.example>

  • Apply the response function:

    • respond(refouter) contains:

      • From: Alice <alice@example.net>

      • To: Bob <bob@example.net>

      • Subject: Re: [...]

      • In-Reply-To: <20230111T210843Z.1234@lhp.example>

      • References: <20230111T210843Z.1234@lhp.example>

    • respond(refprotected) contains:

      • From: Alice <alice@example.net>

      • To: Bob <bob@example.net>

      • Subject: Re: Handling the Jones contract

      • In-Reply-To: <20230111T210843Z.1234@lhp.example>

      • References: <20230111T210843Z.1234@lhp.example>

  • Compute the ephemeral response_hcp (see Section 6.1):

    • Note that all Header Fields except Subject are the same.

    • confmap contains only ("Subject", "Re: Handling the Jones contract") -> "Re: [...]"

Thus, all Header Fields that were signed are passed through untouched. The reply's Subject is obscured as Subject: Re: [...] if and only if the user does not edit the Subject line from that initially proposed by the MUA's reply interface. If the user edits the Subject line, e.g., to Subject: Re: Handling the Jones contract ASAP, the response_hcp will not obscure it and instead pass it through in the clear.

For stronger header confidentiality, the replying MUA should use a reasonable HCP (not hcp_no_confidentiality). Also recall that the local HCP is applied first and that response_hcp is only applied to what is left unchanged by the local HCP.
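The steps above can be followed in code with the values from this appendix. This is an added example, not code from RFC 9788: respond() is a toy reply function that covers only the fields shown here, and build_confmap(), make_response_hcp() and effective_hcp() are hypothetical names for a simplified reading of the Section 6.1 procedure.

```python
# Added illustration of the response_hcp walk-through in Appendix D.2.2.
# All function names below are hypothetical; respond() is a toy.

REFOUTER = [  # Outer Header Section of Bob's message (Appendix D.1.2.2)
    ("Date", "Wed, 11 Jan 2023 16:08:43 -0500"),
    ("From", "Bob <bob@example.net>"),
    ("To", "Alice <alice@example.net>"),
    ("Subject", "[...]"),
    ("Message-ID", "<20230111T210843Z.1234@lhp.example>"),
]
REFPROTECTED = [  # protected Header Fields of the same message
    ("Date", "Wed, 11 Jan 2023 16:08:43 -0500"),
    ("From", "Bob <bob@example.net>"),
    ("To", "Alice <alice@example.net>"),
    ("Subject", "Handling the Jones contract"),
    ("Message-ID", "<20230111T210843Z.1234@lhp.example>"),
]


def respond(ref):
    """Header Fields a reply interface would propose for a reply to ref."""
    fields = {n.lower(): v for n, v in ref}
    reply = [("From", fields["to"]), ("To", fields["from"])]
    subject = fields.get("subject", "")
    if not subject.lower().startswith("re:"):
        subject = "Re: " + subject
    reply.append(("Subject", subject))
    msgid = fields.get("message-id")
    if msgid:
        reply.append(("In-Reply-To", msgid))
        reply.append(("References", msgid))
    return reply


def build_confmap(refouter, refprotected):
    """Map each proposed (name, value) that the original sender hid to the
    value a reply to the outer headers alone would have produced."""
    outer = {}
    for name, value in respond(refouter):
        outer.setdefault(name.lower(), []).append(value)
    confmap = {}
    for name, value in respond(refprotected):
        candidates = outer.get(name.lower(), [])
        if value in candidates:
            continue  # identical on the wire: nothing was confidential
        # None means the field was absent outside and should be removed.
        confmap[(name.lower(), value)] = candidates[0] if candidates else None
    return confmap


def make_response_hcp(confmap):
    def response_hcp(name, value):
        # Only an exact, unedited value is obscured; edits pass through.
        return confmap.get((name.lower(), value), value)
    return response_hcp


def hcp_no_confidentiality(name, value):
    return value


def effective_hcp(local_hcp, response_hcp):
    """Local HCP first; response_hcp only for what it left unchanged."""
    def hcp(name, value):
        out = local_hcp(name, value)
        return response_hcp(name, value) if out == value else out
    return hcp


if __name__ == "__main__":
    confmap = build_confmap(REFOUTER, REFPROTECTED)
    hcp = effective_hcp(hcp_no_confidentiality, make_response_hcp(confmap))
    for subject in ("Re: Handling the Jones contract",
                    "Re: Handling the Jones contract ASAP"):
        print(repr(subject), "->", repr(hcp("Subject", subject)))
```

The second Subject in the demo run is the edited one from the text: because it no longer matches the confmap key exactly, it leaves the MUA in the clear unless the local HCP obscures it.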

D.2.2.1. Cryptographic Payload

Consequently, the Cryptographic Payload for Alice's reply looks like this:

Date: Wed, 11 Jan 2023 16:48:22 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Subject: Re: Handling the Jones contract
Message-ID: <20230111T214822Z.5678@lhp.example>
In-Reply-To: <20230111T210843Z.1234@lhp.example>
References: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; hp="cipher"
MIME-Version: 1.0
HP-Outer: Date: Wed, 11 Jan 2023 16:48:22 -0500
HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.net>
HP-Outer: Subject: Re: [...]
HP-Outer: Message-ID: <20230111T214822Z.5678@lhp.example>
HP-Outer: In-Reply-To: <20230111T210843Z.1234@lhp.example>
HP-Outer: References: <20230111T210843Z.1234@lhp.example>

Subject: Re: Handling the Jones contract

On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

> Please review and approve or decline by Thursday,
> it's critical!

I'll get right on it, Bob!

Regards,
Alice

-- 
Alice Jenkins
ACME, Inc.

Note the following features:

  • the hp="cipher" parameter to Content-Type

  • the appropriate HP-Outer Header Field for Subject

  • the hp-legacy-display="1" parameter for the Content-Type

  • the Legacy Display Element (the simple pseudo-header and its trailing newline) in the Main Body Part

D.2.2.2. Outer Header Section

The Cryptographic Payload from Appendix D.2.2.1 is then wrapped in the appropriate Cryptographic Layers. For this example using S/MIME, it is wrapped in an application/pkcs7-mime; smime-type="signed-data" layer, which is in turn wrapped in an application/pkcs7-mime; smime-type="enveloped-data" layer.

Then, an Outer Header Section is applied to the outer MIME object, which looks like this:

Date: Wed, 11 Jan 2023 16:48:22 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Subject: Re: [...]
Message-ID: <20230111T214822Z.5678@lhp.example>
In-Reply-To: <20230111T210843Z.1234@lhp.example>
References: <20230111T210843Z.1234@lhp.example>
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
MIME-Version: 1.0

Note that the Subject Header Field has been obscured appropriately even though hcp_no_confidentiality would not have touched it by default. The output of the CMS enveloping operation is base64 encoded and forms the Body of the message.

Appendix E. Rendering Examples

This section offers example Cryptographic Payloads (the content within the Cryptographic Envelope) that contain Legacy Display Elements.

E.1. Example text/plain Cryptographic Payload with Legacy Display Elements

Here is a simple one-part Cryptographic Payload (Header Section and Body) of a message that includes Legacy Display Elements:

Date: Fri, 21 Jan 2022 20:40:48 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Subject: Dinner plans
Message-ID: <text-plain-legacy-display@lhp.example>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; hp="cipher"
HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.net>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <text-plain-legacy-display@lhp.example>

Subject: Dinner plans

Let's meet at Rama's Roti Shop at 8pm and go to the park
from there.

A compatible MUA will recognize the hp-legacy-display="1" parameter and render the Body of the message as:

Let's meet at Rama's Roti Shop at 8pm and go to the park
from there.

A legacy decryption-capable MUA that is unaware of this mechanism will ignore the hp-legacy-display="1" parameter and instead render the Body including the Legacy Display Elements:

Subject: Dinner plans

Let's meet at Rama's Roti Shop at 8pm and go to the park
from there.

E.2. Example text/html Cryptographic Payload with Legacy Display Elements

Here is a modern one-part Cryptographic Payload (Header Section and Body) of a message that includes Legacy Display Elements:

Date: Fri, 21 Jan 2022 20:40:48 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Subject: Dinner plans
Message-ID: <text-html-legacy-display@lhp.example>
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"; hp="cipher"
HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.net>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <text-html-legacy-display@lhp.example>

<html><head><title></title></head><body>
<div><pre>Subject: Dinner plans</pre></div>
<p>Let's meet at Rama's Roti Shop at 8pm and go to the park
from there.</p>
</body></html>

A compatible MUA will recognize the hp-legacy-display="1" parameter and mask out the Legacy Display div, rendering the Body of the message as a simple paragraph:

Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

A legacy decryption-capable MUA that is unaware of this mechanism will ignore the hp-legacy-display="1" parameter and instead render the Body including the Legacy Display Elements:

Subject: Dinner plans

Let's meet at Rama's Roti Shop at 8pm and go to the park from there.
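The difference between the two renderings in Appendix E.1 comes down to one parameter check. The following added example (not code from RFC 9788) parses the E.1 payload with Python's standard email package; render_body() and strip_legacy_display() are hypothetical names, only the text/plain case is covered, and leaving the body untouched when no blank line is found is a choice made for this sketch.

```python
# Added illustration of the text/plain rendering in Appendix E.1.
from email import message_from_string
from email.policy import default

# The Cryptographic Payload of Appendix E.1, as seen after decryption.
PAYLOAD = """\
Date: Fri, 21 Jan 2022 20:40:48 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Subject: Dinner plans
Message-ID: <text-plain-legacy-display@lhp.example>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; hp="cipher"
HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.net>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <text-plain-legacy-display@lhp.example>

Subject: Dinner plans

Let's meet at Rama's Roti Shop at 8pm and go to the park
from there.
"""


def strip_legacy_display(text):
    """Drop the pseudo-header: every line up to and including the first
    entirely blank line."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip() == "":
            return "".join(lines[i + 1:])
    return text  # no blank line: keep everything rather than lose content


def render_body(payload_text, hp_aware=True):
    """Return the text an MUA would show as the message Body.

    hp_aware=False models a legacy decryption-capable MUA, which ignores
    the hp-legacy-display parameter.
    """
    msg = message_from_string(payload_text, policy=default)
    body = msg.get_content()
    flagged = msg.get_param("hp-legacy-display") == "1"
    if hp_aware and flagged and msg.get_content_type() == "text/plain":
        return strip_legacy_display(body)
    return body


if __name__ == "__main__":
    print("compatible MUA:\n" + render_body(PAYLOAD))
    print("legacy MUA:\n" + render_body(PAYLOAD, hp_aware=False))
```

A body that merely begins with a line such as "Subject: ..." is left intact when the parameter is absent, so the check is on the Content-Type parameter and never on the body text.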

Appendix F. Other Header Protection Schemes

Other Header Protection schemes have been proposed in the past. However, those typically have drawbacks such as sparse implementation, known problems with legacy interoperability (in particular with rendering), lack of clear signaling of composer intent, and/or incomplete cryptographic protections. This section lists such schemes known at the time of the publication of this document out of historical interest.

F.1. Original RFC 8551 Header Protection

S/MIME [RFC8551] (as well as its predecessors [RFC5751] and [RFC3851]) defined a form of cryptographic Header Protection that has never reached wide adoption and has significant drawbacks compared to the mechanism in this document. See Section 1.1.1 for more discussion of the differences and Section 4.10 for guidance on how to handle such a message.

F.2. Pretty Easy Privacy (pEp)

The pretty Easy privacy (pEp) [PEP-GENERAL] project specifies two different MIME schemes that include Header Protection for Signed-and-Encrypted email messages in [PEP-EMAIL]: One scheme -- referred as pEp Email Format 1 (PEF-1) -- is generated towards MUAs not known to be pEp-capable, while the other scheme -- referred as PEF-2 -- is used between MUAs discovered to be compatible with pEp. Signed-only messages are not recommended in pEp.

Although the PEF-2 scheme is only meant to be used between MUAs compatible with PEF-2, a PEF-2 message may end up at an MUA unaware of PEF-2 (in which case, it typically renders badly). This is due to signaling mechanism limitations.

As the PEF-2 scheme is an enhanced variant of the RFC8551HP scheme (with an additional MIME Layer), it is similar to the RFC8551HP scheme (see Section 4.10). The basic PEF-2 MIME structure looks as follows:

A └┬╴multipart/encrypted [Outer Message]
B  ├─╴application/pgp-encrypted
C  └┬╴application/octet-stream inline [Cryptographic Payload]
D   ╧ (decrypts to)
E   └┬╴multipart/mixed
F    ├─╴text/plain
G    ├┬╴message/rfc822
H    │└─╴[Inner Message]
I    └─╴application/pgp-keys

The MIME structure at part H contains the Inner Message to be rendered to the user.

It is possible for a normal MUA to accidentally produce a message that happens to have the same MIME structure as used for PEF-2 messages. Therefore, a PEF-2 message cannot be identified by the MIME structure alone.

The lack of a mechanism comparable to HP-Outer (see Section 2.2) makes it impossible for the recipient of a PEF-2 message to safely determine which Header Fields are confidential or not while forwarding or replying to a message (see Section 6).

Note: As this document is not normative for PEF-2 messages, it does not provide any guidance for handling them. Please see [PEP-EMAIL] for more guidance.

F.3. "draft-autocrypt" Protected Headers

[PROTECTED-HEADERS] describes a scheme similar to the Header Protection scheme specified in this document. However, instead of adding Legacy Display Elements to existing MIME parts (see Section 5.2.2), [PROTECTED-HEADERS] suggests injecting a new MIME element "Legacy Display Part", thus modifying the MIME structure of the Cryptographic Payload. These modified Cryptographic Payloads cause significant rendering problems on some common Legacy MUAs.

The lack of a mechanism comparable to hp="cipher" and hp="clear" (see Section 2.1.1) means the recipient of an encrypted message as described in [PROTECTED-HEADERS] cannot be cryptographically certain whether the composer intended for the message to be confidential or not. The lack of a mechanism comparable to HP-Outer (see Section 2.2) makes it impossible for the recipient of an encrypted message as described in [PROTECTED-HEADERS] to safely determine which Header Fields are confidential or not while forwarding or replying to a message (see Section 6).

Acknowledgements

Alexander Krotov identified the risk of From address spoofing (see Section 10.1) and helped provide guidance to MUAs.

Thore Göbel identified significant gaps in earlier draft versions of this document and proposed concrete, substantial improvements. Thanks to his contributions, the document is clearer, and the protocols described herein are more useful.

Additionally, the authors would like to thank the following people who have provided helpful comments and suggestions for this document: Berna Alp, Bernhard E. Reiter, Bron Gondwana, Carl Wallace, Claudio Luck, Daniel Huigens, David Wilson, Éric Vyncke, Hernani Marques, juga, Kelly Bristol, Krista Bennett, Lars Rohwedder, Michael StJohns, Nicolas Lidzborski, Orie Steele, Paul Wouters, Peter Yee, Phillip Tao, Robert Williams, Rob Sayre, Rohan Mahy, Roman Danyliw, Russ Housley, Sofia Balicka, Steve Kille, Volker Birk, Warren Kumari, and Wei Chuang.

Authors' Addresses

Daniel Kahn Gillmor
American Civil Liberties Union
125 Broad St.
New York, NY 10004
United States of America
Email: dkg@fifthhorseman.net

Bernie Hoeneisen
pEp Project
Oberer Graben 4
CH-8400 Winterthur
Switzerland
Email: bernie@ietf.hoeneisen.ch
URI: https://pep-project.org/

Alexey Melnikov
Isode Ltd
14 Castle Mews
Hampton, Middlesex
TW12 2NP
United Kingdom
Email: alexey.melnikov@isode.com
