Cryptographic Message Syntax Services

Cryptographically sign and encrypt S/MIME messages.


When you want to exchange data securely using the Multipurpose Internet Mail Extensions (MIME) protocol, you use the version of the protocol known as S/MIME defined in RFC 3851. This allows you to, among other things, ensure data integrity through digital signatures and data confidentiality through encryption. S/MIME in turn relies on the Cryptographic Message Syntax (CMS) protocol defined in RFC 3852 to carry out these operations.

Cryptographic message syntax services provides encoder objects that perform encryption using the CMS protocol's enveloped-data content type and sign using the signed-data content type. When a message is both signed and encrypted, the enveloped data content contains the signed data content. That is, the message is first signed and then the signed content is encrypted.


The Encoder

class CMSEncoder

Opaque reference to a CMS encoder object.

func CMSEncoderGetTypeID() -> CFTypeID

Returns the type identifier for the CMSEncoder opaque type.

Message Creation

func CMSEncoderAddRecipients(CMSEncoder, CFTypeRef) -> OSStatus

Specifies a message is to be encrypted and specifies the recipients of the message.

func CMSEncoderSetHasDetachedContent(CMSEncoder, Bool) -> OSStatus

Specifies whether the signed data is to be separate from the message.

func CMSEncoderSetEncapsulatedContentTypeOID(CMSEncoder, CFTypeRef) -> OSStatus

Specifies an object identifier for the encapsulated data of a signed message.

struct CMSSignedAttributes

Optional attributes you can add to a signed message.

func CMSEncoderSetCertificateChainMode(CMSEncoder, CMSCertificateChainMode) -> OSStatus

Specifies which certificates to include in a signed CMS message.

enum CMSCertificateChainMode

Constants that can be set to specify what certificates to include in a signed message.

func CMSEncoderSetSignerAlgorithm(CMSEncoder, CFString) -> OSStatus

Sets the digest algorithm to use for the signer.

Message Characteristics

func CMSEncoderCopySigners(CMSEncoder, UnsafeMutablePointer<CFArray?>) -> OSStatus

Obtains the array of signers specified with the CMSEncoderAddSigners function.

func CMSEncoderCopyRecipients(CMSEncoder, UnsafeMutablePointer<CFArray?>) -> OSStatus

Obtains the array of recipients specified with the CMSEncoderAddRecipients function.

func CMSEncoderCopyEncapsulatedContentType(CMSEncoder, UnsafeMutablePointer<CFData?>) -> OSStatus

Obtains the object identifier for the encapsulated data of a signed message.

func CMSEncoderCopySupportingCerts(CMSEncoder, UnsafeMutablePointer<CFArray?>) -> OSStatus

Obtains the certificates added to a message with CMSEncoderAddSupportingCerts.

func CMSEncoderGetCertificateChainMode(CMSEncoder, UnsafeMutablePointer<CMSCertificateChainMode>) -> OSStatus

Obtains a constant that indicates which certificates are to be included in a signed CMS message.

The Decoder

class CMSDecoder

An opaque reference to a CMS decoder object.

func CMSDecoderGetTypeID() -> CFTypeID

Returns the type identifier for the CMSDecoder opaque type.


func CMSDecoderUpdateMessage(CMSDecoder, UnsafeRawPointer, Int) -> OSStatus

Feeds raw bytes of the message to be decoded into the decoder.

func CMSDecoderFinalizeMessage(CMSDecoder) -> OSStatus

Indicates that there is no more data to decode.

func CMSDecoderSetDetachedContent(CMSDecoder, CFData) -> OSStatus

Specifies the message’s detached content, if any.

func CMSDecoderCopyDetachedContent(CMSDecoder, UnsafeMutablePointer<CFData?>) -> OSStatus

Obtains the detached content specified with the CMSDecoderSetDetachedContent function.

Signature Verification

func CMSDecoderSetSearchKeychain(CMSDecoder, CFTypeRef) -> OSStatus

Specifies the keychains to search for intermediate certificates to be used in verifying a signed message's signer certificates.

func CMSDecoderCopySignerEmailAddress(CMSDecoder, Int, UnsafeMutablePointer<CFString?>) -> OSStatus

Obtains the email address of the specified signer of a CMS message.

func CMSDecoderCopySignerCert(CMSDecoder, Int, UnsafeMutablePointer<SecCertificate?>) -> OSStatus

Obtains the certificate of the specified signer of a CMS message.

enum CMSSignerStatus

The constants that indicate the status of the signature and signer information in a signed message.

See Also


Complying with Encryption Export Regulations

Declare the use of encryption in your app to streamline the app submission process.

Certificate, Key, and Trust Services

Establish trust using certificates and cryptographic keys.

Randomization Services

Generate cryptographically secure random numbers.

Security Transforms

Perform cryptographic functions like encoding, encryption, signing, and signature verification.


Encode and decode Distinguished Encoding Rules (DER) and Basic Encoding Rules (BER) data streams.