I've got a .p7m file (identified by the UNIX file command as DER Encoded PKCS#7 Signed Data), and I would like to extract unwrap its contents.
I don't have the signing (public) key, since I don't need to verify its signature: I just need to unwrap it.
How can I achieve that, preferably with a command-line tool like OpenSSL?
The OpenSSL S/MIME command can extract the contents of a .p7m CAdES file.
If your signed file is named MyDocument.pdf.p7m, to extract its contents as MyDocument.pdf, run:
openssl smime -verify -noverify -binary -in MyDocument.pdf.p7m -inform DER -out MyDocument.pdf
Each of the given options is needed for the following reasons:
-verify to extract the signed data;-noverify instructs -verify to only extract the contents, skipping the signature verification; without it, the command would fail and print: Verification failure;-binary is required if the contained document is not a plain text file, otherwise the output may be corrupted;-inform DER tells the tool about the input file format; otherwise, the command fails with: Error reading S/MIME message;and, finally:
-in and -out specify respectively the input .p7m file (which must exist) and the output contents file (which will be created).Update
A more suitable command is OpenSSL CMS, specifically designed for CAdES.
It supports the same options:
openssl cms -verify -noverify -binary -in MyDocument.pdf.p7m -inform DER -out MyDocument.pdf
If you’re on Windows and prefer a script, I’ve built P7M Fast Extractor, a PowerShell script to automate batch extraction of .p7m files: https://github.com/marco-zorzi/p7m-fast-extractor-powershell
This script leverages .NET’s System.Security assemblies for speedy, automated decoding of signed and encrypted files.
Maybe, you have to allow script execution in PowerShell for the current session (no permanent policy change):
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Then run the script in the same PowerShell session:
.\extract_content_from_p7m_file.ps1 "C:\Path\P7M_Files" "C:\Path\Extracted_Content"
