Enrico Rossi

View p7m file with openssl

How to view the content of a .p7m file

Normally a .p7m file is what in openssl terms is a DER file 1 (note: it work also with cms command).

openssl smime -verify -in smime.p7m -inform der -noverify -signer cert.pem -out textdata


  • -verify to tell openssl that you will feed a signed mail message on input and outputs the signed data.
  • -noverify do not verify the signers certificate of a signed message.
  • -signer output the signer cert to the cert.pem file.

and textdata is what you are looking for. If the embedded file is a pdf for example you can call it textdata.pdf (if your O.S. is sensible to extensions).

or in al longer way 2:

openssl asn1parse -in smime.p7m -inform der -offset XX -length YYYY | tail --quiet --bytes=+61 | xxd -r -p >out.bin


openssl asn1parse -in smime.p7m -inform der

dump the content of the p7m file structure to search for the OCTECT STRING [HEX DUMP] sequence, that is the signed content (encrypted or not) we want to extract. XX and YYYY are the offset and length of the sequence. You have to grab the EOF at the end meaning increment length by 5.

Try to isolate that sequence:

openssl asn1parse -in smime.p7m -inform der -offset XX -length YYYY -dump

If length is wrong you have an error. Try to guess it with:

openssl asn1parse -in smime.p7m -inform der -offset XX

and see where the next sequence starts. That’s the length.

Save the content in HEX format:

openssl asn1parse -in smime.p7m -inform der -offset XX -length YYYY >out.hex

Remove the header that openssl left, ex. using an editor remove everything to [HEX DUMP]:

cat out.hex | tail --quiet --bytes=+61

finally convert the hex back to binary with:

cat out.hex | tail --quiet --bytes=+61 | xxd -r -p >out.bin

Note: This has been tested only once with a pdf file. Different encoding probably need some adjustment.