Encryption::RsaDecryptAndVerify
Description

Decrypt and verify an enveloped CMS/PKCS #7 message.

This plugin uses the decryption routines in Bouncy Castle.

Note:
If you get a "Bad Key" error during decryption, the most likely cause is that the private key in the PKCS#12 (.pfx) file does not have its KeySpec set to AT_KEYEXCHANGE (it is typically AT_SIGNATURE instead). A legacy CSP key marked AT_SIGNATURE can only be used for signing, not for RSA decryption, so the KeySpec must be AT_KEYEXCHANGE for the .pfx file to be usable here. The certutil.exe program can be used to change the KeySpec:

- Dump the .pfx file to see what the KeySpec is currently set to (certutil prompts for the file's password):
certutil -dump -v filename.pfx

- Import the certificate and its private key into the Current User "My" (Personal) store, forcing the KeySpec to AT_KEYEXCHANGE:
certutil -user -importPFX filename.pfx AT_KEYEXCHANGE

Once the certificate has been imported into the Current User "My" store, export it again, together with its private key, to a PKCS#12 .pfx file. The exported file will carry KeySpec = AT_KEYEXCHANGE and can be used for decryption.
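The procedure above as a single PowerShell script, added here as an example; it is not part of the plugin's own documentation. It assumes Windows PowerShell 5.1 or later with certutil.exe and the PKI module's Export-PfxCertificate cmdlet available, and the file paths are placeholders. Before importing, it also lists any copies of the same certificate already present in the Current User and Local Machine "My" stores, because those stores are consulted before the configured .pfx file and a copy without a private key will make decryption fail.

```powershell
# Added example, not part of the plugin documentation: re-import a PFX with
# KeySpec = AT_KEYEXCHANGE and export it again so it can be used for decryption.
# Assumes certutil.exe and Export-PfxCertificate (PKI module). Paths are placeholders.
$PfxIn  = 'C:\keys\recipient.pfx'        # assumed input file (KeySpec may be AT_SIGNATURE)
$PfxOut = 'C:\keys\recipient-keyx.pfx'   # assumed output file with KeySpec = AT_KEYEXCHANGE
$PfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'

# Read the certificate from the file without importing it, to learn its thumbprint.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxIn, $PfxPwd)
$thumb = $cert.Thumbprint
"Recipient certificate: $($cert.Subject) ($thumb)"

# The plugin searches CurrentUser\My and LocalMachine\My before using the .pfx file.
# Show any existing copies of this certificate and whether they carry a private key;
# a copy with HasPrivateKey = False would shadow the .pfx and make decryption fail.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $thumb |
    Select-Object PSParentPath, Thumbprint, HasPrivateKey, NotAfter |
    Format-Table -AutoSize

# 1. Show the KeySpec currently recorded in the PFX (certutil prompts for the password).
certutil -dump -v $PfxIn | Select-String -Pattern 'KeySpec'

# 2. Import into CurrentUser\My, forcing the private key to AT_KEYEXCHANGE.
certutil -user -importPFX $PfxIn AT_KEYEXCHANGE
if ($LASTEXITCODE -ne 0) { throw "certutil import failed with exit code $LASTEXITCODE" }

# 3. Export the re-imported certificate and key to a new PFX protected by the same password.
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$thumb" -FilePath $PfxOut -Password $PfxPwd | Out-Null

# 4. Verify the new file before configuring it as the Decryption Private-Key file.
certutil -dump -v $PfxOut | Select-String -Pattern 'KeySpec'
```

After step 2 the copy in Cert:\CurrentUser\My already carries the correct KeySpec, and because the stores are searched first, the plugin will use that copy rather than the .pfx file. If you do not want the key to remain in the user's store, remove it with Remove-Item "Cert:\CurrentUser\My\$thumb" -DeleteKey once the exported file has been verified.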

Options

Datafile to decrypt/verify
The enveloped CMS/PKCS #7 file to decrypt and verify.

Output file
The file that receives the decrypted (and, if enabled, signature-verified) content.

Decryption Private-Key file
Optional. The PKCS#12 (.pfx) file containing the private key used to decrypt the message.

Note-1: the Current User and Local Machine "My" (Personal) certificate stores are always searched first for a certificate matching the message's recipient; only if no match is found is the specified .pfx file used.

Note-2: as a consequence of Note-1, if the stores contain a matching certificate that is of the wrong type or has no private key, decryption fails even though the configured .pfx file may be correct. In that case remove the offending certificate from the "My" store using the certmgr.exe utility.

Password
The password that protects the PKCS#12 (.pfx) file; it is needed to read the certificate and private key.

Verify Signer Certificate
If enabled, verifies the digital signature on the signed CMS/PKCS #7 message and validates the signer's certificate.
