Question

I'm trying to verify against the NIST Transport Testing Tool. I'm using OpenSSL (patched, of course) to generate the S/MIME using the following command:

openssl smime -sign -in CCDA_Inpatient.xml -out signed.msg -signer my.crt -inkey my.key -text

Which generates a signed email that starts off looking like this:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----405E0406EDC1940F520C0423E0C587FA"

This is an S/MIME signed message

------405E0406EDC1940F520C0423E0C587FA
Content-Type: text/plain

The problem is with that Content-Type: text/plain. I need it to be Content-Type: text/xml - and adding a few other headers is nice, too. But the problem is that when I add these other headers I get an error from the TTT telling me that my signature is invalid and that the

message-digest attribute value does not match calculated value

Which leads me to believe that the signature is based on the entire part, and not just the content.

So basically I'm looking for one of two options:

  1. Is there any way that I can modify the headers and keep my same signature using this same command?
  2. How can I create my own smime.p7s signature file using the message that I'm actually trying to generate?

Solution

Turns out it's the -text parameter. If you omit that, then openssl will treat whatever the heck you throw at it as the MIME email (which means you probably should put some headers on it).

So add the headers you want, for example:

CCDA_Inpatient.xml

Content-Type: text/xml

<?xml version="1.0"?>
<!-- the rest of the document here -->

And then sign it without -text:

openssl smime -sign -in CCDA_Inpatient.xml -out signed.msg -signer my.crt -inkey my.key

And voila! Your headers will be your own.
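The procedure from the answer, carried through end to end as an added example (this is not code from the original question or answer): the input file carries its own MIME headers, it is signed without -text, the signed message is verified, and then the inner part's Content-Type is edited after signing to reproduce the "message-digest attribute value does not match calculated value" failure from the question. It assumes only that openssl is on PATH; the key, certificate, file names and the XML body are throwaway data constructed here. The added -md sha256 picks the digest explicitly, since older OpenSSL releases defaulted to SHA-1 (which is where the micalg="sha1" in the question comes from).

```shell
#!/bin/sh
# Added example: sign a MIME part that carries its own headers, then show that
# those headers are covered by the signature. Signer key/cert and the XML are
# constructed throwaway test data, not a real identity or document.
set -e

# Throwaway self-signed signer (hypothetical CN, generated fresh each run).
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smime-example" \
    -keyout "$1" -out "$2" >/dev/null 2>&1
}

# The body part WITH its own MIME headers, blank line, then the XML: the file
# layout the answer describes. Sample body is constructed for the example.
write_part() {
  cat > "$1" <<'EOF'
Content-Type: text/xml
Content-Disposition: attachment; filename="CCDA_Inpatient.xml"

<?xml version="1.0"?>
<ClinicalDocument><title>constructed sample</title></ClinicalDocument>
EOF
}

# Sign WITHOUT -text, so openssl keeps the headers already in the input rather
# than prepending its own "Content-Type: text/plain". -md sha256 avoids the
# SHA-1 default of older releases.
sign_part() {
  openssl smime -sign -md sha256 -in "$1" -out "$2" -signer "$3" -inkey "$4"
}

# 0 when the signature verifies and the signer chains to the given cert.
verify_msg() {
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
}

# Edit the inner part's Content-Type after signing. The outer multipart/signed
# header is untouched; only the header inside the signed entity changes, and
# that is enough to change the messageDigest the signer computed.
tamper_headers() {
  sed 's|^Content-Type: text/xml|Content-Type: text/plain|' "$1" > "$2"
}

# Whole flow in a scratch directory (subshell, so the cd does not leak).
# Prints OK and returns 0 when every expectation holds.
demo() (
  d=$(mktemp -d); cd "$d"
  make_signer my.key my.crt
  write_part CCDA_Inpatient.xml
  sign_part CCDA_Inpatient.xml signed.msg my.crt my.key
  grep -q '^Content-Type: text/xml' signed.msg   # our header is in the signed part
  verify_msg signed.msg my.crt                    # untouched message verifies
  tamper_headers signed.msg tampered.msg
  if verify_msg tampered.msg my.crt; then         # headers are signed: must fail
    echo "unexpected: tampered message verified"; return 1
  fi
  cd / && rm -rf "$d"
  echo OK
)
```

Run it with `demo`; it prints OK. The tamper step is the point of the question: in multipart/signed the whole first MIME entity, headers included, is what gets digested, so any header you want in the output has to be in the file before you sign, never patched in afterwards.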

Licensed under: CC-BY-SA with attribution