This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.


S/MIME provides a method to send and receive signed MIME messages. It is commonly used in email. S/MIME has multiple versions, but this module implements a subset of RFC 2632, also known as S/MIME Version 3.

class cryptography.hazmat.primitives.smime.SMIMESignatureBuilder[source]

New in version 3.2.

>>> from cryptography.hazmat.primitives import hashes, serialization, smime
>>> from cryptography import x509
>>> cert = x509.load_pem_x509_certificate(ca_cert)
>>> key = serialization.load_pem_private_key(ca_key, None)
>>> options = [smime.SMIMEOptions.DetachedSignature]
>>> smime.SMIMESignatureBuilder().set_data(
...     b"data to sign"
... ).add_signer(
...     cert, key, hashes.SHA256()
... ).sign(
...     serialization.Encoding.PEM, options
... )
Parameters:data (bytes-like) – The data to be hashed and signed.
add_signer(certificate, private_key, hash_algorithm)[source]
sign(encoding, options, backend=None)[source]
  • encodingPEM or DER.
  • options – A list of SMIMEOptions.
  • backend – An optional backend.
Return bytes:

The signed S/MIME message.

class cryptography.hazmat.primitives.smime.SMIMEOptions[source]

New in version 3.2.

An enumeration of options for S/MIME signature creation.


The text option adds text/plain headers to the S/MIME message when serializing to PEM. This option is disallowed with DER serialization.


S/MIME signing normally converts line endings (LF to CRLF). When passing this option the data will not be converted.


Don’t embed the signed data within the ASN.1. When signing with PEM this also results in the data being added as clear text before the PEM encoded structure.


S/MIME structures contain a MIMECapabilities section inside the authenticatedAttributes. Passing this as an option removes MIMECapabilities.


S/MIME structures contain an authenticatedAttributes section. Passing this as an option removes that section. Note that if you pass NoAttributes you can’t pass NoCapabilities since NoAttributes removes MIMECapabilities and more.