Pkcs 7
Pkcs 7
Pkcs 7
Syntax Standard
An RSA Laboratories Technical Note
Version 1.5
Revised November 1, 1993*
1. Scope
This standard describes a general syntax for data that may have cryptography applied
to it, such as digital signatures and digital envelopes. The syntax admits recursion, so
that, for example, one envelope can be nested inside another, or one party can sign some
previously enveloped digital data. It also allows arbitrary attributes, such as signing
time, to be authenticated along with the content of a message, and provides for other
attributes such as countersignatures to be associated with a signature. A degenerate case
of the syntax provides a means for disseminating certificates and certificate-revocation
lists.
This standard is compatible with Privacy-Enhanced Mail (PEM) in that signed-data and
signed-and-enveloped-data content, constructed in a PEM-compatible mode, can be
converted into PEM messages without any cryptographic operations. PEM messages
can similarly be converted into the signed-data and signed-and-enveloped data content
types.
*Supersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC-
SIG-91-22. PKCS documents are available by electronic mail to <pkcs@rsa.com>.
Copyright 1991–1993 RSA Laboratories, a division of RSA Data Security, Inc. License to copy this
document is granted provided that it is identified as "RSA Data Security, Inc. Public-Key Cryptography
Standards (PKCS)" in all material mentioning or referencing this document.
003-903022-150-000-000
Page 2 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
The values produced according to this standard are intended to be BER-encoded, which
means that the values would typically be represented as octet strings. While many
systems are capable of transmitting arbitrary octet strings reliably, it is well known that
many electronic-mail systems are not. This standard does not address mechanisms for
encoding octet strings as (say) strings of ASCII characters or other techniques for
enabling reliable transmission by re-encoding the octet string. RFC 1421 suggests one
possible solution to this problem.
2. References
FIPS PUB 46–1 National Bureau of Standards. FIPS PUB 46–1: Data Encryption Standard. January 1988.
PKCS #1 RSA Laboratories. PKCS #1: RSA Encryption Standard. Version 1.5, November 1993.
PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate Syntax Standard. Version 1.5, November
1993.
PKCS #9 RSA Laboratories. PKCS #9: Selected Attribute Types. Version 1.1, November 1993.
RFC 1421 J. Linn. RFC 1421: Privacy Enhancement for Internet Electronic Mail: Part I: Message
Encryption and Authentication Procedures. February 1993.
RFC 1422 S. Kent. RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based
Key Management. February 1993.
RFC 1423 D. Balenson. RFC 1423: Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms,
Modes, and Identifiers. February 1993.
RFC 1424 B. Kaliski. RFC 1424: Privacy Enhancement for Internet Electronic Mail: Part IV: Key
Certification and Related Services. February 1993.
RFC 1319 B. Kaliski. RFC 1319: The MD2 Message-Digest Algorithm. April 1992.
RFC 1321 R. Rivest. RFC 1321: The MD5 Message-Digest Algorithm. April 1992.
X.208 CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.
X.209 CCITT. Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax
Notation One (ASN.1). 1988.
X.500 CCITT. Recommendation X.500: The Directory—Overview of Concepts, Models and Services.
1988.
[NIST91] NIST. Special Publication 500-202: Stable Implementation Agreements for Open Systems
Interconnection Protocols. Version 5, Edition 1, Part 12. December 1991.
3. DEFINITIONS Page 3
[RSA78] R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and
public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
3. Definitions
Attribute: A type that contains an attribute type (specified by object identifier) and
one or more attribute values. This type is defined in X.501.
Certificate: A type that binds an entity's distinguished name to a public key with a
digital signature. This type is defined in X.509. This type also contains the distinguished
name of the certificate issuer (the signer), an issuer-specific serial number, the issuer's
signature algorithm identifier, and a validity period.
DER: Distinguished Encoding Rules for ASN.1, as defined in X.509, Section 8.7.
desCBC: The object identifier for DES in cipher-block chaining (CBC) mode, as defined
in [NIST91].
MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as defined in RFC 1319.
Page 4 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as defined in RFC 1321.
rsaEncryption: The object identifier for RSA encryption, as defined in PKCS #1.
5. General overview
The following nine sections specify useful types, general syntax, six content types, and
object identifiers.
The syntax is general enough to support many different content types. This standard
defines six: data, signed data, enveloped data, signed-and-enveloped data, digested
data, and encrypted data. Other content types may be added in the future. The use of
content types defined outside this standard is possible, but is subject to bilateral
agreement between parties exchanging content.
This standard exports one type, ContentInfo, as well as the various object identifiers.
There are two classes of content types: base and enhanced. Content types in the base
class contain "just data," with no cryptographic enhancements. Presently, one content
type is in this class, the data content type. Content types in the enhanced class contain
content of some type (possibly encrypted), and other cryptographic enhancements. For
example, enveloped-data content can contain (encrypted) signed-data content, which
can contain data content. The four non-data content types fall into the enhanced class.
The content types in the enhanced class thus employ encapsulation, giving rise to the
terms "outer" content (the one containing the enhancements) and "inner" content (the
one being enhanced).
6. USEFUL TYPES Page 5
The standard is designed such that the enhanced content types can be prepared in a
single pass using indefinite-length BER encoding, and processed in a single pass in any
BER encoding. Single-pass operation is especially helpful if content is stored on tapes, or
is "piped" from another process. One of the drawbacks of single-pass operation,
however, is that it is difficult to output a DER encoding in a single pass, since the
lengths of the various components may not be known in advance. Since DER encoding
is required by the signed-data, signed-and-enveloped data, and digested-data content
types, an extra pass may be necessary when a content type other than data is the inner
content of one of those content types.
6. Useful types
This section defines types that are useful in at least two places in the standard.
6.1 CertificateRevocationLists
CertificateRevocationLists ::=
SET OF CertificateRevocationList
6.2 ContentEncryptionAlgorithmIdentifier
ContentEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifier
6.3 DigestAlgorithmIdentifier
6.4 DigestEncryptionAlgorithmIdentifier
DigestEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifier
6.5 ExtendedCertificateOrCertificate
6.6 ExtendedCertificatesAndCertificates
ExtendedCertificatesAndCertificates ::=
SET OF ExtendedCertificateOrCertificate
Note. The precise meaning of a "chain" is outside the scope of this standard. Some
applications of this standard may impose upper limits on the length of a chain; others
may enforce certain relationships between the subjects and issuers of certificates in a
chain. An example of such relationships has been proposed for Privacy-Enhanced Mail
in RFC 1422.
7. GENERAL SYNTAX Page 7
6.7 IssuerAndSerialNumber
6.8 KeyEncryptionAlgorithmIdentifier
KeyEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifier
6.9 Version
The Version type gives a syntax version number, for compatibility with future
revisions of this standard.
7. General syntax
The general syntax for content exchanged between entities according to this standard
associates a content type with content. The syntax shall have ASN.1 type ContentInfo:
• content is the content. The field is optional, and if the field is not present,
its intended value must be supplied by other means. Its type is defined
along with the object identifier for contentType.
Notes.
1. The methods below assume that the type of content can be determined
uniquely by contentType, so the type defined along with the object
identifier should not be a CHOICE type.
The data content type is just an octet string. It shall have ASN.1 type Data:
The data content type is intended to refer to arbitrary octet strings, such as ASCII text
files; the interpretation is left to the application. Such strings need not have any internal
structure (although they may; they could even be DER encodings).
9. SIGNED-DATA CONTENT TYPE Page 9
The signed-data content type consists of content of any type and encrypted message
digests of the content for zero or more signers. The encrypted digest for a signer is a
"digital signature" on the content for that signer. Any type of content can be signed by
any number of signers in parallel. Furthermore, the syntax has a degenerate case in
which there are no signers on the content. The degenerate case provides a means for
disseminating certificates and certificate-revocation lists.
It is expected that the typical application of the signed-data content type will be to
represent one signer's digital signature on content of the data content type. Another
typical application will be to disseminate certificates and certificate-revocation lists.
The process by which signed data is constructed involves the following steps:
2. For each signer, the message digest and associated information are
encrypted with the signer's private key.
3. For each signer, the encrypted message digest and other signer-specific
information are collected into a SignerInfo value, defined in Section 9.2.
Certificates and certificate-revocation lists for each signer, and those not
corresponding to any signer, are collected in this step.
4. The message-digest algorithms for all the signers and the SignerInfo
values for all the signers are collected together with the content into a
SignedData value, defined in Section 9.1.
A recipient verifies the signatures by decrypting the encrypted message digest for each
signer with the signer's public key, then comparing the recovered message digest to an
independently computed message digest. The signer's public key is either contained in a
certificate included in the signer information, or is referenced by an issuer distinguished
name and an issuer-specific serial number that uniquely identify the certificate for the
public key.
This section is divided into five parts. The first part describes the top-level type
SignedData, the second part describes the per-signer information type SignerInfo,
Page 10 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
and the third and fourth parts describe the message-digesting and digest-encryption
processes. The fifth part summarizes compatibility with Privacy-Enhanced Mail.
DigestAlgorithmIdentifiers ::=
SET OF DigestAlgorithmIdentifier
• version is the syntax version number. It shall be 1 for this version of the
standard.
• contentInfo is the content that is signed. It can have any of the defined
content types.
Notes.
3. In the degenerate case where there are no signers on the content, the
ContentInfo value being "signed" is irrelevant. It is recommended in
that case that the content type of the ContentInfo value being "signed"
be data, and the content field of the ContentInfo value be omitted.
• version is the syntax version number. It shall be 1 for this version of the
standard.
Other attribute types that might be useful here, such as signing time, are
also defined in PKCS #9.
Notes.
The message-digesting process computes a message digest on either the content being
signed or the content together with the signer's authenticated attributes. In either case,
the initial input to the message-digesting process is the "value" of the content being
signed. Specifically, the initial input is the contents octets of the DER encoding of the
content field of the ContentInfo value to which the signing process is applied. Only
the contents octets of the DER encoding of that field are digested, not the identifier
octets or the length octets.
The result of the message-digesting process (which is called, informally, the "message
digest") depends on whether the authenticatedAttributes field is present. When
the field is absent, the result is just the message digest of the content. When the field is
present, however, the result is the message digest of the complete DER encoding of the
Page 14 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
When the content being signed has content type data and the
authenticatedAttributes field is absent, then just the value of the data (e.g., the
contents of a file) is digested. This has the advantage that the length of the content being
signed need not be known in advance of the encryption process. This method is
compatible with Privacy-Enhanced Mail.
Although the identifier octets and the length octets are not digested, they are still
protected by other means. The length octets are protected by the nature of the message-
digest algorithm since it is by assumption computationally infeasible to find any two
distinct messages of any length that have the same message digest. Furthermore,
assuming that the content type uniquely determines the identifier octets, the identifier
octets are protected implicitly in one of two ways: either by the inclusion of the content
type in the authenticated attributes, or by the use of the PEM-compatible alternative in
Section 9.4 which implies that the content type is data.
Note. The fact that the message digest is computed on part of a DER encoding does not
mean that DER is the required method of representing that part for data transfer.
Indeed, it is expected that some implementations of this standard may store objects in
other than their DER encodings, but such practices do not affect message-digest
computation.
The input to the digest-encryption process—the value supplied to the signer's digest-
encryption algorithm—includes the result of the message-digesting process (informally,
the "message digest") and the digest algorithm identifier (or object identifier). The result
of the digest-encryption process is the encryption with the signer's private key of the
BER encoding of a value of type DigestInfo:
1For clarity: The IMPLICIT [0] tag in the authenticatedAttributes field is not part of the Attributes value.
The Attributes value's tag is SET OF, and the DER encoding of the SET OF tag, rather than of the IMPLICIT [0]
tag, is to be digested along with the length and contents octets of the Attributes value.
9. SIGNED-DATA CONTENT TYPE Page 15
Notes.
1. The only difference between the signature process defined here and the
signature algorithms defined in PKCS #1 is that signatures there are
represented as bit strings, for consistency with the X.509 SIGNED macro.
Here, encrypted message digests are octet strings.
2. The input to the encryption process typically will have 30 or fewer octets.
If digestEncryptionAlgorithm is PKCS #1's rsaEncryption, then
this means that the input can be encrypted in a single block as long as the
length of the RSA modulus is at least 328 bits, which is reasonable and
consistent with security recommendations.
4. There is potential for ambiguity due to the fact that the DigestInfo value
does not indicate whether the digest field contains just the message
digest of the content or the message digest of the complete DER encoding
of the authenticatedAttributes field. In other words, it is possible
for an adversary to transform a signature on authenticated attributes to
one that appears to be just on content by changing the content to be the
DER encoding of the authenticatedAttributes field, and then
removing the authenticatedAttributes field. (The reverse
Page 16 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
Compatibility with the MIC-ONLY and MIC-CLEAR process types in PEM occurs when
the content type of the ContentInfo value being signed is data, there are no
authenticated attributes, the message-digest algorithm is md2 or md5, and the digest-
encryption algorithm is PKCS #1's rsaEncryption. Under all those conditions, the
encrypted message digest produced here matches the one produced in PEM because:
2. The value encrypted with the signer's private key in PEM (as specified in
RFC 1423) is the same as in this standard when there are no authenticated
attributes. RSA private-key encryption in PEM is the same as PKCS #1's
rsaEncryption.
The other parts of the signed-data content type (certificates, CRLs, algorithm identifiers,
etc.) are easily translated to and from their corresponding PEM components.
The enveloped-data content type consists of encrypted content of any type and
encrypted content-encryption keys for one or more recipients. The combination of
encrypted content and encrypted content-encryption key for a recipient is a "digital
envelope" for that recipient. Any type of content can be enveloped for any number of
recipients in parallel.
It is expected that the typical application of the enveloped-data content type will be to
represent one or more recipients' digital envelopes on content of the data, digested-data,
or signed-data content types.
The process by which enveloped data is constructed involves the following steps:
5. The RecipientInfo values for all the recipients are collected together
with the encrypted content into a EnvelopedData value, defined in
Section 10.1.
A recipient opens the envelope by decrypting the one of the encrypted content-
encryption keys with the recipient's private key and decrypting the encrypted content
with the recovered content-encryption key. The recipient's private key is referenced by
an issuer distinguished name and an issuer-specific serial number that uniquely identify
the certificate for the corresponding public key.
This section is divided into four parts. The first part describes the top-level type
EnvelopedData, the second part describes the per-recipient information type
RecipientInfo, and the third and fourth parts describe the content-encryption and
key-encryption processes.
This content type is not compatible with Privacy-Enhanced Mail (although some
processes it defines are compatible with their PEM counterparts), since Privacy-
Enhanced Mail always involves digital signatures, never digital envelopes alone.
encryptedContent
[0] IMPLICIT EncryptedContent OPTIONAL }
• version is the syntax version number. It shall be 0 for this version of the
standard.
Note. The fact that the recipientInfos field comes before the
encryptedContentInfo field makes it possible to process an EnvelopedData value
in a single pass. (Single-pass processing is described in Section 5.)
• version is the syntax version number. It shall be 0 for this version of the
standard.
The input to the content-encryption process is the "value" of the content being
enveloped. Specifically, the input is the contents octets of a definite-length BER
encoding of the content field of the ContentInfo value to which the enveloping
process is applied. Only the contents octets of the BER encoding are encrypted, not the
identifier octets or length octets; those other octets are not represented at all.
When the content being enveloped has content type data, then just the value of the data
(e.g., the contents of a file) is encrypted. This has the advantage that the length of the
content being encrypted need not be known in advance of the encryption process. This
method is compatible with Privacy-Enhanced Mail.
The identifier octets and the length octets are not encrypted. The length octets may be
protected implicitly by the encryption process, depending on the encryption algorithm.
The identifier octets are not protected at all, although they can be recovered from the
content type, assuming that the content type uniquely determines the identifier octets.
Explicit protection of the identifier and length octets requires that the signed-and-
enveloped-data content type be employed, or that the digested-data and enveloped-data
content types be applied in succession.
Notes.
1. The reason that a definite-length BER encoding is required is that the bit
indicating whether the length is definite or indefinite is not recorded
anywhere in the enveloped-data content type. Definite-length encoding is
more appropriate for simple types such as octet strings, so definite-length
encoding is chosen.
Page 20 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
01 — if l mod k = k-1
02 02 — if l mod k = k-2
⋅
⋅
⋅
k k … k k — if l mod k = 0
The padding can be removed unambiguously since all input is padded and
no padding string is a suffix of another. This padding method is well-
defined if and only if k < 256; methods for larger k are an open issue for
further study.
The input to the key-encryption process—the value supplied to the recipient's key-
encryption algorithm—is just the "value" of the content-encryption key.
This section defines the signed-and-enveloped-data content type. For brevity, much of
this section is expressed in terms of material in Sections 9 and 10.
5. For each signer, the message digest and associated information are
encrypted with the signer's private key, and the result is encrypted with
the content-encryption key. (The second encryption may require that the
result of the first encryption be padded to a multiple of some block size;
see Section 10.3 for discussion.)
6. For each signer, the doubly encrypted message digest and other signer-
specific information are collected into a SignerInfo value, defined in
Section 9.2.
7. The content is encrypted with the content-encryption key. (See Section 10.3
for discussion.)
8. The message-digest algorithms for all the signers, the SignerInfo values
for all the signers and the RecipientInfo values for all the recipients are
collected together with the encrypted content into a
SignedAndEnvelopedData value, defined in Section 11.1.
A recipient opens the envelope and verifies the signatures in two steps. First, the one of
the encrypted content-encryption keys is decrypted with the recipient's private key, and
the encrypted content is decrypted with the recovered content-encryption key. Second,
the doubly encrypted message digest for each signer is decrypted with the recovered
Page 22 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
content-encryption key, the result is decrypted with the signer's public key, and the
recovered message digest is compared to an independently computed message digest.
Recipient private keys and signer public keys are contained or referenced as discussed
in Sections 9 and 10.
This section is divided into three parts. The first part describes the top-level type
SignedAndEnvelopedData and the second part describes the digest-encryption
process. Other types and processes are the same as in Sections 9 and 10. The third part
summarizes compatibility with Privacy-Enhanced Mail.
• version is the syntax version number. It shall be 1 for this version of the
standard.
Notes.
The input to the digest-encryption process is the same as in Section 9, but the process
itself is different. Specifically, the process involves two steps. First, the input to the
process is supplied to the signer's digest-encryption algorithm, as in Section 9. Second,
the result of the first step is encrypted with the content-encryption key. There is no DER
encoding between the two steps; the "value" output by the first step is input directly to
the second step. (See Section 10.3 for discussion.)
Page 24 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
This process is compatible with the ENCRYPTED process type in Privacy-Enhanced Mail.
Note. The purpose of the second step is to prevent an adversary from recovering the
message digest of the content. Otherwise, an adversary would be able to determine
which of a list of candidate contents (e.g., "Yes" or "No") is the actual content by
comparing the their message digests to the actual message digest.
Compatibility with the ENCRYPTED process type of PEM occurs when the content type
of the ContentInfo value being signed and enveloped is data, the message-digest
algorithm is md2 or md5, the content-encryption algorithm is DES in CBC mode, the
digest-encryption algorithm is PKCS #1's rsaEncryption, and the key-encryption
algorithm is PKCS #1's rsaEncryption. Under all those conditions, the doubly
encrypted message digest and the encrypted content encryption key match the ones
produced in PEM because of reasons similar to those given in Section 9.5, as well as the
following:
The digested-data content type consists of content of any type and a message digest of
the content.
It is expected that the typical application of the digested-data content type will be to add
integrity to content of the data content type, and that the result would become the
content input to the enveloped-data content type.
• version is the syntax version number. It shall be 0 for this version of the
standard.
Note. The fact that the digestAlgorithm field comes before the contentInfo field
and the digest field comes after it makes it possible to process a DigestedData value
in a single pass. (Single-pass processing is described in Section 5.)
The encrypted-data content type consists of encrypted content of any type. Unlike the
enveloped-data content type, the encrypted-data content type has neither recipients nor
encrypted content-encryption keys. Keys are assumed to be managed by other means.
Page 26 PKCS #7: CRYPTOGRAPHIC MESSAGE SYNTAX STANDARD
It is expected that the typical application of the encrypted-data content type will be to
encrypt content of the data content type for local storage, perhaps where the encryption
key is a password.
• version is the syntax version number. It shall be 0 for this version of the
standard.
These object identifiers are intended to be used in the contentType field of a value of
type ContentInfo (see Section 5). The content field of that type, which has the
content-type-specific syntax ANY DEFINED BY contentType, would have ASN.1
14. OBJECT IDENTIFIERS Page 27
Revision history
Versions 1.0–1.3
Versions 1.0–1.3 were distributed to participants in RSA Data Security, Inc.'s Public-Key
Cryptography Standards meetings in February and March 1991.
Version 1.4
Version 1.4 is part of the June 3, 1991 initial public release of PKCS. Version 1.4 was
published as NIST/OSI Implementors' Workshop document SEC-SIG-91-22.
Version 1.5
Version 1.5 incorporates several editorial changes, including updates to the references
and the addition of a revision history. The following substantive changes were made:
• Section 9.1: SignedData syntax is revised. The new version allows for the
dissemination of certificate-revocation lists along with signatures. It also
allows for the dissemination of certificates and certificate-revocation lists
alone, without any signatures.
Author's address