< draft-hoffman-pkcs-crypt-msg-01.txt   draft-hoffman-pkcs-crypt-msg-02.txt >
Internet Draft RSA Laboratories Internet Draft Burt Kaliski
Expires 11/5/97 Expires March 16, 1998
<draft-hoffman-pkcs-crypt-msg-01.txt> <draft-hoffman-pkcs-crypt-msg-02.txt>
PKCS #7: Cryptographic Message Syntax PKCS #7: Cryptographic Message Syntax
Version 1.5 Version 1.5
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast). ftp.isi.edu (US West Coast).
This memo provides information for the Internet community. This memo This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of does not specify an Internet standard of any kind. Distribution of
this memo is unlimited. this memo is unlimited.
Overview Overview
This standard describes a general syntax for data that may have This document describes a general syntax for data that may have
cryptography applied to it, such as digital signatures and digital cryptography applied to it, such as digital signatures and digital
envelopes. The syntax admits recursion, so that, for example, one envelopes. The syntax admits recursion, so that, for example, one
envelope can be nested inside another, or one party can sign some envelope can be nested inside another, or one party can sign some
previously enveloped digital data. It also allows arbitrary previously enveloped digital data. It also allows arbitrary
attributes, such as signing time, to be authenticated along with the attributes, such as signing time, to be authenticated along with the
content of a message, and provides for other attributes such as content of a message, and provides for other attributes such as
countersignatures to be associated with a signature. A degenerate countersignatures to be associated with a signature. A degenerate
case of the syntax provides a means for disseminating certificates case of the syntax provides a means for disseminating certificates
and certificate-revocation lists. and certificate-revocation lists.
Please note: The information in this document is historical material
being published for the public record. It is not an IETF standard.
The use of the word "standard" in this document indicates a standard
for RSA Laboratories and its customers, not an IETF standard.
PKCS #7: Cryptographic Message Syntax
1. Scope 1. Scope
This standard is compatible with Privacy-Enhanced Mail (PEM) in that This document is compatible with Privacy-Enhanced Mail (PEM) in that
signed-data and signed-and-enveloped-data content, constructed in a signed-data and signed-and-enveloped-data content, constructed in a
PEM-compatible mode, can be converted into PEM messages without any PEM-compatible mode, can be converted into PEM messages without any
cryptographic operations. PEM messages can similarly be converted cryptographic operations. PEM messages can similarly be converted
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
into the signed-data and signed-and-enveloped data content types. into the signed-data and signed-and-enveloped data content types.
This standard can support a variety of architectures for certificate- This document can support a variety of architectures for certificate-
based key management, such as the one proposed for Privacy-Enhanced based key management, such as the one proposed for Privacy-Enhanced
Mail in RFC 1422. Architectural decisions such as what certificate Mail in RFC 1422. Architectural decisions such as what certificate
issuers are considered "top-level," what entities certificate issuers issuers are considered "top-level," what entities certificate issuers
are authorized to certify, what distinguished names are considered are authorized to certify, what distinguished names are considered
acceptable, and what policies certificate issuers must follow (such acceptable, and what policies certificate issuers must follow (such
as signing only with secure hardware, or requiring entities to as signing only with secure hardware, or requiring entities to
present specific forms of identification) are left outside the present specific forms of identification) are left outside the
standard. document.
The values produced according to this standard are intended to be The values produced according to this document are intended to be
BER-encoded, which means that the values would typically be BER-encoded, which means that the values would typically be
represented as octet strings. While many systems are capable of represented as octet strings. While many systems are capable of
transmitting arbitrary octet strings reliably, it is well known that transmitting arbitrary octet strings reliably, it is well known that
many electronic-mail systems are not. This standard does not address many electronic-mail systems are not. This document does not address
mechanisms for encoding octet strings as (say) strings of ASCII mechanisms for encoding octet strings as (say) strings of ASCII
characters or other techniques for enabling reliable transmission by characters or other techniques for enabling reliable transmission by
re- encoding the octet string. RFC 1421 suggests one possible re- encoding the octet string. RFC 1421 suggests one possible
solution to this problem. solution to this problem.
2. References 2. References
FIPS PUB 46-1 National Bureau of Standards. FIPS PUB 46-1: FIPS PUB 46-1 National Bureau of Standards. FIPS PUB 46-1:
Data Encryption Standard. January 1988. Data Encryption Standard. January 1988.
PKCS #1 RSA Laboratories. PKCS #1: RSA Encryption PKCS #1 RSA Laboratories. PKCS #1: RSA Encryption.
Standard. Version 1.5, November 1993. Version 1.5, November 1993.
PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate
Syntax Standard. Version 1.5, November 1993. Syntax. Version 1.5, November 1993.
PKCS #9 RSA Laboratories. PKCS #9: Selected Attribute PKCS #9 RSA Laboratories. PKCS #9: Selected Attribute
Types. Version 1.1, November 1993. Types. Version 1.1, November 1993.
RFC 1421 J. Linn. RFC 1421: Privacy Enhancement for RFC 1421 J. Linn. RFC 1421: Privacy Enhancement for
Internet Electronic Mail: Part I: Message Internet Electronic Mail: Part I: Message
Encryption and Authentication Procedures. February Encryption and Authentication Procedures. February
1993. 1993.
RFC 1422 S. Kent. RFC 1422: Privacy Enhancement for RFC 1422 S. Kent. RFC 1422: Privacy Enhancement for
PKCS #7: Cryptographic Message Syntax
Internet Electronic Mail: Part II: Certificate- Internet Electronic Mail: Part II: Certificate-
Based Key Management. February 1993. Based Key Management. February 1993.
RFC 1423 D. Balenson. RFC 1423: Privacy Enhancement for RFC 1423 D. Balenson. RFC 1423: Privacy Enhancement for
Internet Electronic Mail: Part III: Algorithms, Internet Electronic Mail: Part III: Algorithms,
Modes, and Identifiers. February 1993. Modes, and Identifiers. February 1993.
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
RFC 1424 B. Kaliski. RFC 1424: Privacy Enhancement for RFC 1424 B. Kaliski. RFC 1424: Privacy Enhancement for
Internet Electronic Mail: Part IV: Key Internet Electronic Mail: Part IV: Key
Certification and Related Services. February 1993. Certification and Related Services. February 1993.
RFC 1319 B. Kaliski. RFC 1319: The MD2 Message-Digest RFC 1319 B. Kaliski. RFC 1319: The MD2 Message-Digest
Algorithm. April 1992. Algorithm. April 1992.
RFC 1321 R. Rivest. RFC 1321: The MD5 Message-Digest RFC 1321 R. Rivest. RFC 1321: The MD5 Message-Digest
Algorithm. April 1992. Algorithm. April 1992.
skipping to change at page 3, line 53 skipping to change at page 3, line 46
Interconnection Protocols. Version 5, Edition 1, Interconnection Protocols. Version 5, Edition 1,
Part 12. December 1991. Part 12. December 1991.
[RSA78] R.L. Rivest, A. Shamir, and L. Adleman. A method [RSA78] R.L. Rivest, A. Shamir, and L. Adleman. A method
for obtaining digital signatures and public-key for obtaining digital signatures and public-key
cryptosystems. Communications of the ACM, cryptosystems. Communications of the ACM,
21(2):120-126, February 1978. 21(2):120-126, February 1978.
3. Definitions 3. Definitions
For the purposes of this standard, the following definitions apply. For the purposes of this document, the following definitions apply.
PKCS #7: Cryptographic Message Syntax
AlgorithmIdentifier: A type that identifies an algorithm (by object AlgorithmIdentifier: A type that identifies an algorithm (by object
identifier) and associated parameters. This type is defined in X.509. identifier) and associated parameters. This type is defined in X.509.
ASN.1: Abstract Syntax Notation One, as defined in X.208. ASN.1: Abstract Syntax Notation One, as defined in X.208.
Attribute: A type that contains an attribute type (specified by Attribute: A type that contains an attribute type (specified by
object identifier) and one or more attribute values. This type is object identifier) and one or more attribute values. This type is
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
defined in X.501. defined in X.501.
BER: Basic Encoding Rules, as defined in X.209. BER: Basic Encoding Rules, as defined in X.209.
Certificate: A type that binds an entity's distinguished name to a Certificate: A type that binds an entity's distinguished name to a
public key with a digital signature. This type is defined in X.509. public key with a digital signature. This type is defined in X.509.
This type also contains the distinguished name of the certificate This type also contains the distinguished name of the certificate
issuer (the signer), an issuer- specific serial number, the issuer's issuer (the signer), an issuer- specific serial number, the issuer's
signature algorithm identifier, and a validity period. signature algorithm identifier, and a validity period.
CertificateSerialNumber: A type that uniquely identifies a CertificateSerialNumber: A type that uniquely identifies a
certificate (and thereby an entity and a public key) among those certificate (and thereby an entity and a public key) among those
signed by a particular certificate issuer. This type is defined in signed by a particular certificate issuer. This type is defined in
X.509. X.509.
CertificateRevocationList: A type that contains information about CertificateRevocationList: A type that contains information about
certificates whose validity an issuer has prematurely revoked. The certificates whose validity an issuer has prematurely revoked. The
information consists of an issuer name, the time of issue, the next information consists of an issuer name, the time of issue, the next
scheduled time of issue, and a list of certificate serial numbers and scheduled time of issue, and a list of certificate serial numbers and
their associated revocation times. The CRL is signed by the issuer. their associated revocation times. The CRL is signed by the issuer.
The type intended by this standard is the one defined RFC 1422. The type intended by this document is the one defined RFC 1422.
DER: Distinguished Encoding Rules for ASN.1, as defined in X.509, DER: Distinguished Encoding Rules for ASN.1, as defined in X.509,
Section 8.7. Section 8.7.
DES: Data Encryption Standard, as defined in FIPS PUB 46-1. DES: Data Encryption Standard, as defined in FIPS PUB 46-1.
desCBC: The object identifier for DES in cipher-block chaining (CBC) desCBC: The object identifier for DES in cipher-block chaining (CBC)
mode, as defined in [NIST91]. mode, as defined in [NIST91].
ExtendedCertificate: A type that consists of an X.509 public- key ExtendedCertificate: A type that consists of an X.509 public- key
certificate and a set of attributes, collectively signed by the certificate and a set of attributes, collectively signed by the
issuer of the X.509 public-key certificate. This type is defined in issuer of the X.509 public-key certificate. This type is defined in
PKCS #6. PKCS #6.
MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as
defined in RFC 1319. defined in RFC 1319.
md2: The object identifier for MD2, as defined in RFC 1319. md2: The object identifier for MD2, as defined in RFC 1319.
MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as
PKCS #7: Cryptographic Message Syntax
defined in RFC 1321. defined in RFC 1321.
md5: The object identifier for MD5, as defined in RFC 1321. md5: The object identifier for MD5, as defined in RFC 1321.
Name: A type that uniquely identifies or "distinguishes" objects in Name: A type that uniquely identifies or "distinguishes" objects in
an X.500 directory. This type is defined in X.501. In an X.509 an X.500 directory. This type is defined in X.501. In an X.509
certificate, the type identifies the certificate issuer and the certificate, the type identifies the certificate issuer and the
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
entity whose public key is certified. entity whose public key is certified.
PEM: Internet Privacy-Enhanced Mail, as defined in RFCs 1421-1424. PEM: Internet Privacy-Enhanced Mail, as defined in RFCs 1421-1424.
RSA: The RSA public-key cryptosystem, as defined in [RSA78]. RSA: The RSA public-key cryptosystem, as defined in [RSA78].
rsaEncryption: The object identifier for RSA encryption, as defined rsaEncryption: The object identifier for RSA encryption, as defined
in PKCS #1. in PKCS #1.
4. Symbols and abbreviations 4. Symbols and abbreviations
No symbols or abbreviations are defined in this standard. No symbols or abbreviations are defined in this document.
5. General overview 5. General overview
The following nine sections specify useful types, general syntax, six The following nine sections specify useful types, general syntax, six
content types, and object identifiers. content types, and object identifiers.
The syntax is general enough to support many different content types. The syntax is general enough to support many different content types.
This standard defines six: data, signed data, enveloped data, signed- This document defines six: data, signed data, enveloped data, signed-
and-enveloped data, digested data, and encrypted data. Other content and-enveloped data, digested data, and encrypted data. Other content
types may be added in the future. The use of content types defined types may be added in the future. The use of content types defined
outside this standard is possible, but is subject to bilateral outside this document is possible, but is subject to bilateral
agreement between parties exchanging content. agreement between parties exchanging content.
This standard exports one type, ContentInfo, as well as the various This document exports one type, ContentInfo, as well as the various
object identifiers. object identifiers.
There are two classes of content types: base and enhanced. Content There are two classes of content types: base and enhanced. Content
types in the base class contain "just data," with no cryptographic types in the base class contain "just data," with no cryptographic
enhancements. Presently, one content type is in this class, the data enhancements. Presently, one content type is in this class, the data
content type. Content types in the enhanced class contain content of content type. Content types in the enhanced class contain content of
some type (possibly encrypted), and other cryptographic enhancements. some type (possibly encrypted), and other cryptographic enhancements.
For example, enveloped-data content can contain (encrypted) signed- For example, enveloped-data content can contain (encrypted) signed-
data content, which can contain data content. The four non-data data content, which can contain data content. The four non-data
content types fall into the enhanced class. The content types in the content types fall into the enhanced class. The content types in the
enhanced class thus employ encapsulation, giving rise to the terms enhanced class thus employ encapsulation, giving rise to the terms
"outer" content (the one containing the enhancements) and "inner" "outer" content (the one containing the enhancements) and "inner"
content (the one being enhanced). content (the one being enhanced).
The standard is designed such that the enhanced content types can be The document is designed such that the enhanced content types can be
PKCS #7: Cryptographic Message Syntax
prepared in a single pass using indefinite- length BER encoding, and prepared in a single pass using indefinite- length BER encoding, and
processed in a single pass in any BER encoding. Single-pass operation processed in a single pass in any BER encoding. Single-pass operation
is especially helpful if content is stored on tapes, or is "piped" is especially helpful if content is stored on tapes, or is "piped"
from another process. One of the drawbacks of single-pass operation, from another process. One of the drawbacks of single-pass operation,
however, is that it is difficult to output a DER encoding in a single however, is that it is difficult to output a DER encoding in a single
pass, since the lengths of the various components may not be known in pass, since the lengths of the various components may not be known in
advance. Since DER encoding is required by the signed-data, signed- advance. Since DER encoding is required by the signed-data, signed-
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
and-enveloped data, and digested- data content types, an extra pass and-enveloped data, and digested- data content types, an extra pass
may be necessary when a content type other than data is the inner may be necessary when a content type other than data is the inner
content of one of those content types. content of one of those content types.
6. Useful types 6. Useful types
This section defines types that are useful in at least two places in This section defines types that are useful in at least two places in
the standard. the document.
6.1 CertificateRevocationLists 6.1 CertificateRevocationLists
The CertificateRevocationLists type gives a set of certificate- The CertificateRevocationLists type gives a set of certificate-
revocation lists. It is intended that the set contain information revocation lists. It is intended that the set contain information
sufficient to determine whether the certificates with which the set sufficient to determine whether the certificates with which the set
is associated are "hot listed," but there may be more certificate- is associated are "hot listed," but there may be more certificate-
revocation lists than necessary, or there may be fewer than revocation lists than necessary, or there may be fewer than
necessary. necessary.
skipping to change at page 7, line 5 skipping to change at page 6, line 48
ContentEncryptionAlgorithmIdentifier ::= ContentEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifier AlgorithmIdentifier
6.3 DigestAlgorithmIdentifier 6.3 DigestAlgorithmIdentifier
The DigestAlgorithmIdentifier type identifies a message- digest The DigestAlgorithmIdentifier type identifies a message- digest
algorithm. Examples include MD2 and MD5. A message- digest algorithm algorithm. Examples include MD2 and MD5. A message- digest algorithm
maps an octet string (the message) to another octet string (the maps an octet string (the message) to another octet string (the
message digest). message digest).
PKCS #7: Cryptographic Message Syntax
DigestAlgorithmIdentifier ::= AlgorithmIdentifier DigestAlgorithmIdentifier ::= AlgorithmIdentifier
6.4 DigestEncryptionAlgorithmIdentifier 6.4 DigestEncryptionAlgorithmIdentifier
The DigestEncryptionAlgorithmIdentifier type identifies a digest- The DigestEncryptionAlgorithmIdentifier type identifies a digest-
encryption algorithm under which a message digest can be encrypted. encryption algorithm under which a message digest can be encrypted.
One example is PKCS #1's rsaEncryption. A digest-encryption algorithm One example is PKCS #1's rsaEncryption. A digest-encryption algorithm
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
supports encryption and decryption operations. The encryption supports encryption and decryption operations. The encryption
operation maps an octet string (the message digest) to another octet operation maps an octet string (the message digest) to another octet
string (the encrypted message digest) under control of a digest- string (the encrypted message digest) under control of a digest-
encryption key. The decryption operation is the inverse of the encryption key. The decryption operation is the inverse of the
encryption operation. Context determines which operation is intended. encryption operation. Context determines which operation is intended.
DigestEncryptionAlgorithmIdentifier ::= DigestEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifier AlgorithmIdentifier
6.5 ExtendedCertificateOrCertificate 6.5 ExtendedCertificateOrCertificate
skipping to change at page 7, line 47 skipping to change at page 7, line 40
certificates and X.509 certificates. It is intended that the set be certificates and X.509 certificates. It is intended that the set be
sufficient to contain chains from a recognized "root" or "top-level sufficient to contain chains from a recognized "root" or "top-level
certification authority" to all of the signers with which the set is certification authority" to all of the signers with which the set is
associated, but there may be more certificates than necessary, or associated, but there may be more certificates than necessary, or
there may be fewer than necessary. there may be fewer than necessary.
ExtendedCertificatesAndCertificates ::= ExtendedCertificatesAndCertificates ::=
SET OF ExtendedCertificateOrCertificate SET OF ExtendedCertificateOrCertificate
Note. The precise meaning of a "chain" is outside the scope of this Note. The precise meaning of a "chain" is outside the scope of this
standard. Some applications of this standard may impose upper limits document. Some applications of this document may impose upper limits
on the length of a chain; others may enforce certain relationships on the length of a chain; others may enforce certain relationships
between the subjects and issuers of certificates in a chain. An between the subjects and issuers of certificates in a chain. An
example of such relationships has been proposed for Privacy-Enhanced example of such relationships has been proposed for Privacy-Enhanced
Mail in RFC 1422. Mail in RFC 1422.
6.7 IssuerAndSerialNumber 6.7 IssuerAndSerialNumber
PKCS #7: Cryptographic Message Syntax
The IssuerAndSerialNumber type identifies a certificate (and thereby The IssuerAndSerialNumber type identifies a certificate (and thereby
an entity and a public key) by the distinguished name of the an entity and a public key) by the distinguished name of the
certificate issuer and an issuer-specific certificate serial number. certificate issuer and an issuer-specific certificate serial number.
IssuerAndSerialNumber ::= SEQUENCE { IssuerAndSerialNumber ::= SEQUENCE {
issuer Name, issuer Name,
serialNumber CertificateSerialNumber } serialNumber CertificateSerialNumber }
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
6.8 KeyEncryptionAlgorithmIdentifier 6.8 KeyEncryptionAlgorithmIdentifier
The KeyEncryptionAlgorithmIdentifier type identifies a key- The KeyEncryptionAlgorithmIdentifier type identifies a key-
encryption algorithm under which a content-encryption key can be encryption algorithm under which a content-encryption key can be
encrypted. One example is PKCS #1's rsaEncryption. A key-encryption encrypted. One example is PKCS #1's rsaEncryption. A key-encryption
algorithm supports encryption and decryption operations. The algorithm supports encryption and decryption operations. The
encryption operation maps an octet string (the key) to another octet encryption operation maps an octet string (the key) to another octet
string (the encrypted key) under control of a key-encryption key. The string (the encrypted key) under control of a key-encryption key. The
decryption operation is the inverse of the encryption operation. decryption operation is the inverse of the encryption operation.
Context determines which operation is intended. Context determines which operation is intended.
KeyEncryptionAlgorithmIdentifier ::= KeyEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifier AlgorithmIdentifier
6.9 Version 6.9 Version
The Version type gives a syntax version number, for compatibility The Version type gives a syntax version number, for compatibility
with future revisions of this standard. with future revisions of this document.
Version ::= INTEGER Version ::= INTEGER
7. General syntax 7. General syntax
The general syntax for content exchanged between entities according The general syntax for content exchanged between entities according
to this standard associates a content type with content. The syntax to this document associates a content type with content. The syntax
shall have ASN.1 type ContentInfo: shall have ASN.1 type ContentInfo:
ContentInfo ::= SEQUENCE { ContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType,
content content
[0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
ContentType ::= OBJECT IDENTIFIER ContentType ::= OBJECT IDENTIFIER
The fields of type ContentInfo have the following meanings: The fields of type ContentInfo have the following meanings:
o contentType indicates the type of content. It is o contentType indicates the type of content. It is
an object identifier, which means it is a unique an object identifier, which means it is a unique
string of integers assigned by the authority that string of integers assigned by the authority that
defines the content type. This standard defines defines the content type. This document defines
PKCS #7: Cryptographic Message Syntax
six content types (see Section 14): data, six content types (see Section 14): data,
signedData, envelopedData, signedAndEnvelopedData, signedData, envelopedData, signedAndEnvelopedData,
digestedData, and encryptedData. digestedData, and encryptedData.
o content is the content. The field is optional, and o content is the content. The field is optional, and
if the field is not present, its intended value if the field is not present, its intended value
must be supplied by other means. Its type is must be supplied by other means. Its type is
defined along with the object identifier for defined along with the object identifier for
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
contentType. contentType.
Notes. Notes.
1. The methods below assume that the type of content 1. The methods below assume that the type of content
can be determined uniquely by contentType, so the can be determined uniquely by contentType, so the
type defined along with the object identifier type defined along with the object identifier
should not be a CHOICE type. should not be a CHOICE type.
2. When a ContentInfo value is the inner content of 2. When a ContentInfo value is the inner content of
skipping to change at page 10, line 4 skipping to change at page 9, line 46
8. Data content type 8. Data content type
The data content type is just an octet string. It shall have ASN.1 The data content type is just an octet string. It shall have ASN.1
type Data: type Data:
Data ::= OCTET STRING Data ::= OCTET STRING
The data content type is intended to refer to arbitrary octet The data content type is intended to refer to arbitrary octet
strings, such as ASCII text files; the interpretation is left to the strings, such as ASCII text files; the interpretation is left to the
application. Such strings need not have any internal structure application. Such strings need not have any internal structure
PKCS #7: Cryptographic Message Syntax
(although they may; they could even be DER encodings). (although they may; they could even be DER encodings).
9. Signed-data content type 9. Signed-data content type
The signed-data content type consists of content of any type and The signed-data content type consists of content of any type and
encrypted message digests of the content for zero or more signers. encrypted message digests of the content for zero or more signers.
The encrypted digest for a signer is a "digital signature" on the The encrypted digest for a signer is a "digital signature" on the
content for that signer. Any type of content can be signed by any content for that signer. Any type of content can be signed by any
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
number of signers in parallel. Furthermore, the syntax has a number of signers in parallel. Furthermore, the syntax has a
degenerate case in which there are no signers on the content. The degenerate case in which there are no signers on the content. The
degenerate case provides a means for disseminating certificates and degenerate case provides a means for disseminating certificates and
certificate-revocation lists. certificate-revocation lists.
It is expected that the typical application of the signed- data It is expected that the typical application of the signed- data
content type will be to represent one signer's digital signature on content type will be to represent one signer's digital signature on
content of the data content type. Another typical application will be content of the data content type. Another typical application will be
to disseminate certificates and certificate-revocation lists. to disseminate certificates and certificate-revocation lists.
skipping to change at page 11, line 5 skipping to change at page 10, line 47
into a SignerInfo value, defined in Section 9.2. into a SignerInfo value, defined in Section 9.2.
Certificates and certificate-revocation lists for Certificates and certificate-revocation lists for
each signer, and those not corresponding to any each signer, and those not corresponding to any
signer, are collected in this step. signer, are collected in this step.
4. The message-digest algorithms for all the signers 4. The message-digest algorithms for all the signers
and the SignerInfo values for all the signers are and the SignerInfo values for all the signers are
collected together with the content into a collected together with the content into a
SignedData value, defined in Section 9.1. SignedData value, defined in Section 9.1.
PKCS #7: Cryptographic Message Syntax
A recipient verifies the signatures by decrypting the encrypted A recipient verifies the signatures by decrypting the encrypted
message digest for each signer with the signer's public key, then message digest for each signer with the signer's public key, then
comparing the recovered message digest to an independently computed comparing the recovered message digest to an independently computed
message digest. The signer's public key is either contained in a message digest. The signer's public key is either contained in a
certificate included in the signer information, or is referenced by certificate included in the signer information, or is referenced by
an issuer distinguished name and an issuer-specific serial number an issuer distinguished name and an issuer-specific serial number
that uniquely identify the certificate for the public key. that uniquely identify the certificate for the public key.
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
This section is divided into five parts. The first part describes the This section is divided into five parts. The first part describes the
top-level type SignedData, the second part describes the per-signer top-level type SignedData, the second part describes the per-signer
information type SignerInfo, and the third and fourth parts describe information type SignerInfo, and the third and fourth parts describe
the message-digesting and digest-encryption processes. The fifth part the message-digesting and digest-encryption processes. The fifth part
summarizes compatibility with Privacy-Enhanced Mail. summarizes compatibility with Privacy-Enhanced Mail.
9.1 SignedData type 9.1 SignedData type
The signed-data content type shall have ASN.1 type SignedData: The signed-data content type shall have ASN.1 type SignedData:
skipping to change at page 11, line 45 skipping to change at page 11, line 37
DigestAlgorithmIdentifiers ::= DigestAlgorithmIdentifiers ::=
SET OF DigestAlgorithmIdentifier SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo SignerInfos ::= SET OF SignerInfo
The fields of type SignedData have the following meanings: The fields of type SignedData have the following meanings:
o version is the syntax version number. It shall be o version is the syntax version number. It shall be
1 for this version of the standard. 1 for this version of the document.
o digestAlgorithms is a collection of message-digest o digestAlgorithms is a collection of message-digest
algorithm identifiers. There may be any number of algorithm identifiers. There may be any number of
elements in the collection, including zero. Each elements in the collection, including zero. Each
element identifies the message-digest algorithm element identifies the message-digest algorithm
(and any associated parameters) under which the (and any associated parameters) under which the
content is digested for a some signer. The content is digested for a some signer. The
collection is intended to list the message-digest collection is intended to list the message-digest
algorithms employed by all of the signers, in any algorithms employed by all of the signers, in any
PKCS #7: Cryptographic Message Syntax
order, to facilitate one-pass signature order, to facilitate one-pass signature
verification. The message-digesting process is verification. The message-digesting process is
described in Section 9.3. described in Section 9.3.
o contentInfo is the content that is signed. It can o contentInfo is the content that is signed. It can
have any of the defined content types. have any of the defined content types.
o certificates is a set of PKCS #6 extended o certificates is a set of PKCS #6 extended
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
certificates and X.509 certificates. It is certificates and X.509 certificates. It is
intended that the set be sufficient to contain intended that the set be sufficient to contain
chains from a recognized "root" or "top-level chains from a recognized "root" or "top-level
certification authority" to all of the signers in certification authority" to all of the signers in
the signerInfos field. There may be more the signerInfos field. There may be more
certificates than necessary, and there may be certificates than necessary, and there may be
certificates sufficient to contain chains from two certificates sufficient to contain chains from two
or more independent top-level certification or more independent top-level certification
authorities. There may also be fewer certificates authorities. There may also be fewer certificates
than necessary, if it is expected that those than necessary, if it is expected that those
skipping to change at page 13, line 5 skipping to change at page 12, line 46
1. The fact that the digestAlgorithms field comes 1. The fact that the digestAlgorithms field comes
before the contentInfo field and the signerInfos before the contentInfo field and the signerInfos
field comes after it makes it possible to process field comes after it makes it possible to process
a SignedData value in a single pass. (Single-pass a SignedData value in a single pass. (Single-pass
processing is described in Section 5.) processing is described in Section 5.)
2. The differences between version 1 SignedData and 2. The differences between version 1 SignedData and
version 0 SignedData (defined in PKCS #7, Version version 0 SignedData (defined in PKCS #7, Version
1.4) are the following: 1.4) are the following:
PKCS #7: Cryptographic Message Syntax
o the digestAlgorithms and signerInfos o the digestAlgorithms and signerInfos
fields may contain zero elements in fields may contain zero elements in
version 1, but not in version 0 version 1, but not in version 0
o the crls field is allowed in version 1, o the crls field is allowed in version 1,
but not in version 0 but not in version 0
Except for the difference in version number, Except for the difference in version number,
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
version 0 SignedData values are acceptable as version 0 SignedData values are acceptable as
version 1 values. An implementation can therefore version 1 values. An implementation can therefore
process SignedData values of either version as process SignedData values of either version as
though they were version 1 values. It is suggested though they were version 1 values. It is suggested
that PKCS implementations generate only version 1 that PKCS implementations generate only version 1
SignedData values, but be prepared to process SignedData values, but be prepared to process
SignedData values of either version. SignedData values of either version.
3. In the degenerate case where there are no signers 3. In the degenerate case where there are no signers
on the content, the ContentInfo value being on the content, the ContentInfo value being
skipping to change at page 13, line 51 skipping to change at page 13, line 43
DigestEncryptionAlgorithmIdentifier, DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest, encryptedDigest EncryptedDigest,
unauthenticatedAttributes unauthenticatedAttributes
[1] IMPLICIT Attributes OPTIONAL } [1] IMPLICIT Attributes OPTIONAL }
EncryptedDigest ::= OCTET STRING EncryptedDigest ::= OCTET STRING
The fields of type SignerInfo have the following meanings: The fields of type SignerInfo have the following meanings:
o version is the syntax version number. It shall be o version is the syntax version number. It shall be
1 for this version of the standard. 1 for this version of the document.
o issuerAndSerialNumber specifies the signer's o issuerAndSerialNumber specifies the signer's
certificate (and thereby the signer's certificate (and thereby the signer's
PKCS #7: Cryptographic Message Syntax
distinguished name and public key) by issuer distinguished name and public key) by issuer
distinguished name and issuer-specific serial distinguished name and issuer-specific serial
number. number.
o digestAlgorithm identifies the message-digest o digestAlgorithm identifies the message-digest
algorithm (and any associated parameters) under algorithm (and any associated parameters) under
which the content and authenticated attributes (if which the content and authenticated attributes (if
present) are digested. It should be among those in present) are digested. It should be among those in
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
the digestAlgorithms field of the superior the digestAlgorithms field of the superior
SignerInfo value. The message-digesting process is SignerInfo value. The message-digesting process is
described in Section 9.3. described in Section 9.3.
o authenticatedAttributes is a set of attributes o authenticatedAttributes is a set of attributes
that are signed (i.e., authenticated) by the that are signed (i.e., authenticated) by the
signer. The field is optional, but it must be signer. The field is optional, but it must be
present if the content type of the ContentInfo present if the content type of the ContentInfo
value being signed is not data. If the field is value being signed is not data. If the field is
present, it must contain, at a minimum, two present, it must contain, at a minimum, two
skipping to change at page 15, line 5 skipping to change at page 14, line 47
o encryptedDigest is the result of encrypting the o encryptedDigest is the result of encrypting the
message digest and associated information with the message digest and associated information with the
signer's private key. signer's private key.
o unauthenticatedAttributes is a set of attributes o unauthenticatedAttributes is a set of attributes
that are not signed (i.e., authenticated) by the that are not signed (i.e., authenticated) by the
signer. The field is optional. Attribute types signer. The field is optional. Attribute types
that might be useful here, such as that might be useful here, such as
countersignatures, are defined in PKCS #9. countersignatures, are defined in PKCS #9.
PKCS #7: Cryptographic Message Syntax
Notes. Notes.
1. It is recommended in the interest of PEM 1. It is recommended in the interest of PEM
compatibility that the authenticatedAttributes compatibility that the authenticatedAttributes
field be omitted whenever the content type of the field be omitted whenever the content type of the
ContentInfo value being signed is data and there ContentInfo value being signed is data and there
are no other authenticated attributes. are no other authenticated attributes.
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
2. The difference between version 1 SignerInfo and 2. The difference between version 1 SignerInfo and
version 0 SignerInfo (defined in PKCS #7, Version version 0 SignerInfo (defined in PKCS #7, Version
1.4) is in the message-digest encryption process 1.4) is in the message-digest encryption process
(see Section 9.4). Only the PEM-compatible (see Section 9.4). Only the PEM-compatible
processes are different, reflecting changes in processes are different, reflecting changes in
Privacy-Enhanced Mail signature methods. There is Privacy-Enhanced Mail signature methods. There is
no difference in the non-PEM-compatible message- no difference in the non-PEM-compatible message-
digest encryption process. digest encryption process.
It is suggested that PKCS implementations generate It is suggested that PKCS implementations generate
skipping to change at page 16, line 4 skipping to change at page 15, line 47
authenticatedAttributes field is present. When the field is absent, authenticatedAttributes field is present. When the field is absent,
the result is just the message digest of the content. When the field the result is just the message digest of the content. When the field
is present, however, the result is the message digest of the complete is present, however, the result is the message digest of the complete
DER encoding of the Attributes value containted in the DER encoding of the Attributes value containted in the
authenticatedAttributes field. (For clarity: The IMPLICIT [0] tag in authenticatedAttributes field. (For clarity: The IMPLICIT [0] tag in
the authenticatedAttributes field is not part of the Attributes the authenticatedAttributes field is not part of the Attributes
value. The Attributes value's tag is SET OF, and the DER encoding of value. The Attributes value's tag is SET OF, and the DER encoding of
the SET OF tag, rather than of the IMPLICIT [0] tag, is to be the SET OF tag, rather than of the IMPLICIT [0] tag, is to be
digested along with the length and contents octets of the Attributes digested along with the length and contents octets of the Attributes
value.) Since the Attributes value, when the field is present, must value.) Since the Attributes value, when the field is present, must
PKCS #7: Cryptographic Message Syntax
contain as attributes the content type and the message digest of the contain as attributes the content type and the message digest of the
content, those values are indirectly included in the result. content, those values are indirectly included in the result.
When the content being signed has content type data and the When the content being signed has content type data and the
authenticatedAttributes field is absent, then just the value of the authenticatedAttributes field is absent, then just the value of the
data (e.g., the contents of a file) is digested. This has the data (e.g., the contents of a file) is digested. This has the
advantage that the length of the content being signed need not be advantage that the length of the content being signed need not be
known in advance of the encryption process. This method is compatible known in advance of the encryption process. This method is compatible
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
with Privacy-Enhanced Mail. with Privacy-Enhanced Mail.
Although the identifier octets and the length octets are not Although the identifier octets and the length octets are not
digested, they are still protected by other means. The length octets digested, they are still protected by other means. The length octets
are protected by the nature of the message- digest algorithm since it are protected by the nature of the message- digest algorithm since it
is by assumption computationally infeasible to find any two distinct is by assumption computationally infeasible to find any two distinct
messages of any length that have the same message digest. messages of any length that have the same message digest.
Furthermore, assuming that the content type uniquely determines the Furthermore, assuming that the content type uniquely determines the
identifier octets, the identifier octets are protected implicitly in identifier octets, the identifier octets are protected implicitly in
one of two ways: either by the inclusion of the content type in the one of two ways: either by the inclusion of the content type in the
authenticated attributes, or by the use of the PEM- compatible authenticated attributes, or by the use of the PEM- compatible
alternative in Section 9.4 which implies that the content type is alternative in Section 9.4 which implies that the content type is
data. data.
Note. The fact that the message digest is computed on part of a DER Note. The fact that the message digest is computed on part of a DER
encoding does not mean that DER is the required method of encoding does not mean that DER is the required method of
representing that part for data transfer. Indeed, it is expected that representing that part for data transfer. Indeed, it is expected that
some implementations of this standard may store objects in other than some implementations of this document may store objects in other than
their DER encodings, but such practices do not affect message-digest their DER encodings, but such practices do not affect message-digest
computation. computation.
9.4 Digest-encryption process 9.4 Digest-encryption process
The input to the digest-encryption process--the value supplied to the The input to the digest-encryption process--the value supplied to the
signer's digest-encryption algorithm--includes the result of the signer's digest-encryption algorithm--includes the result of the
message-digesting process (informally, the "message digest") and the message-digesting process (informally, the "message digest") and the
digest algorithm identifier (or object identifier). The result of the digest algorithm identifier (or object identifier). The result of the
digest-encryption process is the encryption with the signer's private digest-encryption process is the encryption with the signer's private
skipping to change at page 17, line 4 skipping to change at page 16, line 47
DigestInfo ::= SEQUENCE { DigestInfo ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
digest Digest } digest Digest }
Digest ::= OCTET STRING Digest ::= OCTET STRING
The fields of type DigestInfo have the following meanings: The fields of type DigestInfo have the following meanings:
o digestAlgorithm identifies the message-digest o digestAlgorithm identifies the message-digest
algorithm (and any associated parameters) under algorithm (and any associated parameters) under
PKCS #7: Cryptographic Message Syntax
which the content and authenticated attributes are which the content and authenticated attributes are
digested. It should be the same as the digested. It should be the same as the
digestAlgorithm field of the superior SignerInfo digestAlgorithm field of the superior SignerInfo
value. value.
o digest is the result of the message-digesting o digest is the result of the message-digesting
process. process.
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
Notes. Notes.
1. The only difference between the signature process 1. The only difference between the signature process
defined here and the signature algorithms defined defined here and the signature algorithms defined
in PKCS #1 is that signatures there are in PKCS #1 is that signatures there are
represented as bit strings, for consistency with represented as bit strings, for consistency with
the X.509 SIGNED macro. Here, encrypted message the X.509 SIGNED macro. Here, encrypted message
digests are octet strings. digests are octet strings.
2. The input to the encryption process typically will 2. The input to the encryption process typically will
skipping to change at page 18, line 4 skipping to change at page 17, line 46
previously used MD2, since the DigestInfo value previously used MD2, since the DigestInfo value
contains the message-digest algorithm. If a signer contains the message-digest algorithm. If a signer
never trusted the MD2 algorithm and always used never trusted the MD2 algorithm and always used
MD5, then the compromise of MD2 would not affect MD5, then the compromise of MD2 would not affect
the signer. If the DigestInfo value contained only the signer. If the DigestInfo value contained only
the message digest, however, the compromise of MD2 the message digest, however, the compromise of MD2
would affect signers that use any message-digest would affect signers that use any message-digest
algorithm. algorithm.
4. There is potential for ambiguity due to the fact 4. There is potential for ambiguity due to the fact
PKCS #7: Cryptographic Message Syntax
that the DigestInfo value does not indicate that the DigestInfo value does not indicate
whether the digest field contains just the message whether the digest field contains just the message
digest of the content or the message digest of the digest of the content or the message digest of the
complete DER encoding of the complete DER encoding of the
authenticatedAttributes field. In other words, it authenticatedAttributes field. In other words, it
is possible for an adversary to transform a is possible for an adversary to transform a
signature on authenticated attributes to one that signature on authenticated attributes to one that
appears to be just on content by changing the appears to be just on content by changing the
content to be the DER encoding of the content to be the DER encoding of the
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
authenticatedAttributes field, and then removing authenticatedAttributes field, and then removing
the authenticatedAttributes field. (The reverse the authenticatedAttributes field. (The reverse
transformation is possible, but requires that the transformation is possible, but requires that the
content be the DER encoding of an authenticated content be the DER encoding of an authenticated
attributes value, which is unlikely.) This attributes value, which is unlikely.) This
ambiguity is not a new problem, nor is it a ambiguity is not a new problem, nor is it a
significant one, as context will generally prevent significant one, as context will generally prevent
misuse. Indeed, it is also possible for an misuse. Indeed, it is also possible for an
adversary to transform a signature on a adversary to transform a signature on a
certificate or certificate-revocation list to one certificate or certificate-revocation list to one
skipping to change at page 18, line 38 skipping to change at page 18, line 29
9.5 Compatibility with Privacy-Enhanced Mail 9.5 Compatibility with Privacy-Enhanced Mail
Compatibility with the MIC-ONLY and MIC-CLEAR process types in PEM Compatibility with the MIC-ONLY and MIC-CLEAR process types in PEM
occurs when the content type of the ContentInfo value being signed is occurs when the content type of the ContentInfo value being signed is
data, there are no authenticated attributes, the message-digest data, there are no authenticated attributes, the message-digest
algorithm is md2 or md5, and the digest- encryption algorithm is PKCS algorithm is md2 or md5, and the digest- encryption algorithm is PKCS
#1's rsaEncryption. Under all those conditions, the encrypted message #1's rsaEncryption. Under all those conditions, the encrypted message
digest produced here matches the one produced in PEM because: digest produced here matches the one produced in PEM because:
1. The value input to the message-digest algorithm in 1. The value input to the message-digest algorithm in
PEM is the same as in this standard when there are PEM is the same as in this document when there are
no authenticated attributes. MD2 and MD5 in PEM no authenticated attributes. MD2 and MD5 in PEM
are the same as md2 and md5. are the same as md2 and md5.
2. The value encrypted with the signer's private key 2. The value encrypted with the signer's private key
in PEM (as specified in RFC 1423) is the same as in PEM (as specified in RFC 1423) is the same as
in this standard when there are no authenticated in this document when there are no authenticated
attributes. RSA private-key encryption in PEM is attributes. RSA private-key encryption in PEM is
the same as PKCS #1's rsaEncryption. the same as PKCS #1's rsaEncryption.
The other parts of the signed-data content type (certificates, CRLs, The other parts of the signed-data content type (certificates, CRLs,
algorithm identifiers, etc.) are easily translated to and from their algorithm identifiers, etc.) are easily translated to and from their
corresponding PEM components. corresponding PEM components.
10. Enveloped-data content type 10. Enveloped-data content type
The enveloped-data content type consists of encrypted content of any The enveloped-data content type consists of encrypted content of any
PKCS #7: Cryptographic Message Syntax
type and encrypted content-encryption keys for one or more type and encrypted content-encryption keys for one or more
recipients. The combination of encrypted content and encrypted recipients. The combination of encrypted content and encrypted
content-encryption key for a recipient is a "digital envelope" for content-encryption key for a recipient is a "digital envelope" for
that recipient. Any type of content can be enveloped for any number that recipient. Any type of content can be enveloped for any number
of recipients in parallel. of recipients in parallel.
It is expected that the typical application of the enveloped- data It is expected that the typical application of the enveloped- data
content type will be to represent one or more recipients' digital content type will be to represent one or more recipients' digital
envelopes on content of the data, digested-data, or signed-data envelopes on content of the data, digested-data, or signed-data
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
content types. content types.
The process by which enveloped data is constructed involves the The process by which enveloped data is constructed involves the
following steps: following steps:
1. A content-encryption key for a particular content- 1. A content-encryption key for a particular content-
encryption algorithm is generated at random. encryption algorithm is generated at random.
2. For each recipient, the content-encryption key is 2. For each recipient, the content-encryption key is
encrypted with the recipient's public key. encrypted with the recipient's public key.
skipping to change at page 20, line 4 skipping to change at page 19, line 46
encryption key. The recipient's private key is referenced by an encryption key. The recipient's private key is referenced by an
issuer distinguished name and an issuer-specific serial number that issuer distinguished name and an issuer-specific serial number that
uniquely identify the certificate for the corresponding public key. uniquely identify the certificate for the corresponding public key.
This section is divided into four parts. The first part describes the This section is divided into four parts. The first part describes the
top-level type EnvelopedData, the second part describes the per- top-level type EnvelopedData, the second part describes the per-
recipient information type RecipientInfo, and the third and fourth recipient information type RecipientInfo, and the third and fourth
parts describe the content- encryption and key-encryption processes. parts describe the content- encryption and key-encryption processes.
This content type is not compatible with Privacy-Enhanced Mail This content type is not compatible with Privacy-Enhanced Mail
PKCS #7: Cryptographic Message Syntax
(although some processes it defines are compatible with their PEM (although some processes it defines are compatible with their PEM
counterparts), since Privacy-Enhanced Mail always involves digital counterparts), since Privacy-Enhanced Mail always involves digital
signatures, never digital envelopes alone. signatures, never digital envelopes alone.
10.1 EnvelopedData type 10.1 EnvelopedData type
The enveloped-data content type shall have ASN.1 type EnvelopedData: The enveloped-data content type shall have ASN.1 type EnvelopedData:
EnvelopedData ::= SEQUENCE { EnvelopedData ::= SEQUENCE {
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
version Version, version Version,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo } encryptedContentInfo EncryptedContentInfo }
RecipientInfos ::= SET OF RecipientInfo RecipientInfos ::= SET OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE { EncryptedContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType,
contentEncryptionAlgorithm contentEncryptionAlgorithm
ContentEncryptionAlgorithmIdentifier, ContentEncryptionAlgorithmIdentifier,
encryptedContent encryptedContent
[0] IMPLICIT EncryptedContent OPTIONAL } [0] IMPLICIT EncryptedContent OPTIONAL }
EncryptedContent ::= OCTET STRING EncryptedContent ::= OCTET STRING
The fields of type EnvelopedData have the following meanings: The fields of type EnvelopedData have the following meanings:
o version is the syntax version number. It shall be o version is the syntax version number. It shall be
0 for this version of the standard. 0 for this version of the document.
o recipientInfos is a collection of per-recipient o recipientInfos is a collection of per-recipient
information. There must be at least one element in information. There must be at least one element in
the collection. the collection.
o encryptedContentInfo is the encrypted content o encryptedContentInfo is the encrypted content
information. information.
The fields of type EncryptedContentInfo have the following meanings: The fields of type EncryptedContentInfo have the following meanings:
o contentType indicates the type of content. o contentType indicates the type of content.
o contentEncryptionAlgorithm identifies the content- o contentEncryptionAlgorithm identifies the content-
encryption algorithm (and any associated encryption algorithm (and any associated
parameters) under which the content is encrypted. parameters) under which the content is encrypted.
The content-encryption process is described in The content-encryption process is described in
Section 10.3. This algorithm is the same for all Section 10.3. This algorithm is the same for all
recipients. recipients.
o encryptedContent is the result of encrypting the o encryptedContent is the result of encrypting the
PKCS #7: Cryptographic Message Syntax
content. The field is optional, and if the field content. The field is optional, and if the field
is not present, its intended value must be is not present, its intended value must be
supplied by other means. supplied by other means.
Note. The fact that the recipientInfos field comes before the Note. The fact that the recipientInfos field comes before the
encryptedContentInfo field makes it possible to process an encryptedContentInfo field makes it possible to process an
EnvelopedData value in a single pass. (Single-pass processing is EnvelopedData value in a single pass. (Single-pass processing is
described in Section 5.) described in Section 5.)
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
10.2 RecipientInfo type 10.2 RecipientInfo type
Per-recipient information is represented in the type RecipientInfo: Per-recipient information is represented in the type RecipientInfo:
RecipientInfo ::= SEQUENCE { RecipientInfo ::= SEQUENCE {
version Version, version Version,
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
keyEncryptionAlgorithm keyEncryptionAlgorithm
KeyEncryptionAlgorithmIdentifier, KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey } encryptedKey EncryptedKey }
EncryptedKey ::= OCTET STRING EncryptedKey ::= OCTET STRING
The fields of type RecipientInfo have the following meanings: The fields of type RecipientInfo have the following meanings:
o version is the syntax version number. It shall be o version is the syntax version number. It shall be
0 for this version of the standard. 0 for this version of the document.
o issuerAndSerialNumber specifies the recipient's o issuerAndSerialNumber specifies the recipient's
certificate (and thereby the recipient's certificate (and thereby the recipient's
distinguished name and public key) by issuer distinguished name and public key) by issuer
distinguished name and issuer-specific serial distinguished name and issuer-specific serial
number. number.
o keyEncryptionAlgorithm identifies the key- o keyEncryptionAlgorithm identifies the key-
encryption algorithm (and any associated encryption algorithm (and any associated
parameters) under which the content-encryption key parameters) under which the content-encryption key
is encrypted with the recipient's public key. The is encrypted with the recipient's public key. The
key-encryption process is described in Section key-encryption process is described in Section
10.4. 10.4.
o encryptedKey is the result of encrypting the o encryptedKey is the result of encrypting the
content-encryption key with the recipient's public content-encryption key with the recipient's public
key (see below). key (see below).
10.3 Content-encryption process 10.3 Content-encryption process
PKCS #7: Cryptographic Message Syntax
The input to the content-encryption process is the "value" of the The input to the content-encryption process is the "value" of the
content being enveloped. Specifically, the input is the contents content being enveloped. Specifically, the input is the contents
octets of a definite-length BER encoding of the content field of the octets of a definite-length BER encoding of the content field of the
ContentInfo value to which the enveloping process is applied. Only ContentInfo value to which the enveloping process is applied. Only
the contents octets of the BER encoding are encrypted, not the the contents octets of the BER encoding are encrypted, not the
identifier octets or length octets; those other octets are not identifier octets or length octets; those other octets are not
represented at all. represented at all.
When the content being enveloped has content type data, then just the When the content being enveloped has content type data, then just the
value of the data (e.g., the contents of a file) is encrypted. This value of the data (e.g., the contents of a file) is encrypted. This
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
has the advantage that the length of the content being encrypted need has the advantage that the length of the content being encrypted need
not be known in advance of the encryption process. This method is not be known in advance of the encryption process. This method is
compatible with Privacy- Enhanced Mail. compatible with Privacy- Enhanced Mail.
The identifier octets and the length octets are not encrypted. The The identifier octets and the length octets are not encrypted. The
length octets may be protected implicitly by the encryption process, length octets may be protected implicitly by the encryption process,
depending on the encryption algorithm. The identifier octets are not depending on the encryption algorithm. The identifier octets are not
protected at all, although they can be recovered from the content protected at all, although they can be recovered from the content
type, assuming that the content type uniquely determines the type, assuming that the content type uniquely determines the
identifier octets. Explicit protection of the identifier and length identifier octets. Explicit protection of the identifier and length
skipping to change at page 23, line 4 skipping to change at page 22, line 44
handling inputs whose lengths are not a multiple handling inputs whose lengths are not a multiple
of k octets. For such algorithms, the method shall of k octets. For such algorithms, the method shall
be to pad the input at the trailing end with k - be to pad the input at the trailing end with k -
(l mod k) octets all having value k - (l mod k), (l mod k) octets all having value k - (l mod k),
where l is the length of the input. In other where l is the length of the input. In other
words, the input is padded at the trailing end words, the input is padded at the trailing end
with one of the following strings: with one of the following strings:
01 -- if l mod k = k-1 01 -- if l mod k = k-1
02 02 -- if l mod k = k-2 02 02 -- if l mod k = k-2
PKCS #7: Cryptographic Message Syntax
. .
. .
. .
k k ... k k -- if l mod k = 0 k k ... k k -- if l mod k = 0
The padding can be removed unambiguously since all The padding can be removed unambiguously since all
input is padded and no padding string is a suffix input is padded and no padding string is a suffix
of another. This padding method is well-defined if of another. This padding method is well-defined if
and only if k < 256; methods for larger k are an and only if k < 256; methods for larger k are an
open issue for further study. open issue for further study.
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
10.4 Key-encryption process 10.4 Key-encryption process
The input to the key-encryption process--the value supplied to the The input to the key-encryption process--the value supplied to the
recipient's key-encryption algorithm--is just the "value" of the recipient's key-encryption algorithm--is just the "value" of the
content-encryption key. content-encryption key.
11. Signed-and-enveloped-data content type 11. Signed-and-enveloped-data content type
This section defines the signed-and-enveloped-data content type. For This section defines the signed-and-enveloped-data content type. For
brevity, much of this section is expressed in terms of material in brevity, much of this section is expressed in terms of material in
skipping to change at page 24, line 5 skipping to change at page 23, line 44
enveloped-data content type will be to represent one signer's digital enveloped-data content type will be to represent one signer's digital
signature and one or more recipients' digital envelopes on content of signature and one or more recipients' digital envelopes on content of
the data content type. the data content type.
The process by which signed-and-enveloped data is constructed The process by which signed-and-enveloped data is constructed
involves the following steps: involves the following steps:
1. A content-encryption key for a particular content- 1. A content-encryption key for a particular content-
encryption algorithm is generated at random. encryption algorithm is generated at random.
PKCS #7: Cryptographic Message Syntax
2. For each recipient, the content-encryption key is 2. For each recipient, the content-encryption key is
encrypted with the recipient's public key. encrypted with the recipient's public key.
3. For each recipient, the encrypted content- 3. For each recipient, the encrypted content-
encryption key and other recipient-specific encryption key and other recipient-specific
information are collected into a RecipientInfo information are collected into a RecipientInfo
value, defined in Section 10.2. value, defined in Section 10.2.
4. For each signer, a message digest is computed on 4. For each signer, a message digest is computed on
the content with a signer-specific message-digest the content with a signer-specific message-digest
algorithm. (If two signers employ the same message- algorithm. (If two signers employ the same message-
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
digest algorithm, then the message digest need be digest algorithm, then the message digest need be
computed for only one of them.) computed for only one of them.)
5. For each signer, the message digest and associated 5. For each signer, the message digest and associated
information are encrypted with the signer's information are encrypted with the signer's
private key, and the result is encrypted with the private key, and the result is encrypted with the
content-encryption key. (The second encryption may content-encryption key. (The second encryption may
require that the result of the first encryption be require that the result of the first encryption be
padded to a multiple of some block size; see padded to a multiple of some block size; see
Section 10.3 for discussion.) Section 10.3 for discussion.)
skipping to change at page 25, line 5 skipping to change at page 24, line 45
decrypted with the recipient's private key, and the encrypted content decrypted with the recipient's private key, and the encrypted content
is decrypted with the recovered content-encryption key. Second, the is decrypted with the recovered content-encryption key. Second, the
doubly encrypted message digest for each signer is decrypted with the doubly encrypted message digest for each signer is decrypted with the
recovered content-encryption key, the result is decrypted with the recovered content-encryption key, the result is decrypted with the
signer's public key, and the recovered message digest is compared to signer's public key, and the recovered message digest is compared to
an independently computed message digest. an independently computed message digest.
Recipient private keys and signer public keys are contained or Recipient private keys and signer public keys are contained or
referenced as discussed in Sections 9 and 10. referenced as discussed in Sections 9 and 10.
PKCS #7: Cryptographic Message Syntax
This section is divided into three parts. The first part describes This section is divided into three parts. The first part describes
the top-level type SignedAndEnvelopedData and the second part the top-level type SignedAndEnvelopedData and the second part
describes the digest-encryption process. Other types and processes describes the digest-encryption process. Other types and processes
are the same as in Sections 9 and 10. The third part summarizes are the same as in Sections 9 and 10. The third part summarizes
compatibility with Privacy- Enhanced Mail. compatibility with Privacy- Enhanced Mail.
Note. The signed-and-enveloped-data content type provides Note. The signed-and-enveloped-data content type provides
cryptographic enhancements similar to those resulting from the cryptographic enhancements similar to those resulting from the
sequential combination of signed-data and enveloped-data content sequential combination of signed-data and enveloped-data content
types. However, since the signed-and-enveloped-data content type does types. However, since the signed-and-enveloped-data content type does
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
not have authenticated or unauthenticated attributes, nor does it not have authenticated or unauthenticated attributes, nor does it
provide enveloping of signer information other than the signature, provide enveloping of signer information other than the signature,
the sequential combination of signed-data and enveloped-data content the sequential combination of signed-data and enveloped-data content
types is generally preferable to the SignedAndEnvelopedData content types is generally preferable to the SignedAndEnvelopedData content
type, except when compatibility with the ENCRYPTED process type in type, except when compatibility with the ENCRYPTED process type in
Privacy-Enhanced Mail in intended. Privacy-Enhanced Mail in intended.
11.1 SignedAndEnvelopedData type 11.1 SignedAndEnvelopedData type
The signed-and-enveloped-data content type shall have ASN.1 type The signed-and-enveloped-data content type shall have ASN.1 type
skipping to change at page 25, line 45 skipping to change at page 25, line 35
[0] IMPLICIT ExtendedCertificatesAndCertificates [0] IMPLICIT ExtendedCertificatesAndCertificates
OPTIONAL, OPTIONAL,
crls crls
[1] IMPLICIT CertificateRevocationLists OPTIONAL, [1] IMPLICIT CertificateRevocationLists OPTIONAL,
signerInfos SignerInfos } signerInfos SignerInfos }
The fields of type SignedAndEnvelopedData have the following The fields of type SignedAndEnvelopedData have the following
meanings: meanings:
o version is the syntax version number. It shall be o version is the syntax version number. It shall be
1 for this version of the standard. 1 for this version of the document.
o recipientInfos is a collection of per-recipient o recipientInfos is a collection of per-recipient
information, as in Section 10. There must be at information, as in Section 10. There must be at
least one element in the collection. least one element in the collection.
o digestAlgorithms is a collection of message-digest o digestAlgorithms is a collection of message-digest
algorithm identifiers, as in Section 9. The algorithm identifiers, as in Section 9. The
message-digesting process is the same as in message-digesting process is the same as in
Section 9 in the case when there are no Section 9 in the case when there are no
PKCS #7: Cryptographic Message Syntax
authenticated attributes. authenticated attributes.
o encryptedContentInfo is the encrypted content, as o encryptedContentInfo is the encrypted content, as
in Section 10. It can have any of the defined in Section 10. It can have any of the defined
content types. content types.
o certificates is a set of PKCS #6 extended o certificates is a set of PKCS #6 extended
certificates and X.509 certificates, as in Section certificates and X.509 certificates, as in Section
9. 9.
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
o crls is a set of certificate-revocation lists, as o crls is a set of certificate-revocation lists, as
in Section 9. in Section 9.
o signerInfos is a collection of per-signer o signerInfos is a collection of per-signer
information. There must be at least one element in information. There must be at least one element in
the collection. SignerInfo values have the same the collection. SignerInfo values have the same
meaning as in Section 9 with the exception of the meaning as in Section 9 with the exception of the
encryptedDigest field (see below). encryptedDigest field (see below).
Notes. Notes.
skipping to change at page 27, line 4 skipping to change at page 26, line 44
process SignedAndEnvelopedData values of either process SignedAndEnvelopedData values of either
version as though they were version 1 values. It version as though they were version 1 values. It
is suggested that PKCS implementations generate is suggested that PKCS implementations generate
only version 1 SignedAndEnvelopedData values, but only version 1 SignedAndEnvelopedData values, but
be prepared to process SignedAndEnvelopedData be prepared to process SignedAndEnvelopedData
values of either version. values of either version.
11.2 Digest-encryption process 11.2 Digest-encryption process
The input to the digest-encryption process is the same as in Section The input to the digest-encryption process is the same as in Section
PKCS #7: Cryptographic Message Syntax
9, but the process itself is different. Specifically, the process 9, but the process itself is different. Specifically, the process
involves two steps. First, the input to the process is supplied to involves two steps. First, the input to the process is supplied to
the signer's digest- encryption algorithm, as in Section 9. Second, the signer's digest- encryption algorithm, as in Section 9. Second,
the result of the first step is encrypted with the content-encryption the result of the first step is encrypted with the content-encryption
key. There is no DER encoding between the two steps; the "value" key. There is no DER encoding between the two steps; the "value"
output by the first step is input directly to the second step. (See output by the first step is input directly to the second step. (See
Section 10.3 for discussion.) Section 10.3 for discussion.)
This process is compatible with the ENCRYPTED process type in This process is compatible with the ENCRYPTED process type in
Privacy-Enhanced Mail. Privacy-Enhanced Mail.
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
Note. The purpose of the second step is to prevent an adversary from Note. The purpose of the second step is to prevent an adversary from
recovering the message digest of the content. Otherwise, an recovering the message digest of the content. Otherwise, an
adversary would be able to determine which of a list of candidate adversary would be able to determine which of a list of candidate
contents (e.g., "Yes" or "No") is the actual content by comparing the contents (e.g., "Yes" or "No") is the actual content by comparing the
their message digests to the actual message digest. their message digests to the actual message digest.
11.3 Compatibility with Privacy-Enhanced Mail 11.3 Compatibility with Privacy-Enhanced Mail
Compatibility with the ENCRYPTED process type of PEM occurs when the Compatibility with the ENCRYPTED process type of PEM occurs when the
content type of the ContentInfo value being signed and enveloped is content type of the ContentInfo value being signed and enveloped is
data, the message-digest algorithm is md2 or md5, the content- data, the message-digest algorithm is md2 or md5, the content-
encryption algorithm is DES in CBC mode, the digest-encryption encryption algorithm is DES in CBC mode, the digest-encryption
algorithm is PKCS #1's rsaEncryption, and the key-encryption algorithm is PKCS #1's rsaEncryption, and the key-encryption
algorithm is PKCS #1's rsaEncryption. Under all those conditions, algorithm is PKCS #1's rsaEncryption. Under all those conditions,
the doubly encrypted message digest and the encrypted content the doubly encrypted message digest and the encrypted content
encryption key match the ones produced in PEM because of reasons encryption key match the ones produced in PEM because of reasons
similar to those given in Section 9.5, as well as the following: similar to those given in Section 9.5, as well as the following:
1. The value input to the content-encryption 1. The value input to the content-encryption
algorithm in PEM is the same as in this standard. algorithm in PEM is the same as in this document.
DES in CBC mode is the same as desCBC. DES in CBC mode is the same as desCBC.
2. The value input to the key-encryption algorithm in 2. The value input to the key-encryption algorithm in
PEM is the same as in this standard (see Section PEM is the same as in this document (see Section
10.4). RSA public-key encryption in PEM is the 10.4). RSA public-key encryption in PEM is the
same as PKCS #1's rsaEncryption. same as PKCS #1's rsaEncryption.
3. The double-encryption process applied to the 3. The double-encryption process applied to the
message digest in this standard and in PEM are the message digest in this document and in PEM are the
same. same.
The other parts of the signed-and-enveloped-data content type The other parts of the signed-and-enveloped-data content type
(certificates, CRLs, algorithm identifiers, etc.) are easily (certificates, CRLs, algorithm identifiers, etc.) are easily
translated to and from their corresponding PEM components. (CRLs are translated to and from their corresponding PEM components. (CRLs are
carried in a separate PEM message.) carried in a separate PEM message.)
12. Digested-data content type 12. Digested-data content type
PKCS #7: Cryptographic Message Syntax
The digested-data content type consists of content of any type and a The digested-data content type consists of content of any type and a
message digest of the content. message digest of the content.
It is expected that the typical application of the digested- data It is expected that the typical application of the digested- data
content type will be to add integrity to content of the data content content type will be to add integrity to content of the data content
type, and that the result would become the content input to the type, and that the result would become the content input to the
enveloped-data content type. enveloped-data content type.
The process by which digested-data is constructed involves the The process by which digested-data is constructed involves the
following steps: following steps:
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
1. A message digest is computed on the content with a 1. A message digest is computed on the content with a
message-digest algorithm. message-digest algorithm.
2. The message-digest algorithm and the message 2. The message-digest algorithm and the message
digest are collected together with the content digest are collected together with the content
into a DigestedData value. into a DigestedData value.
A recipient verifies the message digest by comparing the message A recipient verifies the message digest by comparing the message
digest to an independently computed message digest. digest to an independently computed message digest.
skipping to change at page 28, line 40 skipping to change at page 28, line 30
version Version, version Version,
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
contentInfo ContentInfo, contentInfo ContentInfo,
digest Digest } digest Digest }
Digest ::= OCTET STRING Digest ::= OCTET STRING
The fields of type DigestedData have the following meanings: The fields of type DigestedData have the following meanings:
o version is the syntax version number. It shall be o version is the syntax version number. It shall be
0 for this version of the standard. 0 for this version of the document.
o digestAlgorithm identifies the message-digest o digestAlgorithm identifies the message-digest
algorithm (and any associated parameters) under algorithm (and any associated parameters) under
which the content is digested. (The message- which the content is digested. (The message-
digesting process is the same as in Section 9 in digesting process is the same as in Section 9 in
the case when there are no authenticated the case when there are no authenticated
attributes.) attributes.)
o contentInfo is the content that is digested. It o contentInfo is the content that is digested. It
can have any of the defined content types. can have any of the defined content types.
o digest is the result of the message-digesting o digest is the result of the message-digesting
process. process.
PKCS #7: Cryptographic Message Syntax
Note. The fact that the digestAlgorithm field comes before the Note. The fact that the digestAlgorithm field comes before the
contentInfo field and the digest field comes after it makes it contentInfo field and the digest field comes after it makes it
possible to process a DigestedData value in a single pass. (Single- possible to process a DigestedData value in a single pass. (Single-
pass processing is described in Section 5.) pass processing is described in Section 5.)
13. Encrypted-data content type 13. Encrypted-data content type
The encrypted-data content type consists of encrypted content of any The encrypted-data content type consists of encrypted content of any
type. Unlike the enveloped-data content type, the encrypted-data type. Unlike the enveloped-data content type, the encrypted-data
content type has neither recipients nor encrypted content-encryption content type has neither recipients nor encrypted content-encryption
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
keys. Keys are assumed to be managed by other means. keys. Keys are assumed to be managed by other means.
It is expected that the typical application of the encrypted- data It is expected that the typical application of the encrypted- data
content type will be to encrypt content of the data content type for content type will be to encrypt content of the data content type for
local storage, perhaps where the encryption key is a password. local storage, perhaps where the encryption key is a password.
The encrypted-data content type shall have ASN.1 type EncryptedData: The encrypted-data content type shall have ASN.1 type EncryptedData:
EncryptedData ::= SEQUENCE { EncryptedData ::= SEQUENCE {
version Version, version Version,
encryptedContentInfo EncryptedContentInfo } encryptedContentInfo EncryptedContentInfo }
The fields of type EncryptedData have the following meanings: The fields of type EncryptedData have the following meanings:
o version is the syntax version number. It shall be o version is the syntax version number. It shall be
0 for this version of the standard. 0 for this version of the document.
o encryptedContentInfo is the encrypted content o encryptedContentInfo is the encrypted content
information, as in Section 10. information, as in Section 10.
14. Object identifiers 14. Object identifiers
This standard defines seven object identifiers: pkcs-7, data, This document defines seven object identifiers: pkcs-7, data,
signedData, envelopedData, signedAndEnvelopedData, digestedData, and signedData, envelopedData, signedAndEnvelopedData, digestedData, and
encryptedData. encryptedData.
The object identifier pkcs-7 identifies this standard. The object identifier pkcs-7 identifies this document.
pkcs-7 OBJECT IDENTIFIER ::= pkcs-7 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549) { iso(1) member-body(2) US(840) rsadsi(113549)
pkcs(1) 7 } pkcs(1) 7 }
The object identifiers data, signedData, envelopedData, The object identifiers data, signedData, envelopedData,
signedAndEnvelopedData, digestedData, and encryptedData, identify, signedAndEnvelopedData, digestedData, and encryptedData, identify,
respectively, the data, signed-data, enveloped- data, signed-and- respectively, the data, signed-data, enveloped- data, signed-and-
enveloped-data, digested-data, and encrypted-data content types enveloped-data, digested-data, and encrypted-data content types
defined in Sections 8-13. defined in Sections 8-13.
PKCS #7: Cryptographic Message Syntax data OBJECT IDENTIFIER ::= { pkcs-7 1 }
signedData OBJECT IDENTIFIER ::= { pkcs-7 2 }
data OBJECT IDENTIFIER ::= { pkcs-7 1 } signedData OBJECT IDENTIFIER envelopedData OBJECT IDENTIFIER ::= { pkcs-7 3 }
::= { pkcs-7 2 } envelopedData OBJECT IDENTIFIER ::= { pkcs-7 3 }
signedAndEnvelopedData OBJECT IDENTIFIER ::= signedAndEnvelopedData OBJECT IDENTIFIER ::=
{ pkcs-7 4 } digestedData OBJECT IDENTIFIER ::= { pkcs-7 5 } { pkcs-7 4 }
digestedData OBJECT IDENTIFIER ::= { pkcs-7 5 }
encryptedData OBJECT IDENTIFIER ::= { pkcs-7 6 } encryptedData OBJECT IDENTIFIER ::= { pkcs-7 6 }
These object identifiers are intended to be used in the contentType These object identifiers are intended to be used in the contentType
field of a value of type ContentInfo (see Section 5). The content field of a value of type ContentInfo (see Section 5). The content
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
field of that type, which has the content-type-specific syntax ANY field of that type, which has the content-type-specific syntax ANY
DEFINED BY contentType, would have ASN.1 type Data, SignedData, DEFINED BY contentType, would have ASN.1 type Data, SignedData,
EnvelopedData, SignedAndEnvelopedData, DigestedData, and EnvelopedData, SignedAndEnvelopedData, DigestedData, and
EncryptedData, respectively. These object identifiers are also EncryptedData, respectively. These object identifiers are also
intended to be used in a PKCS #9 content-type attribute. intended to be used in a PKCS #9 content-type attribute.
Revision history Revision history
Versions 1.0-1.3 Versions 1.0-1.3
skipping to change at page 31, line 4 skipping to change at page 30, line 44
added. added.
o Section 9.1: SignedData syntax is revised. The new o Section 9.1: SignedData syntax is revised. The new
version allows for the dissemination of version allows for the dissemination of
certificate-revocation lists along with certificate-revocation lists along with
signatures. It also allows for the dissemination signatures. It also allows for the dissemination
of certificates and certificate-revocation lists of certificates and certificate-revocation lists
alone, without any signatures. alone, without any signatures.
o Section 9.2: SignerInfo syntax is revised. The new o Section 9.2: SignerInfo syntax is revised. The new
PKCS #7: Cryptographic Message Syntax
version includes a message-digest encryption version includes a message-digest encryption
process compatible with Privacy-Enhanced Mail as process compatible with Privacy-Enhanced Mail as
specified in RFC 1423. specified in RFC 1423.
o Section 9.3: Meaning of "the DER encoding of the o Section 9.3: Meaning of "the DER encoding of the
authenticatedAttributes field" is clarified as authenticatedAttributes field" is clarified as
"the DER encoding of the Attributes value." "the DER encoding of the Attributes value."
RFC nnn PKCS #7: Cryptographic Message Syntax November 1993
o Section 10.3: Padding method for content- o Section 10.3: Padding method for content-
encryption algorithms is described. encryption algorithms is described.
o Section 11.1: SignedAndEnvelopedData syntax is o Section 11.1: SignedAndEnvelopedData syntax is
revised. The new version allows for the revised. The new version allows for the
dissemination of certificate-revocation lists. dissemination of certificate-revocation lists.
o Section 13: Encrypted-data content type is added. o Section 13: Encrypted-data content type is added.
This content type consists of encrypted content of This content type consists of encrypted content of
any type. any type.
o Section 14: encryptedData object identifier is o Section 14: encryptedData object identifier is
added. added.
Supersedes June 3, 1991 version, which was also published as NIST/OSI Supersedes June 3, 1991 version, which was also published as NIST/OSI
Implementors' Workshop document SEC-SIG-91-22. Implementors' Workshop document SEC-SIG-91-22.
Copyright Copyright
Copyright (C) 1991-1993 RSA Laboratories, a division of RSA Data Copyright (c) 1991-1993 RSA Laboratories, a division of RSA Data
Security, Inc. License to copy this document is granted provided that Security, Inc. Any substantial use of the text from this document
it is identified as "RSA Data Security, Inc. Public-Key Cryptography must acknowledge RSA Data Security, Inc. RSA Data Security, Inc.
Standards (PKCS)" in all material mentioning or referencing this requests that all material mentioning or referencing this document
document. identify this as "RSA Data Security, Inc. PKCS #7".
Author's Address Author's Address
RSA Laboratories Burt Kaliski
100 Marine Parkway RSA Laboratories East
Redwood City, CA 94065 USA 20 Crosby Drive
Tel: (415) 595-7703 Bedford, MA 01730
Fax: (415) 595-4126 (617) 687-7000
pkcs-editor@rsa.com burt@rsa.com
 End of changes. 96 change blocks. 
126 lines changed or deleted 128 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/