PKCS #7 Attributes

PKCS #7 is a cryptographic message syntax standard. A PKCS #7 message does not, by itself, constitute a certificate request, but it can encapsulate a PKCS #10 or CMC request in a ContentInfo ASN.1 structure by using one of the following content types. Encapsulation enables you to add extra functionality, such as multiple signatures, that is not otherwise available.

  • Data
  • SignedData
  • EnvelopedData
  • SignedAndEnvelopedData
  • DigestedData
  • EncryptedData

Attributes can be added to the authenticatedAttributes and unauthenticatedAttributes fields of the SignedData content type.

SignedData ::= SEQUENCE 
   version             INTEGER,
   digestAlgorithms    DigestAlgorithmIdentifiers,
   contentInfo         ContentInfo,
   certificates        [0] IMPLICIT Certificates OPTIONAL,
   crls                [1] IMPLICIT CertificateRevocationLists OPTIONAL,
   signerInfos         SignerInfos

SignerInfos ::= SET OF SignerInfo

SignerInfo ::= SEQUENCE 
    version                     INTEGER,
    sid                         CertIdentifier,
    digestAlgorithm             DigestAlgorithmIdentifier,
    authenticatedAttributes     [0] IMPLICIT Attributes OPTIONAL,
    digestEncryptionAlgorithm   DigestEncryptionAlgId,
    encryptedDigest             EncryptedDigest,
    unauthenticatedAttributes   [1] IMPLICIT Attributes

Attributes ::= SET OF Attribute

Attribute ::= SEQUENCE 
   type       EncodedObjectID,
   values     AttributeSetValue

The process required to archive a client's private key on a certification authority (CA) provides a comprehensive example of how authenticated (signed) attributes and the unauthenticated attributes can be used:

  • The client creates an IX509CertificateRequestPkcs10 object and adds appropriate data for the type of certificate being requested.
  • The client uses the PKCS #10 request to initialize an IX509CertificateRequestCmc object. The PKCS #10 request is placed into the TaggedRequest structure in the CMC request. For more information, see CMC Attributes.
  • The client encrypts a private key and uses it to initialize an IX509AttributeArchiveKey object. The new ArchiveKey attribute is encapsulated in an EnvelopedData structure.
    EnvelopedData ::= SEQUENCE 
        version                 INTEGER,
        recipientInfos          RecipientInfos,
        encryptedContentInfo    EncryptedContentInfo
    RecipientInfos ::= SET OF RecipientInfo
    EncryptedContentInfo ::= SEQUENCE 
        contentType                 ContentType,
        contentEncryptionAlgorithm  ContentEncryptionAlgId,
        encryptedContent            [0] IMPLICIT EncryptedContent OPTIONAL
    EncryptedContent ::= OCTET STRING
    RecipientInfo ::= SEQUENCE 
        version                 INTEGER,
        issuerAndSerialNumber   IssuerAndSerialNumber,
        keyEncryptionAlgorithm  KeyEncryptionAlgId,
        encryptedKey            EncryptedKey
  • The client creates a SHA-1 hash of the encrypted key and uses it to initialize an IX509AttributeArchiveKeyHash object.
  • The client retrieves the CryptAttributes collection from the CMC request and adds the ArchiveKey and the ArchiveKeyHash attributes to it. The attributes are placed into the TaggedAttributes structure of the CMC request.
  • The client uses the CMC request to initialize an IX509CertificateRequestPkcs7 object. This places the CMC request into the contentInfo field of the PKCS #7 SignedData structure.
  • The ArchiveKeyHash attribute is signed and placed in the authenticatedAttributes sequence of the SignerInfo structure.
  • The ArchiveKey attribute is placed in the unauthenticatedAttributes sequence of the SignerInfo structure associated with the primary signer of the PKCS #7 message.

Related topics

Supported Attributes



Community Additions