Redigera

Dela via


PKCS #7 Attributes

PKCS #7 is a cryptographic message syntax standard. A PKCS #7 message does not, by itself, constitute a certificate request, but it can encapsulate a PKCS #10 or CMC request in a ContentInfo ASN.1 structure by using one of the following content types. Encapsulation enables you to add extra functionality, such as multiple signatures, that is not otherwise available.

  • Data
  • SignedData
  • EnvelopedData
  • SignedAndEnvelopedData
  • DigestedData
  • EncryptedData

Attributes can be added to the authenticatedAttributes and unauthenticatedAttributes fields of the SignedData content type.

SignedData ::= SEQUENCE 
{
   version             INTEGER,
   digestAlgorithms    DigestAlgorithmIdentifiers,
   contentInfo         ContentInfo,
   certificates        [0] IMPLICIT Certificates OPTIONAL,
   crls                [1] IMPLICIT CertificateRevocationLists OPTIONAL,
   signerInfos         SignerInfos
}

SignerInfos ::= SET OF SignerInfo

SignerInfo ::= SEQUENCE 
{
    version                     INTEGER,
    sid                         CertIdentifier,
    digestAlgorithm             DigestAlgorithmIdentifier,
    authenticatedAttributes     [0] IMPLICIT Attributes OPTIONAL,
    digestEncryptionAlgorithm   DigestEncryptionAlgId,
    encryptedDigest             EncryptedDigest,
    unauthenticatedAttributes   [1] IMPLICIT Attributes
}

Attributes ::= SET OF Attribute

Attribute ::= SEQUENCE 
{
   type       EncodedObjectID,
   values     AttributeSetValue
}

The process required to archive a client's private key on a certification authority (CA) provides a comprehensive example of how authenticated (signed) attributes and the unauthenticated attributes can be used:

  • The client creates an IX509CertificateRequestPkcs10 object and adds appropriate data for the type of certificate being requested.

  • The client uses the PKCS #10 request to initialize an IX509CertificateRequestCmc object. The PKCS #10 request is placed into the TaggedRequest structure in the CMC request. For more information, see CMC Attributes.

  • The client encrypts a private key and uses it to initialize an IX509AttributeArchiveKey object. The new ArchiveKey attribute is encapsulated in an EnvelopedData structure.

    EnvelopedData ::= SEQUENCE 
    {
        version                 INTEGER,
        recipientInfos          RecipientInfos,
        encryptedContentInfo    EncryptedContentInfo
    } 
    
    RecipientInfos ::= SET OF RecipientInfo
    
    EncryptedContentInfo ::= SEQUENCE 
    {
        contentType                 ContentType,
        contentEncryptionAlgorithm  ContentEncryptionAlgId,
        encryptedContent            [0] IMPLICIT EncryptedContent OPTIONAL
    } 
    
    EncryptedContent ::= OCTET STRING
    
    RecipientInfo ::= SEQUENCE 
    {
        version                 INTEGER,
        issuerAndSerialNumber   IssuerAndSerialNumber,
        keyEncryptionAlgorithm  KeyEncryptionAlgId,
        encryptedKey            EncryptedKey
    } 
    
  • The client creates a SHA-1 hash of the encrypted key and uses it to initialize an IX509AttributeArchiveKeyHash object.

  • The client retrieves the CryptAttributes collection from the CMC request and adds the ArchiveKey and the ArchiveKeyHash attributes to it. The attributes are placed into the TaggedAttributes structure of the CMC request.

  • The client uses the CMC request to initialize an IX509CertificateRequestPkcs7 object. This places the CMC request into the contentInfo field of the PKCS #7 SignedData structure.

  • The ArchiveKeyHash attribute is signed and placed in the authenticatedAttributes sequence of the SignerInfo structure.

  • The ArchiveKey attribute is placed in the unauthenticatedAttributes sequence of the SignerInfo structure associated with the primary signer of the PKCS #7 message.

Supported Attributes