draft-ietf-smime-cms-04.txt   draft-ietf-smime-cms-05.txt
(Where the two drafts differ, both versions are shown, marked (-04) and (-05); text that is the same in both appears once.)

S/MIME Working Group                                       R. Housley
Internet Draft                                                 SPYRUS
expires in six months               March 1998 (-04) / May 1998 (-05)

Cryptographic Message Syntax
<draft-ietf-smime-cms-04.txt> (-04) / <draft-ietf-smime-cms-05.txt> (-05)
Status of this Memo

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Abstract

This document describes the Cryptographic Message Syntax. This
syntax is used to digitally sign, digest, authenticate, or encrypt
arbitrary messages.

The Cryptographic Message Syntax is derived from PKCS #7 version 1.5
[RFC 2315] (the [RFC 2315] citation is added in -05). Wherever
possible, backward compatibility is preserved; however, changes were
necessary to accommodate attribute certificate transfer and key
agreement techniques for key management.

This draft is being discussed on the "ietf-smime" mailing list. To
join the list, send a message to <ietf-smime-request@imc.org> with
the single word "subscribe" in the body of the message. Also, there
is a Web site for the mailing list at <http://www.imc.org/ietf-smime/>.

Acknowledgements (-05 only)

This document is the result of contributions from many professionals.
I appreciate the hard work of all members of the IETF S/MIME Working
Group. I extend a special thanks to Rich Ankney, Tim Dean, Steve
Dusse, Paul Hoffman, Scott Hollenbeck, Burt Kaliski, John Pawling,
Blake Ramsdell, Jim Schaad, and Dave Solo for their efforts and
support.
1 Introduction

This document describes the Cryptographic Message Syntax. This
syntax is used to digitally sign or encrypt arbitrary messages.

The Cryptographic Message Syntax describes an encapsulation syntax
for data protection. It supports digital signatures and encryption.
The syntax allows multiple encapsulation, so one encapsulation
envelope can be nested inside another. Likewise, one party can
digitally sign some previously encapsulated data. It also allows
arbitrary attributes, such as signing time, to be signed along with
the message content (-04: "to be authenticated along with the
message content"), and provides for other attributes such as
countersignatures to be associated with a signature.

The Cryptographic Message Syntax can support a variety of
architectures for certificate-based key management, such as the one
defined by the PKIX working group.

The Cryptographic Message Syntax values are generated using ASN.1,
using BER-encoding. Values are typically represented as octet
strings. While many systems are capable of transmitting arbitrary
octet strings reliably, it is well known that many electronic-mail

[skipping to change at page 2, line 43 (-04) / page 3, line 5 (-05)]
The Cryptographic Message Syntax is general enough to support many
different content types. This document defines six content types:
data, signed-data, enveloped-data, digested-data, encrypted-data, and
authenticated-data. Also, additional content types can be defined
outside this document.

An implementation that conforms to this specification must implement
the data, signed-data, and enveloped-data content types. The other
content types may be implemented if desired.

(-05 only) The Cryptographic Message Syntax exports one content type,
ContentInfo, as well as the various object identifiers.

As a general design philosophy, content types permit single pass
processing using indefinite-length Basic Encoding Rules (BER)
encoding. Single-pass operation is especially helpful if content is
large, stored on tapes, or is "piped" from another process. Single-
pass operation has one significant drawback: it is difficult to
perform encode operations using the Distinguished Encoding Rules
(DER) encoding in a single pass since the lengths of the various
components may not be known in advance.

(-04) Authenticated attributes within the signed-data content type
require DER encoding.

(-05) However, signed attributes within the signed-data content type
and authenticated attributes within the authenticated-data content
type require DER encoding. Signed attributes and authenticated
attributes must be transmitted in DER form to ensure that recipients
can validate a content that contains an unrecognized attribute.
3 General Syntax

The Cryptographic Message Syntax associates a protection content type
with a protection content. The syntax shall have ASN.1 type
ContentInfo:

   ContentInfo ::= SEQUENCE {
     contentType ContentType,
     content [0] EXPLICIT ANY DEFINED BY contentType }

[skipping to change at page 4, line 23 (-04) / page 4, line 32 (-05)]
Another typical application disseminates certificates and certificate
revocation lists (CRLs).

The process by which signed-data is constructed involves the
following steps:

   1. For each signer, a message digest, or hash value, is computed
   on the content with a signer-specific message-digest algorithm.
   If two signers employ the same message digest algorithm, then the
   message digest need be computed for only one of them. If the
   signer is signing any information other than the content, the
   message digest of the content and the other information are
   digested with the signer's message digest algorithm (see Section
   5.4), and the result becomes the "message digest." (-04 wording:
   "If the signer is authenticating any information other than the
   content (see Section 5.2), the message digest of the content and
   the other information are digested with the signer's message
   digest algorithm, and the result becomes the 'message digest.'")

   2. For each signer, the message digest is digitally signed using
   the signer's private key.

   3. For each signer, the signature value and other signer-specific
   information are collected into a SignerInfo value, as defined in
   Section 5.3 (-04: Section 5.2). Certificates and CRLs for each
   signer, and those not corresponding to any signer, are collected
   in this step.

   4. The message digest algorithms for all the signers and the
   SignerInfo values for all the signers are collected together with
   the content into a SignedData value, as defined in Section 5.1.

A recipient independently computes the message digest. This message
digest and the signer's public key are used to validate the signature
value. The signer's public key is referenced by an issuer
distinguished name and an issuer-specific serial number that uniquely

[skipping to change at page 5, line 25 (-04) / page 5, line 34 (-05)]
   SignedData ::= SEQUENCE {
     version Version,
     digestAlgorithms DigestAlgorithmIdentifiers,
     encapContentInfo EncapsulatedContentInfo,
     certificates [0] IMPLICIT CertificateSet OPTIONAL,
     crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
     signerInfos SignerInfos }

   DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

   (-04 only; -05 moves these two definitions to Section 5.2)
   EncapsulatedContentInfo ::= SEQUENCE {
     eContentType ContentType,
     eContent [0] EXPLICIT OCTET STRING OPTIONAL }

   ContentType ::= OBJECT IDENTIFIER

   SignerInfos ::= SET OF SignerInfo
The fields of type SignedData have the following meanings:

   version is the syntax version number. If no attribute
   certificates are present in the certificates field and the
   encapsulated content type is id-data, then the value of version
   shall be 1; however, if attribute certificates are present or the
   encapsulated content type is other than id-data, then the value of
   version shall be 3.

   digestAlgorithms is a collection of message digest algorithm
   identifiers. There may be any number of elements in the
   collection, including zero. Each element identifies the message
   digest algorithm, along with any associated parameters, used by
   one or more signer. The collection is intended to list the
   message digest algorithms employed by all of the signers, in any
   order, to facilitate one-pass signature verification. The message
   digesting process is described in Section 5.4 (-04: Section 5.3).

   (-04) encapContentInfo is the content that is signed. It is a
   sequence of a content type identifier and the content itself. An
   object identifier uniquely specifies the content type. The
   content itself is carried in an octet string.

   (-05) encapContentInfo is the signed content, consisting of a
   content type identifier and the content itself. Details of the
   EncapsulatedContentInfo type are discussed in section 5.2.

   certificates is a collection of certificates. It is intended that
   the set of certificates be sufficient to contain chains from a
   recognized "root" or "top-level certification authority" to all of
   the signers in the signerInfos field. There may be more
   certificates than necessary, and there may be certificates
   sufficient to contain chains from two or more independent top-
   level certification authorities. There may also be fewer
   certificates than necessary, if it is expected that recipients
   have an alternate means of obtaining necessary certificates (e.g.,

[skipping to change at page 6, line 29 (-04) / page 6, line 32 (-05)]
   present, then the value of version shall be 3.

   crls is a collection of certificate revocation lists (CRLs). It
   is intended that the set contain information sufficient to
   determine whether or not the certificates in the certificates
   field are valid, but such correspondence is not necessary. There
   may be more CRLs than necessary, and there may also be fewer CRLs
   than necessary.

   signerInfos is a collection of per-signer information. There may
   be any number of elements in the collection, including zero.
   (-04: "[*** Add forward reference ***]") (-05: "The details of
   the SignerInfo type are discussed in section 5.3.")

The optional omission of the eContent within the
EncapsulatedContentInfo field makes it possible to construct
"external signatures." In the case of external signatures, the
content being signed is absent from the EncapsulatedContentInfo value
included in the signed-data content type. If the eContent value
within EncapsulatedContentInfo is absent, then the signatureValue is
calculated and the eContentType is assigned as though the eContent
value was present.

In the degenerate case where there are no signers, the
EncapsulatedContentInfo value being "signed" is irrelevant. In this
case, the content type within the EncapsulatedContentInfo value being
"signed" should be id-data (as defined in section 4), and the content
field of the EncapsulatedContentInfo value should be omitted.
(-04) [*** Add a separate "break out" of EncapsulatedContentInfo. ***]

(-05 only) 5.2 EncapsulatedContentInfo Type

   EncapsulatedContentInfo ::= SEQUENCE {
     eContentType ContentType,
     eContent [0] EXPLICIT OCTET STRING OPTIONAL }

   ContentType ::= OBJECT IDENTIFIER

The fields of type EncapsulatedContentInfo have the following
meanings:

   eContentType is an object identifier that uniquely specifies the
   content type.

   eContent is the content itself, carried as an octet string. The
   eContent need not be DER encoded.

5.2 SignerInfo Type (-04) / 5.3 SignerInfo Type (-05)

Per-signer information is represented in the type SignerInfo:
(-04)
   SignerInfo ::= SEQUENCE {
     version Version,
     issuerAndSerialNumber IssuerAndSerialNumber,
     digestAlgorithm DigestAlgorithmIdentifier,
     authenticatedAttributes [0] IMPLICIT AuthAttributes OPTIONAL,
     signatureAlgorithm SignatureAlgorithmIdentifier,
     signature SignatureValue,
     unauthenticatedAttributes [1] IMPLICIT UnauthAttributes OPTIONAL }

   AuthAttributes ::= SET SIZE (1..MAX) OF AuthAttribute

   AuthAttribute ::= SEQUENCE {
     attrType OBJECT IDENTIFIER,
     critical BOOLEAN DEFAULT FALSE,
     attrValues SET OF AttributeValue }

   UnauthAttributes ::= SET SIZE (1..MAX) OF UnauthAttribute

   UnauthAttribute ::= SEQUENCE {
     attrType OBJECT IDENTIFIER,
     attrValues SET OF AttributeValue }

   AttributeValue ::= ANY

   SignatureValue ::= OCTET STRING

(-05)
   SignerInfo ::= SEQUENCE {
     version Version,
     issuerAndSerialNumber IssuerAndSerialNumber,
     digestAlgorithm DigestAlgorithmIdentifier,
     signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
     signatureAlgorithm SignatureAlgorithmIdentifier,
     signature SignatureValue,
     unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

   SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

   UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

   Attribute ::= SEQUENCE {
     attrType OBJECT IDENTIFIER,
     attrValues SET OF AttributeValue }

   AttributeValue ::= ANY

   SignatureValue ::= OCTET STRING
The fields of type SignerInfo have the following meanings:

   version is the syntax version number.
   (-04) If any of the authenticated attributes are critical, then
   the version shall be 3. If all of the authenticated attributes
   are non-critical, then the version shall be 1. If the
   authenticatedAttributes field is absent, then version shall be 1.
   (-05) It shall be 1.

   issuerAndSerialNumber specifies the signer's certificate (and
   thereby the signer's public key) by issuer distinguished name and
   issuer-specific serial number.

   digestAlgorithm identifies the message digest algorithm, and any
   associated parameters, used by the signer. The message digest is
   computed over the encapsulated content and signed attributes
   (-04: "authenticated attributes"), if present. The message digest
   algorithm should be among those listed in the digestAlgorithms
   field of the associated SignedData. The message digesting process
   is described in Section 5.4 (-04: Section 5.3).

   (-04) authenticatedAttributes is a collection of attributes that
   are signed. The field is optional, but it must be present if the
   content type of the EncapsulatedContentInfo value being signed is
   not data. The field may include critical and non-critical
   attributes. Useful attribute types, such as signing time, are
   defined in Section 11. If the field is present, it must contain,
   at a minimum, the following two attributes:

   (-05) signedAttributes is a collection of attributes that are
   signed. The field is optional, but it must be present if the
   content type of the EncapsulatedContentInfo value being signed is
   not id-data. Each SignedAttribute in the SET must be DER encoded.
   Useful attribute types, such as signing time, are defined in
   Section 11. If the field is present, it must contain, at a
   minimum, the following two attributes:

      A content-type attribute having as its value the content type
      of the EncapsulatedContentInfo value being signed. Section
      11.1 defines the content-type attribute.

      A message-digest attribute, having as its value the message
      digest of the content. Section 11.2 defines the message-digest
      attribute.

   signatureAlgorithm identifies the signature algorithm, and any
   associated parameters, used by the signer to generate the digital
   signature.

   signature is the result of digital signature generation, using the
   message digest and the signer's private key.

   (-04) unauthenticatedAttributes is a collection of attributes that
   are not signed. The field is optional, and it may not include
   critical attributes. Useful attribute types, such as
   countersignatures, are defined in Section 11.

   (-05) unsignedAttributes is a collection of attributes that are
   not signed. The field is optional. Useful attribute types, such
   as countersignatures, are defined in Section 11.

The fields of type AuthAttribute and UnauthAttribute (-04) /
SignedAttribute and UnsignedAttribute (-05) have the following
meanings:

   attrType indicates the type of attribute. It is an object
   identifier.

   (-04 only) critical is a boolean value. TRUE indicates that the
   attribute is critical, and FALSE indicates that the attribute is
   non-critical. A recipient must reject the signed-data if it
   encounters a critical attribute that it does not recognize;
   however, an unrecognized non-critical attribute may be ignored.
   Authenticated attributes may be critical or non-critical.
   Unauthenticated attributes are always non-critical. Caution
   should be exercised in adopting any critical attributes, which
   might reduce interoperability.

   attrValues is a set of values that comprise the attribute. The
   type of each value in the set can be determined uniquely by
   attrType.
5.3 (-04) / 5.4 (-05) Message Digest Calculation Process

(The -05 text follows; -04 reads "authenticatedAttributes",
"AuthAttributes" and "the signer's authenticated attributes" wherever
-05 reads "signedAttributes", "SignedAttributes" and "the signed
attributes".)

The message digest calculation process computes a message digest on
either the content being signed or the content together with the
signed attributes. In either case, the initial input to the message
digest calculation process is the "value" of the encapsulated content
being signed. Specifically, the initial input is the
encapContentInfo eContent OCTET STRING to which the signing process
is applied. Only the octets comprising the value of the eContent
OCTET STRING are input to the message digest algorithm, not the tag
or the length octets.

The result of the message digest calculation process depends on
whether the signedAttributes field is present. When the field is
absent, the result is just the message digest of the content as
described above. When the field is present, however, the result is
the message digest of the complete DER encoding of the
SignedAttributes value contained in the signedAttributes field.
Since the SignedAttributes value, when present, must contain the
content type and the content message digest attributes, those values
are indirectly included in the result. A separate encoding of the
signedAttributes field is performed for message digest calculation.
The IMPLICIT [0] tag in the signedAttributes field is not used for
the DER encoding, rather an EXPLICIT SET OF tag is used. That is,
the DER encoding of the SET OF tag, rather than of the IMPLICIT [0]
tag, is to be included in the message digest calculation along with
the length and content octets of the SignedAttributes value.

When the signedAttributes field is absent, then only the octets
comprising the value of the signedData encapContentInfo eContent
OCTET STRING (e.g., the contents of a file) are input to the message
digest calculation. This has the advantage that the length of the
content being signed need not be known in advance of the signature
generation process.

Although the encapContentInfo eContent OCTET STRING tag and length
octets are not included in the message digest calculation, they are
still protected by other means. The length octets are protected by
the nature of the message digest algorithm since it is
computationally infeasible to find any two distinct messages of any
length that have the same message digest.
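The digest calculation described above, together with step 1 of the signed-data construction in Section 5 and the recipient-side check in the signature validation section, as an added example that is not code from the draft. It uses a minimal hand-written DER encoder so it runs with the Python standard library only; the attribute object identifiers (id-data, id-contentType, id-messageDigest) are the PKCS #7 / PKCS #9 values the draft's Section 11 refers to, SHA-256 stands in for the signer's digest algorithm, and the sample content is constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# PKCS #7 / PKCS #9 object identifiers (the attributes defined by the draft's Section 11).
ID_DATA = "1.2.840.113549.1.7.1"
ID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
ID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"

TAG_SET_OF = 0x31         # universal SET OF, constructed: the tag used for digesting
TAG_CTX0_IMPLICIT = 0xA0  # [0] IMPLICIT, constructed: the tag carried inside SignerInfo


def der_length(n: int) -> bytes:
    """DER definite-length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element (single-octet tags only)."""
    return bytes([tag]) + der_length(len(value)) + value


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def der_set_of(elements) -> bytes:
    """SET OF in DER: members sorted by their encodings, wrapped with tag 0x31."""
    return tlv(TAG_SET_OF, b"".join(sorted(elements)))


def attribute(attr_type: str, value_der: bytes) -> bytes:
    """Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF AttributeValue }"""
    return tlv(0x30, der_oid(attr_type) + der_set_of([value_der]))


def signed_attributes(econtent_type: str, content_digest: bytes) -> bytes:
    """SignedAttributes with the two mandatory attributes (content-type, message-digest),
    DER encoded with the universal SET OF tag: exactly the octets the digest covers."""
    return der_set_of([
        attribute(ID_CONTENT_TYPE, der_oid(econtent_type)),
        attribute(ID_MESSAGE_DIGEST, tlv(0x04, content_digest)),
    ])


def as_signer_info_field(set_der: bytes) -> bytes:
    """The same value as it appears in SignerInfo: [0] IMPLICIT replaces the SET OF tag."""
    return bytes([TAG_CTX0_IMPLICIT]) + set_der[1:]


def message_digest(econtent: bytes, with_signed_attrs: bool,
                   econtent_type: str = ID_DATA, algo: str = "sha256") -> bytes:
    """Signer side: the 'message digest' handed to the signature algorithm. Only the
    eContent value octets are hashed, never its tag or length octets."""
    content_digest = hashlib.new(algo, econtent).digest()
    if not with_signed_attrs:
        return content_digest
    return hashlib.new(algo, signed_attributes(econtent_type, content_digest)).digest()


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for one DER element."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def find_message_digest_attr(signed_attrs_field: bytes) -> Optional[bytes]:
    """Walk the attributes inside the [0] IMPLICIT field; return the messageDigest value."""
    _, attrs, _ = read_tlv(signed_attrs_field)
    want, pos = der_oid(ID_MESSAGE_DIGEST), 0
    while pos < len(attrs):
        _, attr, pos = read_tlv(attrs, pos)
        if attr.startswith(want):
            _, values, _ = read_tlv(attr, len(want))
            return read_tlv(values)[1]
    return None


def recipient_digest(econtent: bytes, signed_attrs_field: bytes, algo: str = "sha256"):
    """Recipient side: recompute the content digest independently (never trust the
    originator's value), compare it in constant time with the messageDigest attribute,
    and return the digest over the re-tagged SET OF that the signature is verified against."""
    content_digest = hashlib.new(algo, econtent).digest()
    claimed = find_message_digest_attr(signed_attrs_field)
    attr_ok = claimed is not None and hmac.compare_digest(claimed, content_digest)
    retagged = bytes([TAG_SET_OF]) + signed_attrs_field[1:]
    return attr_ok, hashlib.new(algo, retagged).digest()
```

The re-tagging is the part implementations most often get wrong: the octets inside SignerInfo start with 0xA0, but both the signer and the recipient hash a copy whose first octet is 0x31, with the length and content octets unchanged. Because the content digest is recomputed on the recipient side and compared with the attribute, a modified eContent fails the attribute check before any signature verification is attempted.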
5.4 (-04) / 5.5 (-05) Message Signature Generation Process

The input to the signature generation process includes the result of
the message digest calculation process and the signer's private key.
The details of the signature generation depend on the signature
algorithm employed. The object identifier, along with any
parameters, that specifies the signature algorithm employed by the
signer is carried in the signatureAlgorithm field. The signature
value generated by the signer is encoded as an OCTET STRING and
carried in the signature field.

5.5 (-04) / 5.6 (-05) Message Signature Validation Process

The input to the signature validation process includes the result of
the message digest calculation process and the signer's public key.
The details of the signature validation depend on the signature
algorithm employed.

The recipient may not rely on any message digest values computed by
the originator. If the signedData signerInfo includes
signedAttributes (-04: authenticatedAttributes), then the content
message digest must be calculated as described in section 5.4 (-04:
section 5.3). For the signature to be valid, the message digest
value calculated by the recipient must be the same as the value of
the messageDigest attribute included in the signedAttributes (-04:
authenticatedAttributes) of the signedData signerInfo.
6 Enveloped-data Content Type 6 Enveloped-data Content Type
The enveloped-data content type consists of an encrypted content of The enveloped-data content type consists of an encrypted content of
any type and encrypted content-encryption keys for one or more any type and encrypted content-encryption keys for one or more
recipients. The combination of the encrypted content and one recipients. The combination of the encrypted content and one
encrypted content-encryption key for a recipient is a "digital encrypted content-encryption key for a recipient is a "digital
envelope" for that recipient. Any type of content can be enveloped envelope" for that recipient. Any type of content can be enveloped
for an arbitrary number of recipients. for an arbitrary number of recipients.
skipping to change at page 12, line 4 (draft-04) / page 11, line 45 (draft-05)

   id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

The enveloped-data content type shall have ASN.1 type EnvelopedData:

   EnvelopedData ::= SEQUENCE {
     version Version,
     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
     recipientInfos RecipientInfos,
     encryptedContentInfo EncryptedContentInfo }

draft-04:
   OriginatorInfo ::= SEQUENCE {
     certs [0] IMPLICIT CertificateSet OPTIONAL,
     crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
     ukms [2] IMPLICIT UserKeyingMaterials OPTIONAL }

draft-05:
   OriginatorInfo ::= SEQUENCE {
     certs [0] IMPLICIT CertificateSet OPTIONAL,
     crls [1] IMPLICIT CertificateRevocationLists OPTIONAL }

   RecipientInfos ::= SET OF RecipientInfo

   EncryptedContentInfo ::= SEQUENCE {
     contentType ContentType,
     contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
     encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }

   EncryptedContent ::= OCTET STRING

The fields of type EnvelopedData have the following meanings:

draft-04:
   version is the syntax version number. If originatorInfo is
   present, then version shall be 2. If any of the RecipientInfo
   structures included have a version of 2, then the version shall be
   2. If originatorInfo is absent and all of the RecipientInfo
   structures are version 0, then version shall be 0.

draft-05:
   version is the syntax version number. If originatorInfo is
   present, then version shall be 2. If any of the RecipientInfo
   structures included have a version other than 0, then the version
   shall be 2. If originatorInfo is absent and all of the
   RecipientInfo structures are version 0, then version shall be 0.

   originatorInfo optionally provides information about the
   originator. It is present only if required by the key management
   algorithm. It may contain certificates, CRLs, and user keying
   material (UKMs) (draft-05: certificates and CRLs only):

      certs is a collection of certificates. certs may contain
      originator certificates associated with several different key
      management algorithms. The certificates contained in certs are
      intended to be sufficient to make chains from a recognized
      "root" or "top-level certification authority" to all
      recipients. However, certs may contain more certificates than
      necessary, and there may be certificates sufficient to make
      chains from two or more independent top-level certification
      authorities. Alternatively, certs may contain fewer
      certificates than necessary, if it is expected that recipients
      have an alternate means of obtaining necessary certificates
      (e.g., from a previous set of certificates).

      crls is a collection of CRLs. It is intended that the set
      contain information sufficient to determine whether or not the
      certificates in the certs field are valid, but such
      correspondence is not necessary. There may be more CRLs than
      necessary, and there may also be fewer CRLs than necessary.

      ukms (draft-04 only) is a collection of UKMs. The set includes
      a UKM for each key management algorithm employed by the
      originator that requires one. In general, several recipients
      will use each UKM in the set.

   recipientInfos is a collection of per-recipient information.
   There must be at least one element in the collection.

   encryptedContentInfo is the encrypted content information.

The fields of type EncryptedContentInfo have the following meanings:

   contentType indicates the type of content.

   contentEncryptionAlgorithm identifies the content-encryption

skipping to change at page 13, line 30 (draft-04) / page 13, line 17 (draft-05)

   encryptedContent is the result of encrypting the content. The
   field is optional, and if the field is not present, its intended
   value must be supplied by other means.

The recipientInfos field comes before the encryptedContentInfo field
so that an EnvelopedData value may be processed in a single pass.
6.2 RecipientInfo Type

draft-04:

Per-recipient information is represented in the type RecipientInfo:

   RecipientInfo ::= SEQUENCE {
     version Version,
     rid RecipientIdentifier,
     originatorCert [0] EXPLICIT EntityIdentifier OPTIONAL,
     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
     encryptedKey EncryptedKey }

   RecipientIdentifier ::= CHOICE {
     issuerAndSerialNumber IssuerAndSerialNumber,
     rKeyId [0] IMPLICIT RecipientKeyIdentifier,
     mlKeyId [1] IMPLICIT MailListKeyIdentifier }

   RecipientKeyIdentifier ::= SEQUENCE {
     subjectKeyIdentifier SubjectKeyIdentifier,
     date GeneralizedTime OPTIONAL,
     other OtherKeyAttribute OPTIONAL }

   MailListKeyIdentifier ::= SEQUENCE {
     kekIdentifier OCTET STRING,
     date GeneralizedTime OPTIONAL,
     other OtherKeyAttribute OPTIONAL }

   EntityIdentifier ::= CHOICE {
     issuerAndSerialNumber IssuerAndSerialNumber,
     subjectKeyIdentifier SubjectKeyIdentifier }

   SubjectKeyIdentifier ::= OCTET STRING

   EncryptedKey ::= OCTET STRING

The fields of type RecipientInfo have the following meanings:

   version is the syntax version number. If the OriginatorCert is
   absent and the RecipientIdentifier is the CHOICE
   issuerAndSerialNumber, then the version shall be 0. If the
   OriginatorCert is present or the RecipientIdentifier is either the
   CHOICE rKeyId or mlKeyId, then the version shall be 2.

   rid specifies the recipient's certificate or key that was used by
   the sender to protect the content-encryption key.

   originatorCert optionally specifies the originator's certificate
   to be used by this recipient. This field should be included when
   the originator has more than one certificate containing a public
   key associated with the key management algorithm used for this
   recipient.

   keyEncryptionAlgorithm identifies the key-encryption algorithm,
   and any associated parameters, used to encrypt the content-
   encryption key for the recipient. The key-encryption process is
   described in Section 6.4.

   encryptedKey is the result of encrypting the content-encryption
   key for the recipient.

The RecipientIdentifier is a CHOICE with three alternatives. The
first two alternatives, issuerAndSerialNumber and rKeyId, specify
the recipient's certificate, and thereby the recipient's public key.
The rKeyId alternative may optionally specify other parameters
needed, such as the date. If the recipient's certificate contains a
key transport public key, then the content-encryption key is
encrypted with the recipient's public key. If the recipient's
certificate contains a key agreement public key, then a pairwise
symmetric key is established and used to encrypt the content-
encryption key. The third alternative, mlKeyId, specifies a
symmetric key-encryption key that was previously distributed to the
sender and recipient.

The fields of type RecipientKeyIdentifier have the following
meanings:

   subjectKeyIdentifier identifies the recipient's certificate by the
   X.509 subjectKeyIdentifier extension value.

   date is optional. When present, the date specifies which of the
   recipient's UKMs was used by the sender.

   other is optional. When present, this field contains additional
   information used by the recipient to locate the keying material
   used by the sender.

The fields of type MailListKeyIdentifier have the following meanings:

   kekIdentifier identifies the key-encryption key that was
   previously distributed to the sender and the recipient.

   date is optional. When present, the date specifies a single key-
   encryption key from a set that was previously distributed to the
   sender and the recipient.

   other is optional. When present, this field contains additional
   information used by the recipient to locate the keying material
   used by the sender.

draft-05:

Per-recipient information is represented in the type RecipientInfo.
RecipientInfo has a different format for the three key management
techniques that are supported: key transport, key agreement, and
previously distributed mail list keys. In all cases, the content-
encryption key is transferred to one or more recipients in encrypted
form.

   RecipientInfo ::= CHOICE {
     ktri KeyTransRecipientInfo,
     kari KeyAgreeRecipientInfo,
     mlri MailListRecipientInfo }

   EncryptedKey ::= OCTET STRING

6.2.1 KeyTransRecipientInfo Type

Per-recipient information using key transport is represented in the
type KeyTransRecipientInfo. Each instance of KeyTransRecipientInfo
transfers the content-encryption key to one recipient.

   KeyTransRecipientInfo ::= SEQUENCE {
     version Version, -- always set to 0 or 2
     rid EntityIdentifier,
     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
     encryptedKey EncryptedKey }

   EntityIdentifier ::= CHOICE {
     issuerAndSerialNumber IssuerAndSerialNumber,
     subjectKeyIdentifier [0] SubjectKeyIdentifier }

The fields of type KeyTransRecipientInfo have the following meanings:

   version is the syntax version number. If the rid is the CHOICE
   issuerAndSerialNumber, then the version shall be 0. If the rid
   is the CHOICE subjectKeyIdentifier, then the version shall be 2.

   rid specifies the recipient's certificate or key that was used by
   the sender to protect the content-encryption key.

   keyEncryptionAlgorithm identifies the key-encryption algorithm,
   and any associated parameters, used to encrypt the content-
   encryption key for the recipient. The key-encryption process is
   described in Section 6.4.

   encryptedKey is the result of encrypting the content-encryption
   key for the recipient.

The EntityIdentifier is a CHOICE with two alternatives specifying the
recipient's certificate, and thereby the recipient's public key. The
recipient's certificate must contain a key transport public key. The
content-encryption key is encrypted with the recipient's public key.
The issuerAndSerialNumber alternative identifies the recipient's
certificate by the issuer's distinguished name and the certificate
serial number; the subjectKeyIdentifier alternative identifies the
recipient's certificate by the X.509 subjectKeyIdentifier extension
value.

6.2.2 KeyAgreeRecipientInfo Type

Recipient information using key agreement is represented in the type
KeyAgreeRecipientInfo. Each instance of KeyAgreeRecipientInfo will
transfer the content-encryption key to one or more recipients.

   KeyAgreeRecipientInfo ::= SEQUENCE {
     version Version, -- always set to 3
     originatorCert [0] EXPLICIT EntityIdentifier,
     ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
     recipientEncryptedKeys RecipientEncryptedKeys }

   RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

   RecipientEncryptedKey ::= SEQUENCE {
     rid RecipientIdentifier,
     encryptedKey EncryptedKey }

   RecipientIdentifier ::= CHOICE {
     issuerAndSerialNumber IssuerAndSerialNumber,
     rKeyId [0] IMPLICIT RecipientKeyIdentifier }

   RecipientKeyIdentifier ::= SEQUENCE {
     subjectKeyIdentifier SubjectKeyIdentifier,
     date GeneralizedTime OPTIONAL,
     other OtherKeyAttribute OPTIONAL }

   SubjectKeyIdentifier ::= OCTET STRING

The fields of type KeyAgreeRecipientInfo have the following meanings:

   version is the syntax version number. It shall always be 3.

   originatorCert is a CHOICE with two alternatives specifying the
   sender's certificate, and thereby the sender's public key. The
   sender's certificate must contain a key agreement public key, and
   the sender uses the corresponding private key and the recipient's
   public key to generate a pairwise key. The content-encryption key
   is encrypted in the pairwise key. The issuerAndSerialNumber
   alternative identifies the sender's certificate by the issuer's
   distinguished name and the certificate serial number; the
   subjectKeyIdentifier alternative identifies the sender's
   certificate by the X.509 subjectKeyIdentifier extension value.

   ukm is optional. With some key agreement algorithms, the sender
   provides a User Keying Material (UKM) to ensure that a different
   key is generated each time the same two parties generate a
   pairwise key.

   keyEncryptionAlgorithm identifies the key-encryption algorithm,
   and any associated parameters, used to encrypt the content-
   encryption key in the key-encryption key. The key-encryption
   process is described in Section 6.4.

   recipientEncryptedKeys includes a recipient identifier and the
   encrypted key for one or more recipients. The RecipientIdentifier
   is a CHOICE with two alternatives specifying the recipient's
   certificate, and thereby the recipient's public key, that was used
   by the sender to generate a pairwise key. The recipient's
   certificate must contain a key agreement public key. The
   content-encryption key is encrypted in the pairwise key. The
   issuerAndSerialNumber alternative identifies the recipient's
   certificate by the issuer's distinguished name and the certificate
   serial number; the RecipientKeyIdentifier is described below. The
   encryptedKey is the result of encrypting the content-encryption
   key in the pairwise key generated using the key agreement
   algorithm.

The fields of type RecipientKeyIdentifier have the following
meanings:

   subjectKeyIdentifier identifies the recipient's certificate by the
   X.509 subjectKeyIdentifier extension value.

   date is optional. When present, the date specifies which of the
   recipient's previously distributed UKMs was used by the sender.

   other is optional. When present, this field contains additional
   information used by the recipient to locate the public keying
   material used by the sender.

6.2.3 MailListRecipientInfo Type

Recipient information using previously distributed symmetric keys is
represented in the type MailListRecipientInfo. Each instance of
MailListRecipientInfo will transfer the content-encryption key to one
or more recipients who have the previously distributed key-encryption
key.

   MailListRecipientInfo ::= SEQUENCE {
     version Version, -- always set to 4
     mlid MailListKeyIdentifier,
     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
     encryptedKey EncryptedKey }

   MailListKeyIdentifier ::= SEQUENCE {
     kekIdentifier OCTET STRING,
     date GeneralizedTime OPTIONAL,
     other OtherKeyAttribute OPTIONAL }

The fields of type MailListRecipientInfo have the following meanings:

   version is the syntax version number. It shall always be 4.

   mlid specifies a symmetric key-encryption key that was
   previously distributed to the sender and one or more recipients.

   keyEncryptionAlgorithm identifies the key-encryption algorithm,
   and any associated parameters, used to encrypt the content-
   encryption key in the key-encryption key. The key-encryption
   process is described in Section 6.4.

   encryptedKey is the result of encrypting the content-encryption
   key in the key-encryption key.

The fields of type MailListKeyIdentifier have the following meanings:

   kekIdentifier identifies the key-encryption key that was
   previously distributed to the sender and one or more recipients.

   date is optional. When present, the date specifies a single key-
   encryption key from a set that was previously distributed.

   other is optional. When present, this field contains additional
   information used by the recipient to determine the key-encryption
   key used by the sender.
6.3 Content-encryption Process

The content-encryption key for the desired content-encryption
algorithm is randomly generated. The data to be protected is padded
as described below, then the padded data is encrypted using the
content-encryption key. The encryption operation maps an arbitrary
string of octets (the data) to another string of octets (the
ciphertext) under control of a content-encryption key. The encrypted
data is included in the envelopedData encryptedContentInfo

skipping to change at page 17, line 24 (draft-04) / page 18, line 47 (draft-05)

     digest Digest }

   Digest ::= OCTET STRING

The fields of type DigestedData have the following meanings:

   version is the syntax version number. It shall be 0.

   digestAlgorithm identifies the message digest algorithm, and any
   associated parameters, under which the content is digested. The
   message-digesting process is the same as in Section 5.3 in the
   case when there are no authenticated attributes (draft-05: the
   same as in Section 5.4 in the case when there are no signed
   attributes).

   encapContentInfo is the content that is digested, as defined in
   section 5.1 (draft-05: section 5.2).

   digest is the result of the message-digesting process.

The ordering of the digestAlgorithm field, the encapContentInfo
field, and the digest field makes it possible to process a
DigestedData value in a single pass.

8 Encrypted-data Content Type

The encrypted-data content type consists of encrypted content of any

skipping to change at page 18, line 27 (draft-04) / page 19, line 51 (draft-05)

9 Authenticated-data Content Type

The authenticated-data content type consists of content of any type,
a message authentication code (MAC), and encrypted authentication
keys for one or more recipients. The combination of the MAC and one
encrypted authentication key for a recipient is necessary for that
recipient to validate the integrity of the content. Any type of
content can be integrity protected for an arbitrary number of
recipients.
draft-04:
[*** Add processing steps ***]

draft-05:
The process by which authenticated-data is constructed involves the
following steps:

   1. A message-authentication key for a particular message-
   authentication algorithm is generated at random.

   2. The message-authentication key is encrypted for each
   recipient. The details of this encryption depend on the key
   management algorithm used.

   3. For each recipient, the encrypted message-authentication key
   and other recipient-specific information are collected into a
   RecipientInfo value, defined in Section 6.2.

   4. Using the message-authentication key, the originator computes
   a MAC value on the content. If the originator is authenticating
   any information in addition to the content (see Section 9.2), the
   MAC value of the content and the other information are generated
   using the same message authentication code algorithm and key, and
   the result becomes the "MAC value."
9.1 AuthenticatedData Type

The following object identifier identifies the authenticated-data
content type:

   id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
       ct(1) 2 }

The authenticated-data content type shall have ASN.1 type
AuthenticatedData:

draft-04:
   AuthenticatedData ::= SEQUENCE {
     version Version,
     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
     recipientInfos RecipientInfos,
     macAlgorithm MessageAuthenticationCodeAlgorithm,
     encapContentInfo EncapsulatedContentInfo,
     mac MessageAuthenticationCode }

draft-05:
   AuthenticatedData ::= SEQUENCE {
     version Version,
     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
     recipientInfos RecipientInfos,
     macAlgorithm MessageAuthenticationCodeAlgorithm,
     encapContentInfo EncapsulatedContentInfo,
     authenticatedAttributes [1] IMPLICIT AuthAttributes OPTIONAL,
     mac MessageAuthenticationCode,
     unauthenticatedAttributes [2] IMPLICIT UnauthAttributes OPTIONAL }

   AuthAttributes ::= SET SIZE (1..MAX) OF Attribute

   UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute

   MessageAuthenticationCode ::= OCTET STRING

The fields of type AuthenticatedData have the following meanings:

   version is the syntax version number. It shall be 0.

   originatorInfo optionally provides information about the
   originator. It is present only if required by the key management
   algorithm. It may contain certificates, CRLs, and user keying

skipping to change at page 19, line 23 (draft-04) / page 21, line 23 (draft-05)

   defined in Section 6.1. There must be at least one element in the
   collection.

   macAlgorithm is a message authentication code algorithm
   identifier. It identifies the message authentication code
   algorithm, along with any associated parameters, used by the
   originator. Placement of the macAlgorithm field facilitates one-
   pass processing by the recipient.

   encapContentInfo is the content that is authenticated, as defined
   in section 5.1 (draft-05: section 5.2).

   authenticatedAttributes (draft-05 only) is a collection of
   attributes that are authenticated. The field is optional, but it
   must be present if the content type of the EncapsulatedContentInfo
   value being authenticated is not id-data. Each
   AuthenticatedAttribute in the SET must be DER encoded. Useful
   attribute types are defined in Section 11. If the field is
   present, it must contain, at a minimum, the following two
   attributes:

      A content-type attribute having as its value the content type
      of the EncapsulatedContentInfo value being authenticated.
      Section 11.1 defines the content-type attribute.

      A mac-value attribute, having as its value the message
      authentication code of the content. Section 11.5 defines the
      mac-value attribute.

   mac is the message authentication code.

   unauthenticatedAttributes (draft-05 only) is a collection of
   attributes that are not authenticated. The field is optional.
   Useful attribute types are defined in Section 11.
9.2 MAC Generation

The MAC calculation process computes a message authentication code on
either the message content or the content together with the
originator's authenticated attributes.

If there are no authenticated attributes, the MAC input data is the
content octets of the DER encoding of the content field of the
ContentInfo value to which the MAC process is applied. Only the
contents octets of the DER encoding of that field are input to the
MAC algorithm, not the identifier octets or the length octets.

draft-04:
If authenticated attributes are present, they must include the
contentType and messageDigest attributes (as described in Section
5.2), and a digestAlgorithm attribute [*** needs an OID ***]. The
digestAlgorithm indicates the algorithm used to compute the
messageDigest value from the content. The MAC input data is the
complete DER encoding of the Attributes value contained in the
authenticatedAttributes field. Since the Attributes value, when the
field is present, must contain as attributes the content type and the
message digest of the content, those values are indirectly included
in the result. A separate encoding of the authenticatedAttributes
field is performed for MAC calculation. The IMPLICIT [0] tag in the
authenticatedAttributes field is not used for the DER encoding,
rather an EXPLICIT SET OF tag is used. That is, the DER encoding of
the SET OF tag, rather than of the IMPLICIT [0] tag, is to be
included in the message digest calculation along with the length and
contents octets of the AuthAttributes value.

draft-05:
If authenticated attributes are present, they must include the
content-type attribute (as described in Section 11.1) and mac-value
attribute (as described in section 11.5). The MAC input data is the
complete DER encoding of the Attributes value contained in the
authenticatedAttributes field. Since the Attributes value, when the
field is present, must contain as attributes the content type and the
mac value of the content, those values are indirectly included in the
result. A separate encoding of the authenticatedAttributes field is
performed for MAC calculation. The IMPLICIT [0] tag in the
authenticatedAttributes field is not used for the DER encoding,
rather an EXPLICIT SET OF tag is used. That is, the DER encoding of
the SET OF tag, rather than of the IMPLICIT [0] tag, is to be
included in the MAC calculation along with the length and contents
octets of the AuthAttributes value.

If the content has content type data (draft-05: id-data) and the
authenticatedAttributes field is absent, then just the value of the
data (e.g., the contents of a file) is input to the MAC calculation.
This has the advantage that the length of the content need not be
known in advance of the MAC calculation process. Although the
identifier octets and the length octets (draft-05: the tag and
length octets) are not included in the MAC calculation, they are
still protected by other means. The length octets are protected by
the nature of the MAC algorithm since it is computationally
infeasible to find any two distinct messages of any length that have
the same MAC.

The fact that the MAC is computed on part of a DER encoding does not
mean that DER is the required method of representing that part for
data transfer. Indeed, it is expected that some implementations will
store objects in forms other than their DER encodings, but such
practices do not affect MAC computation.

The input to the MAC calculation process includes the MAC input data,
defined above, and an authentication key conveyed in a recipientInfo
structure. The details of MAC calculation depend on the MAC
algorithm employed (e.g., HMAC-SHA1; draft-05: e.g., DES-MAC and
HMAC). The object identifier, along with any parameters, that
specifies the MAC algorithm employed by the originator is carried in
the macAlgorithm field. The MAC value generated by the originator is
encoded as an OCTET STRING and carried in the mac field.
9.2 MAC Validation 9.3 MAC Validation
The input to the MAC validation process includes the input data The input to the MAC validation process includes the input data
(determined based on the presence or absence of authenticated (determined based on the presence or absence of authenticated
attributes, as defined in 9.3), and the authentication key (conveyed attributes, as defined in 9.2), and the authentication key conveyed
in a recipientInfo structure). The details of the MAC validation in recipientInfo. The details of the MAC validation process depend
process depend on the MAC algorithm employed. on the MAC algorithm employed.
The recipient may not rely on any message digest values computed by The recipient may not rely on any MAC values computed by the
the originator. If the originator includes authenticated Attributes, originator. If the originator includes authenticated attributes,
then the ASN.1 DER encoded content of the authenticatedData object then the content of the authenticatedAttributes must be autenticated
must be digested as described in section 5.3. For the MAC to be as described in section 9.2. For the MAC to be valid, the message
valid, the message digest value calculated by the recipient must be MAC value calculated by the recipient must be the same as the value
the same as the value of the messageDigest attribute included in the of the macValue attribute included in the authenticatedAttributes.
authenticatedAttributes. Likewise, the attribute MAC value calculated by the recipient must be
the same as the value of the mac field included in the
authenticatedData.
10 Useful Types 10 Useful Types
This section is divided into two parts. The first part defines This section is divided into two parts. The first part defines
algorithm identifiers, and the second part defines other useful algorithm identifiers, and the second part defines other useful
types. types.
10.1 Algorithm Identifier Types 10.1 Algorithm Identifier Types
All of the algorithm identifiers have the same type: All of the algorithm identifiers have the same type:
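Review bot: in the new 9.2 text at the top of this hunk, the authenticatedAttributes field is described as carrying an IMPLICIT [0] tag that is replaced by the SET OF tag for MAC input, but the AuthenticatedData definition in Appendix A tags that field `authenticatedAttributes [1] IMPLICIT AuthAttributes OPTIONAL`; align the two (most likely [1] in the prose) so an implementer re-tags the octet the module actually emits. Two smaller fixes in 9.3: "autenticated" should read "authenticated", and "the message MAC value calculated by the recipient" should be "the MAC value calculated by the recipient", matching the macValue attribute it is compared against.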
skipping to change at page 22, line 49 skipping to change at page 25, line 26
be more CRLs than necessary or there may be fewer CRLs than be more CRLs than necessary or there may be fewer CRLs than
necessary. necessary.
The definition of CertificateList is imported from X.509. The definition of CertificateList is imported from X.509.
CertificateRevocationLists ::= SET OF CertificateList CertificateRevocationLists ::= SET OF CertificateList
10.2.2 CertificateChoices 10.2.2 CertificateChoices
The CertificateChoices type gives either a PKCS #6 extended The CertificateChoices type gives either a PKCS #6 extended
certificate, an X.509 certificate, or an X.509 attribute certificate. certificate [PKCS #6], an X.509 certificate, or an X.509 attribute
The PKCS #6 extended certificate is obsolete. It is included for certificate. The PKCS #6 extended certificate is obsolete. It is
backward compatibility, and its use should be avoided. included for backward compatibility, and its use should be avoided.
The definitions of Certificate and AttributeCertificate are imported The definitions of Certificate and AttributeCertificate are imported
from X.509. from X.509.
CertificateChoices ::= CHOICE { CertificateChoices ::= CHOICE {
certificate Certificate, -- See X.509 certificate Certificate, -- See X.509
extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
attrCert [1] IMPLICIT AttributeCertificate } -- See X.509 and X9.57 attrCert [1] IMPLICIT AttributeCertificate } -- See X.509 and X9.57
10.2.3 CertificateSet 10.2.3 CertificateSet
skipping to change at page 23, line 36 skipping to change at page 26, line 12
CertificateSet ::= SET OF CertificateChoices CertificateSet ::= SET OF CertificateChoices
10.2.4 IssuerAndSerialNumber 10.2.4 IssuerAndSerialNumber
The IssuerAndSerialNumber type identifies a certificate, and thereby The IssuerAndSerialNumber type identifies a certificate, and thereby
an entity and a public key, by the distinguished name of the an entity and a public key, by the distinguished name of the
certificate issuer and an issuer-specific certificate serial number. certificate issuer and an issuer-specific certificate serial number.
The definition of Name is imported from X.501, and the definition of The definition of Name is imported from X.501, and the definition of
SerialNumber is imported from X.509. CertificateSerialNumber is imported from X.509.
IssuerAndSerialNumber ::= SEQUENCE { IssuerAndSerialNumber ::= SEQUENCE {
issuer Name, issuer Name,
serialNumber SerialNumber } serialNumber CertificateSerialNumber }
SerialNumber ::= INTEGER CertificateSerialNumber ::= INTEGER
10.2.5 Version 10.2.5 Version
The Version type gives a syntax version number, for compatibility The Version type gives a syntax version number, for compatibility
with future revisions of this document. with future revisions of this document.
Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3) } Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
10.2.6 UserKeyingMaterial 10.2.6 UserKeyingMaterial
The UserKeyingMaterial type gives a syntax user keying material The UserKeyingMaterial type gives a syntax user keying material
(UKM). Some key management algorithms require UKMs. The sender (UKM). Some key agreement algorithms require UKMs to ensure that a
provides a UKM for the specific key management algorithm. The UKM is different key is generated each time the same two parties generate a
employed by all of the recipients that use the same key encryption pairwise key. The sender provides a UKM for use with a specific key
algorithm. agreement algorithm.
UserKeyingMaterial ::= SEQUENCE {
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
ukm OCTET STRING }
10.2.7 UserKeyingMaterials
The UserKeyingMaterial type provides a set of user keying materials
(UKMs). This allows the sender to provide a UKM for each key
management algorithm that requires one.
UserKeyingMaterials ::= SET SIZE (1..MAX) OF UserKeyingMaterial UserKeyingMaterial ::= OCTET STRING
10.2.8 OtherKeyAttribute 10.2.7 OtherKeyAttribute
The OtherKeyAttribute type gives a syntax for the inclusion of other The OtherKeyAttribute type gives a syntax for the inclusion of other
key attributes that permit the recipient to select the key used by key attributes that permit the recipient to select the key used by
the sender. The attribute object identifier must be registered along the sender. The attribute object identifier must be registered along
with the syntax of the attribute itself. Use of this structure with the syntax of the attribute itself. Use of this structure
should be avoided since it may impede interoperability. should be avoided since it may impede interoperability.
OtherKeyAttribute ::= SEQUENCE { OtherKeyAttribute ::= SEQUENCE {
keyAttrId OBJECT IDENTIFIER, keyAttrId OBJECT IDENTIFIER,
keyAttr ANY DEFINED BY keyAttrId OPTIONAL } keyAttr ANY DEFINED BY keyAttrId OPTIONAL }
11 Useful Attributes 11 Useful Attributes
This section defines attributes that may used with signed-data. All This section defines attributes that may used with signed-data or
of these attributes were originally defined in PKCS #9, and they are authenticated-data. Some of these attributes were originally defined
included here for easy reference. The attributes are not listed in in PKCS #9 [PKCS #9], others are defined and specified here. The
any particular order. attributes are not listed in any particular order.
11.1 Content Type 11.1 Content Type
The content-type attribute type specifies the content type of the The content-type attribute type specifies the content type of the
ContentInfo value being signed in signed-data. The content-type ContentInfo value being signed in signed-data. The content-type
attribute type is required if there are any authenticated attributes attribute type is required if there are any authenticated attributes
present. present.
The content-type attribute must be an authenticated attribute; it The content-type attribute must be a signed attribute or an
cannot be an unauthenticated attribute. The content-type attribute authenticated attribute; it cannot be an unsigned attribute or
is never critical. unauthenticated attribute.
The following object identifier identifies the content-type The following object identifier identifies the content-type
attribute: attribute:
id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
Content-type attribute values have ASN.1 type ContentType: Content-type attribute values have ASN.1 type ContentType:
ContentType ::= OBJECT IDENTIFIER ContentType ::= OBJECT IDENTIFIER
A content-type attribute must have a single attribute value. A content-type attribute must have a single attribute value.
11.2 Message Digest 11.2 Message Digest
The message-digest attribute type specifies the message digest of the The message-digest attribute type specifies the message digest of the
encapContentInfo eContent OCTET STRING being signed in signed-data encapContentInfo eContent OCTET STRING being signed in signed-data
(see section 5.3), where the message digest is computed using the (see section 5.4), where the message digest is computed using the
signer's message digest algorithm. The message-digest attribute type signer's message digest algorithm.
is required if there are any authenticated attributes present.
The message-digest attribute must be an authenticated attribute; it Within signed-data, the message-digest signed attribute type is
cannot be an unauthenticated attribute. The message-digest attribute required if there are any attributes present.
is never critical.
The message-digest attribute must be a signed attribute; it cannot be
an unsigned attribute, an authenticated attribute, or unauthenticated
attribute.
The following object identifier identifies the message-digest The following object identifier identifies the message-digest
attribute: attribute:
id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
Message-digest attribute values have ASN.1 type MessageDigest: Message-digest attribute values have ASN.1 type MessageDigest:
MessageDigest ::= OCTET STRING MessageDigest ::= OCTET STRING
A message-digest attribute must have a single attribute value. A message-digest attribute must have a single attribute value.
11.3 Signing Time 11.3 Signing Time
The signing-time attribute type specifies the time at which the The signing-time attribute type specifies the time at which the
signer (purportedly) performed the signing process. The signing-time signer (purportedly) performed the signing process. The signing-time
attribute type is intended for use in signed-data. attribute type is intended for use in signed-data.
The signing-time attribute may be an authenticated attribute or an The signing-time attribute may be a signed attribute; it cannot be an
unauthenticated attribute. The signing-time authenticated attribute unsigned attribute, an authenticated attribute, or an unauthenticated
may be critical or non-critical. attribute.
The following object identifier identifies the signing-time The following object identifier identifies the signing-time
attribute: attribute:
id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
Signing-time attribute values have ASN.1 type SigningTime: Signing-time attribute values have ASN.1 type SigningTime:
SigningTime ::= Time SigningTime ::= Time
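Review bot: 11.1 in the new text still ties the content-type requirement to "any authenticated attributes present" and describes only the ContentInfo value "being signed in signed-data", although the same section now permits content-type as a signed attribute (signed-data) or an authenticated attribute (authenticated-data); restate it as required whenever any signed attributes or authenticated attributes are present, for both content types, the way 11.2 does for message-digest within signed-data.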
skipping to change at page 26, line 40 skipping to change at page 29, line 5
such as time-stamp servers, will be trusted implicitly. such as time-stamp servers, will be trusted implicitly.
11.4 Countersignature 11.4 Countersignature
The countersignature attribute type specifies one or more signatures The countersignature attribute type specifies one or more signatures
on the contents octets of the DER encoding of the signatureValue on the contents octets of the DER encoding of the signatureValue
field of a SignerInfo value in signed-data. Thus, the field of a SignerInfo value in signed-data. Thus, the
countersignature attribute type countersigns (signs in serial) countersignature attribute type countersigns (signs in serial)
another signature. another signature.
The countersignature attribute must be an unauthenticated attribute; The countersignature attribute must be an unsigned attribute; it
it cannot be an authenticated attribute. cannot be a signed attribute, an authenticated attribute, or an
unauthenticated attribute.
The following object identifier identifies the countersignature The following object identifier identifies the countersignature
attribute: attribute:
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
Countersignature attribute values have ASN.1 type Countersignature: Countersignature attribute values have ASN.1 type Countersignature:
Countersignature ::= SignerInfo Countersignature ::= SignerInfo
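Review bot: 11.4 says the countersignature is computed over the "signatureValue field of a SignerInfo value", but in the SignerInfo definition in Appendix A the field is named `signature` and SignatureValue is its type; refer to the field by its name (`signature`) so the input octets are unambiguous.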
skipping to change at page 27, line 4 skipping to change at page 29, line 18
The following object identifier identifies the countersignature The following object identifier identifies the countersignature
attribute: attribute:
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
Countersignature attribute values have ASN.1 type Countersignature: Countersignature attribute values have ASN.1 type Countersignature:
Countersignature ::= SignerInfo Countersignature ::= SignerInfo
Countersignature values have the same meaning as SignerInfo values Countersignature values have the same meaning as SignerInfo values
for ordinary signatures, except that: for ordinary signatures, except that:
1. The authenticatedAttributes field must contain a message- 1. The signedAttributes field must contain a message-digest
digest attribute if it contains any other attributes, but need not attribute if it contains any other attributes, but need not
contain a content-type attribute, as there is no content type for contain a content-type attribute, as there is no content type for
countersignatures. countersignatures.
2. The input to the message-digesting process is the contents 2. The input to the message-digesting process is the contents
octets of the DER encoding of the signatureValue field of the octets of the DER encoding of the signatureValue field of the
SignerInfo value with which the attribute is associated. SignerInfo value with which the attribute is associated.
A countersignature attribute can have multiple attribute values. A countersignature attribute can have multiple attribute values.
The fact that a countersignature is computed on a signature value The fact that a countersignature is computed on a signature value
means that the countersigning process need not know the original means that the countersigning process need not know the original
content input to the signing process. This has advantages both in content input to the signing process. This has advantages both in
efficiency and in confidentiality. A countersignature, since it has efficiency and in confidentiality. A countersignature, since it has
type SignerInfo, can itself contain a countersignature attribute. type SignerInfo, can itself contain a countersignature attribute.
Thus it is possible to construct arbitrarily long series of Thus it is possible to construct arbitrarily long series of
countersignatures. countersignatures.
11.5 Message Authentication Code (MAC) Value
The MAC-value attribute type specifies the MAC of the
encapContentInfo eContent OCTET STRING being authenticated in
authenticated-data (see section 9), where the MAC value is computed
using the originator's MAC algorithm and the data-authentication key.
Within authenticated-data, the MAC-value attribute type is required
if there are any authenticated attributes present.
The MAC-value attribute must be a authenticated attribute; it cannot
be an signed attribute, an unsigned attribute, or unauthenticated
attribute.
The following object identifier identifies the MAC-value attribute:
id-macValue OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) aa(2) 8 }
MAC-value attribute values have ASN.1 type MACValue:
MACValue ::= OCTET STRING
A MAC-value attribute must have a single attribute value.
12 Supported Algorithms 12 Supported Algorithms
This section lists the algorithms that must be implemented. This section lists the algorithms that must be implemented.
Additional algorithms that may be implemented are also included. Additional algorithms that may be implemented are also included.
12.1 Digest Algorithms 12.1 Digest Algorithms
CMS implementations must include SHA-1. CMS implementations may CMS implementations must include SHA-1. CMS implementations may
include MD5. include MD5.
12.1.1 SHA-1 12.1.1 SHA-1
[*** Add pointer to algorithm specification. Provide OID. ***]
12.1.2 MD5 12.1.2 MD5
[*** Add pointer to algorithm specification. Provide OID. ***]
12.2 Signature Algorithms 12.2 Signature Algorithms
CMS implementations must include DSA. CMS implementations may CMS implementations must include DSA. CMS implementations may
include RSA. include RSA.
12.2.1 DSA 12.2.1 DSA
[*** Add pointer to algorithm specification. Provide OID. Provide
ASN.1 for parameters and signature value. ***]
12.2.2 RSA 12.2.2 RSA
[*** Add pointer to algorithm specification. Provide OID. Provide
ASN.1 for parameters and signature value. ***]
12.3 Key Encryption Algorithms 12.3 Key Encryption Algorithms
CMS implementations must include X9.42 Static Diffie-Hellman. CMS CMS implementations must include X9.42 Static Diffie-Hellman. CMS
implementations may include RSA. implementations may include RSA and Triple-DES.
12.3.1 X9.42 Static Diffie-Hellman 12.3.1 X9.42 Static Diffie-Hellman
[*** Add pointer to algorithm specification. Provide OID. Provide
ASN.1 for parameters. ***]
12.3.2 RSA 12.3.2 RSA
[*** Add pointer to algorithm specification. Provide OID. Provide
ASN.1 for parameters. ***]
12.3.3 Triple-DES Key Wrap
[*** Add pointer to algorithm specification. Provide OID. ***]
12.4 Content Encryption Algorithms 12.4 Content Encryption Algorithms
CMS implementations must include Triple-DES in CBC mode. CMS CMS implementations must include Triple-DES in CBC mode. CMS
implementations may include DES in CBC mode and RC2 in CBC mode. implementations may include DES in CBC mode and RC2 in CBC mode.
12.4.1 Triple-DES CBC 12.4.1 Triple-DES CBC
[*** Add pointer to algorithm specification. Provide OID. ***]
12.4.2 DES CBC 12.4.2 DES CBC
[*** Add pointer to algorithm specification. Provide OID. ***]
12.4.3 RC2 CBC 12.4.3 RC2 CBC
12.5 MessageAuthenticationCodeAlgorithm [*** Add pointer to algorithm specification. Provide OID. ***]
12.5 Message Authentication Code Algorithms
No MAC algorithms are mandatory. CMS implementations may include DES No MAC algorithms are mandatory. CMS implementations may include DES
MAC and HMAC. MAC and HMAC.
12.5.1 DES MAC 12.5.1 DES MAC
[*** Add pointer to algorithm specification. Provide OID. ***]
12.5.2 HMAC 12.5.2 HMAC
[*** Add pointer to algorithm specification. Provide OID. ***]
Appendix A: ASN.1 Module Appendix A: ASN.1 Module
CryptographicMessageSyntax CryptographicMessageSyntax
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1) } pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS All --
-- The types and values defined in this module are exported for use in
-- the other ASN.1 modules. Other applications may use them for their
-- own purposes.
IMPORTS IMPORTS
-- Directory Information Framework (X.501) -- Directory Information Framework (X.501)
Name Name
FROM InformationFramework { joint-iso-itu-t ds(5) modules(1) FROM InformationFramework { joint-iso-itu-t ds(5) modules(1)
informationFramework(1) 3 } informationFramework(1) 3 }
-- Directory Authentication Framework (X.509) -- Directory Authentication Framework (X.509)
AlgorithmIdentifier, AttributeCertificate, Certificate, AlgorithmIdentifier, AttributeCertificate, Certificate,
CertificateList, CertificateSerialNumber CertificateList, CertificateSerialNumber
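Review bot: in 11.5 the attribute-placement sentence has article errors; "must be a authenticated attribute; it cannot be an signed attribute, an unsigned attribute, or unauthenticated attribute" should read "must be an authenticated attribute; it cannot be a signed attribute, an unsigned attribute, or an unauthenticated attribute". Item 1 under Countersignature names the field `signedAttributes` while Appendix A calls it `signedAttrs`; use the module's name. Every subsection of 12 is still a "[*** Add pointer to algorithm specification. Provide OID. ***]" placeholder, so the mandatory-to-implement set (SHA-1, DSA, X9.42 Static Diffie-Hellman, Triple-DES CBC) cannot yet be implemented interoperably from this draft; the OIDs and parameter syntax for at least those four need to be supplied.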
skipping to change at page 30, line 45 skipping to change at page 33, line 50
SignedData ::= SEQUENCE { SignedData ::= SEQUENCE {
version Version, version Version,
digestAlgorithms DigestAlgorithmIdentifiers, digestAlgorithms DigestAlgorithmIdentifiers,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL, certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
signerInfos SignerInfos } signerInfos SignerInfos }
DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo
EncapsulatedContentInfo ::= SEQUENCE { EncapsulatedContentInfo ::= SEQUENCE {
eContentType ContentType, eContentType ContentType,
eContent [0] EXPLICIT OCTET STRING OPTIONAL } eContent [0] EXPLICIT OCTET STRING OPTIONAL }
SignerInfos ::= SET OF SignerInfo ContentType ::= OBJECT IDENTIFIER
SignerInfo ::= SEQUENCE { SignerInfo ::= SEQUENCE {
version Version, version Version,
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] IMPLICIT AuthAttributes OPTIONAL, signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier, signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue, signature SignatureValue,
unauthenticatedAttributes [1] IMPLICIT UnauthAttributes OPTIONAL } unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
AuthAttributes ::= SET SIZE (1..MAX) OF AuthAttribute
AuthAttribute ::= SEQUENCE { SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
attrType OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
attrValues SET OF AttributeValue }
UnauthAttributes ::= SET SIZE (1..MAX) OF UnauthAttribute UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute
UnauthAttribute ::= SEQUENCE { Attribute ::= SEQUENCE {
attrType OBJECT IDENTIFIER, attrType OBJECT IDENTIFIER,
attrValues SET OF AttributeValue } attrValues SET OF AttributeValue }
AttributeValue ::= ANY AttributeValue ::= ANY
SignatureValue ::= OCTET STRING SignatureValue ::= OCTET STRING
EnvelopedData ::= SEQUENCE { EnvelopedData ::= SEQUENCE {
version Version, version Version,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo } encryptedContentInfo EncryptedContentInfo }
OriginatorInfo ::= SEQUENCE { OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL, certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, crls [1] IMPLICIT CertificateRevocationLists OPTIONAL }
ukms [2] IMPLICIT UserKeyingMaterials OPTIONAL }
RecipientInfos ::= SET OF RecipientInfo RecipientInfos ::= SET OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE { EncryptedContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType,
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL } encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
EncryptedContent ::= OCTET STRING EncryptedContent ::= OCTET STRING
RecipientInfo ::= SEQUENCE { RecipientInfo ::= CHOICE {
version Version, ktri KeyTransRecipientInfo,
rid RecipientIdentifier, kari KeyAgreeRecipientInfo,
originatorCert [0] EXPLICIT EntityIdentifier OPTIONAL, mlri MailListRecipientInfo }
EncryptedKey ::= OCTET STRING
KeyTransRecipientInfo ::= SEQUENCE {
version Version, -- always set to 0 or 2
rid EntityIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey } encryptedKey EncryptedKey }
EntityIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier }
KeyAgreeRecipientInfo := SEQUENCE {
version Version, -- always set to 3
originatorCert [0] EXPLICIT EntityIdentifier,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
recipientEncryptedKeys RecipientEncryptedKeys }
RecipientEncryptedKeys ::= SEQUEENCE OF RecipientEncryptedKey
RecipientEncryptedKey := SEQUENCE {
rid RecipientIdentifier,
encryptedKey EncryptedKey }
RecipientIdentifier ::= CHOICE { RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier, rKeyId [0] IMPLICIT RecipientKeyIdentifier }
mlKeyId [1] IMPLICIT MailListKeyIdentifier }
RecipientKeyIdentifier ::= SEQUENCE { RecipientKeyIdentifier ::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier, subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL, date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL } other OtherKeyAttribute OPTIONAL }
SubjectKeyIdentifier ::= OCTET STRING
MailListRecipientInfo := SEQUENCE {
version Version, -- always set to 4
mlid MailListKeyIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
MailListKeyIdentifier ::= SEQUENCE { MailListKeyIdentifier ::= SEQUENCE {
kekIdentifier OCTET STRING, kekIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL, date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL } other OtherKeyAttribute OPTIONAL }
EntityIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier SubjectKeyIdentifier }
SubjectKeyIdentifier ::= OCTET STRING
EncryptedKey ::= OCTET STRING
DigestedData ::= SEQUENCE { DigestedData ::= SEQUENCE {
version Version, version Version,
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
digest Digest } digest Digest }
Digest ::= OCTET STRING Digest ::= OCTET STRING
EncryptedData ::= SEQUENCE { EncryptedData ::= SEQUENCE {
version Version, version Version,
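Review bot: the new module in this hunk will not compile as written: `RecipientEncryptedKeys ::= SEQUEENCE OF RecipientEncryptedKey` misspells SEQUENCE, and the KeyAgreeRecipientInfo, RecipientEncryptedKey and MailListRecipientInfo assignments use `:=` where ASN.1 requires `::=`. Fix the keyword and those three assignments before the module is run through a compiler.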
skipping to change at page 33, line 4 skipping to change at page 36, line 20
version Version, version Version,
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
digest Digest } digest Digest }
Digest ::= OCTET STRING Digest ::= OCTET STRING
EncryptedData ::= SEQUENCE { EncryptedData ::= SEQUENCE {
version Version, version Version,
encryptedContentInfo EncryptedContentInfo } encryptedContentInfo EncryptedContentInfo }
AuthenticatedData ::= SEQUENCE { AuthenticatedData ::= SEQUENCE {
version Version, version Version,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
macAlgorithm MessageAuthenticationCodeAlgorithm, macAlgorithm MessageAuthenticationCodeAlgorithm,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
mac MessageAuthenticationCode } authenticatedAttributes [1] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode,
unauthenticatedAttributes [2] IMPLICIT UnauthAttributes OPTIONAL }
MessageAuthenticationCode ::= OCTET STRING AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
CertificateRevocationLists ::= SET OF CertificateList UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier MessageAuthenticationCode ::= OCTET STRING
DigestAlgorithmIdentifier ::= AlgorithmIdentifier DigestAlgorithmIdentifier ::= AlgorithmIdentifier
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
CertificateRevocationLists ::= SET OF CertificateList
CertificateChoices ::= CHOICE { CertificateChoices ::= CHOICE {
certificate Certificate, -- See X.509 certificate Certificate, -- See X.509
extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
attrCert [1] IMPLICIT AttributeCertificate } -- See X.509 and X9.57 attrCert [1] IMPLICIT AttributeCertificate } -- See X.509 & X9.57
CertificateSet ::= SET OF CertificateChoices CertificateSet ::= SET OF CertificateChoices
IssuerAndSerialNumber ::= SEQUENCE { IssuerAndSerialNumber ::= SEQUENCE {
issuer Name, issuer Name,
serialNumber SerialNumber } serialNumber CertificateSerialNumber }
SerialNumber ::= INTEGER
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3) } Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
UserKeyingMaterial ::= SEQUENCE { UserKeyingMaterial ::= OCTET STRING
algorithm AlgorithmIdentifier,
ukm OCTET STRING }
UserKeyingMaterials ::= SET SIZE (1..MAX) OF UserKeyingMaterial UserKeyingMaterials ::= SET SIZE (1..MAX) OF UserKeyingMaterial
OtherKeyAttribute ::= SEQUENCE { OtherKeyAttribute ::= SEQUENCE {
keyAttrId OBJECT IDENTIFIER, keyAttrId OBJECT IDENTIFIER,
keyAttr ANY DEFINED BY keyAttrId OPTIONAL } keyAttr ANY DEFINED BY keyAttrId OPTIONAL }
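Review bot: changing UserKeyingMaterial from `SEQUENCE { algorithm AlgorithmIdentifier, ukm OCTET STRING }` to a bare `OCTET STRING` is an incompatible encoding change between -04 and -05 (a -04 SEQUENCE will not decode as an OCTET STRING and vice versa), and it also drops the algorithm identifier that made each UKM self-describing, so its interpretation must now come from the key-encryption algorithm of the recipient structure that carries it, which is not shown in this region; both points deserve a sentence in the prose. Two smaller checks in the same hunk: `serialNumber` now uses `CertificateSerialNumber` and the local `SerialNumber ::= INTEGER` is removed, so the module's IMPORTS clause (not visible here) must bring `CertificateSerialNumber` in from X.509 or the module will not compile; and `Version` gains `v4(4)`, so the body text that assigns version numbers to each structure should say where v4 is used.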
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
-- CMS Attributes -- CMS Attributes
MessageDigest ::= OCTET STRING MessageDigest ::= OCTET STRING
SigningTime ::= Time SigningTime ::= Time
Time ::= CHOICE { Time ::= CHOICE {
utcTime UTCTime, utcTime UTCTime,
generalTime GeneralizedTime } generalTime GeneralizedTime }
Countersignature ::= SignerInfo Countersignature ::= SignerInfo
MACValue ::= OCTET STRING
-- Object Identifiers -- Object Identifiers
id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }
skipping to change at page 35, line 4 skipping to change at page 38, line 36
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
id-macValue OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) aa(2) 8 }
-- Obsolete Extended Certificate syntax from PKCS#6 -- Obsolete Extended Certificate syntax from PKCS#6
ExtendedCertificateOrCertificate ::= CHOICE { ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate, certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate } extendedCertificate [0] IMPLICIT ExtendedCertificate }
ExtendedCertificate ::= SEQUENCE { ExtendedCertificate ::= SEQUENCE {
extendedCertificateInfo ExtendedCertificateInfo, extendedCertificateInfo ExtendedCertificateInfo,
signatureAlgorithm SignatureAlgorithmIdentifier, signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature } signature Signature }
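Review bot: `id-macValue` (`{ ... pkcs9(9) smime(16) aa(2) 8 }`) is removed here together with `MACValue ::= OCTET STRING` earlier in the module, while `MessageAuthenticationCode ::= OCTET STRING` is retained; any prose in the body that still describes a mac-value attribute, and any implementation that carried the MAC in an attribute rather than in the MessageAuthenticationCode field, needs to be updated to match. Since -04 implementations may already emit this OID, it should be noted as retired rather than reassigned to a different attribute in a later draft.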
skipping to change at page 36, line 7 skipping to change at page 40, line 7
version Version, version Version,
certificate Certificate, certificate Certificate,
attributes UnauthAttributes } attributes UnauthAttributes }
Signature ::= BIT STRING Signature ::= BIT STRING
END -- of CryptographicMessageSyntax END -- of CryptographicMessageSyntax
References References
PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate Syntax RFC 2313 Kaliski, B. PKCS #1: RSA Encryption, Version 1.5.
Standard. Version 1.5, November 1993. March 1998.
PKCS #7 RSA Laboratories. PKCS #7: Cryptographic Message Syntax RFC 2315 Kaliski, B. PKCS #7: Cryptographic Message Syntax,
Standard. Version 1.5, November 1993. Version 1.5. March 1998.
PKCS #7: Cryptographic Message Syntax, Internet Draft PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate Syntax
draft-hoffman-pkcs-crypt-msg-xx. Standard, Version 1.5. November 1993.
PKCS #9 RSA Laboratories. PKCS #9: Selected Attribute Types. PKCS #9 RSA Laboratories. PKCS #9: Selected Attribute Types,
Version 1.1, November 1993. Version 1.1. November 1993.
X.208 CCITT. Recommendation X.208: Specification of Abstract X.208 CCITT. Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1). 1988. Syntax Notation One (ASN.1). 1988.
X.209 CCITT. Recommendation X.209: Specification of Basic Encoding X.209 CCITT. Recommendation X.209: Specification of Basic Encoding
Rules for Abstract Syntax Notation One (ASN.1). 1988. Rules for Abstract Syntax Notation One (ASN.1). 1988.
X.501 CCITT. Recommendation X.501: The Directory - Models. 1988. X.501 CCITT. Recommendation X.501: The Directory - Models. 1988.
X.509 CCITT. Recommendation X.509: The Directory - Authentication X.509 CCITT. Recommendation X.509: The Directory - Authentication
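Review bot: PKCS #1 and PKCS #7 are now cited as RFC 2313 and RFC 2315 and the `draft-hoffman-pkcs-crypt-msg-xx` entry is gone, so every in-text citation of PKCS #7 or the Hoffman draft in the body must be changed to the RFC tags or it will dangle. As a style point, the two RFC entries now sit ahead of PKCS #6 and PKCS #9, breaking the ordering the -04 list had; placing them after the PKCS entries, or sorting the whole list, keeps it consistent with the X.* entries that follow.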
skipping to change at page 36, line 49 skipping to change at page 41, line 9
Implementations must protect the key management private key and the Implementations must protect the key management private key and the
content-encryption key. Compromise of the key management private key content-encryption key. Compromise of the key management private key
may result in the disclosure of all messages protected with that key. may result in the disclosure of all messages protected with that key.
Similarly, compromise of the content-encryption key may result in Similarly, compromise of the content-encryption key may result in
disclosure of the encrypted content. disclosure of the encrypted content.
Author Address Author Address
Russell Housley Russell Housley
SPYRUS SPYRUS
PO Box 1198 381 Elden Street
Herndon, VA 20172 Suite 1120
Herndon, VA 20170
USA USA
housley@spyrus.com housley@spyrus.com
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/