# PKCS7 Signed And Enveloped Data

### Syntax

#### SignedAndEnvelopedData

```java=
SignedAndEnvelopedData ::= SEQUENCE {
    version Version,
    recipientInfos RecipientInfos,
    digestAlgorithms DigestAlgorithmIdentifiers,
    encryptedContentInfo EncryptedContentInfo,
    certificates[0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
    crls[1] IMPLICIT CertificateRevocationLists OPTIONAL,
    signerInfos SignerInfos
}
```

#### RecipientInfo

```java=
RecipientInfo ::= SEQUENCE {
    version Version,
    issuerAndSerialNumber IssuerAndSerialNumber,
    keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
    encryptedKey EncryptedKey
}

IssuerAndSerialNumber ::= SEQUENCE {
    issuer Name,
    serialNumber CertificateSerialNumber
}

KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedKey ::= OCTET STRING
```

#### EncryptedContentInfo

```java=
EncryptedContentInfo ::= SEQUENCE {
    contentType ContentType,
    contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
    encryptedContent[0] IMPLICIT EncryptedContent OPTIONAL
}

EncryptedContent ::= OCTET STRING
```

#### SignerInfo

```java=
SignerInfo ::= SEQUENCE {
    version Version,
    issuerAndSerialNumber IssuerAndSerialNumber,
    digestAlgorithm DigestAlgorithmIdentifier,
    authenticatedAttributes[0] IMPLICIT Attributes OPTIONAL,
    digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
    encryptedDigest EncryptedDigest,
    unauthenticatedAttributes[1] IMPLICIT Attributes OPTIONAL
}

IssuerAndSerialNumber ::= SEQUENCE {
    issuer Name,
    serialNumber CertificateSerialNumber
}

DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedDigest ::= OCTET STRING
```

### Create SignedAndEnvelopedData

Step 1: Build recipientInfo

```
generate sessionKey (3DES)
key = 24 bytes
iv = 8 bytes
```

```java=
RecipientInfo ::= SEQUENCE {
    version Version,
    issuerAndSerialNumber IssuerAndSerialNumber,
    keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
    encryptedKey EncryptedKey
}

version = 0

// Recipient cert
issuerAndSerialNumber ::= SEQUENCE {
    issuer = "issuerString",
    serialNumber = DerInt
}

keyEncryptionAlgorithm = rsaEncryption(OID)

encryptedKey = 3DES key encrypted with the recipient's public key
```

Step 2: Build digestAlgorithms, encryptedContentInfo, certificates

```java=
digestAlgorithms = sha256(OID)
----
EncryptedContentInfo ::= SEQUENCE {
    contentType ContentType,
    contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
    encryptedContent[0] IMPLICIT EncryptedContent OPTIONAL
}

contentType = pkcs7-data type
contentEncryptionAlgorithm = des_EDE3_CBC (OID)
encryptedContent = plaintext encrypted with des_EDE3_CBC
----
certificates = signer's cert
----
crl = NULL
```

Step 3: Build signerInfo

```java=
SignerInfo ::= SEQUENCE {
    version = 1,
    issuerAndSerialNumber,
    digestAlgorithm,
    authenticatedAttributes[0] IMPLICIT Attributes OPTIONAL,
    digestEncryptionAlgorithm,
    encryptedDigest EncryptedDigest,
    unauthenticatedAttributes[1] IMPLICIT Attributes OPTIONAL
}

// Signer cert
issuerAndSerialNumber ::= SEQUENCE {
    issuer = "issuerString",
    serialNumber = DerInt
}

digestAlgorithm = sha256 oid
authenticatedAttributes = NULL
encryptedDigest = signer's pkcs#1 signature
unauthenticatedAttributes = NULL
```

Step 4: Build SignedAndEnvelopedData

```java=
SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.113549.1.7.4 signedAndEnvelopedData (PKCS #7)
    [0] (1 elem)
        SEQUENCE (7 elem)
            version Version,
            recipientInfos RecipientInfos,
            digestAlgorithms DigestAlgorithmIdentifiers,
            encryptedContentInfo EncryptedContentInfo,
            certificates[0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
            crls[1] IMPLICIT CertificateRevocationLists OPTIONAL,
            signerInfos SignerInfos
```
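
The four steps above, assembled into DER bytes with the standard library only. This is an added example, not code from the original page: the encrypted key, ciphertext, signature and certificate are constructed placeholder bytes, and the helper names, the single-CN issuer `Name`, version 1 for the outer structure and rsaEncryption as the `digestEncryptionAlgorithm` are assumptions. It shows how the `IMPLICIT` and explicit `[0]` tags differ on the wire.

```python
def tlv(tag, body):
    """DER tag-length-value; definite length, long form at 128+ bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def oid(dotted):
    a, b, *rest = map(int, dotted.split("."))
    out = bytes([40 * a + b])
    for arc in rest:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, out)

def integer(v):                           # non-negative INTEGER only
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def seq(*parts): return tlv(0x30, b"".join(parts))
def set_of(*parts): return tlv(0x31, b"".join(sorted(parts)))  # DER sorts SET OF members
NULL = b"\x05\x00"

def issuer_serial(cn, serial):            # Name reduced to one CN RDN (assumption)
    return seq(seq(set_of(seq(oid("2.5.4.3"), tlv(0x0C, cn.encode())))), integer(serial))

def signed_and_enveloped(recip, signer, enc_key, iv, enc_content, cert_der, sig):
    rsa = seq(oid("1.2.840.113549.1.1.1"), NULL)
    sha256 = seq(oid("2.16.840.1.101.3.4.2.1"), NULL)
    recipient_info = seq(integer(0), recip, rsa, tlv(0x04, enc_key))   # step 1
    eci = seq(oid("1.2.840.113549.1.7.1"),                             # step 2, pkcs7-data
              seq(oid("1.2.840.113549.3.7"), tlv(0x04, iv)),  # des-EDE3-CBC, IV as parameter
              tlv(0x80, enc_content))     # [0] IMPLICIT: 0x80 replaces OCTET STRING's 0x04
    # step 3; rsaEncryption as digestEncryptionAlgorithm is an assumption
    signer_info = seq(integer(1), signer, sha256, rsa, tlv(0x04, sig))
    body = seq(integer(1),                # version 1 per PKCS #7 v1.5 (not stated on the page)
               set_of(recipient_info), set_of(sha256), eci,
               tlv(0xA0, cert_der),       # [0] IMPLICIT: 0xA0 replaces SET OF's 0x31
               set_of(signer_info))       # crls [1] omitted
    return seq(oid("1.2.840.113549.1.7.4"), tlv(0xA0, body))  # step 4, explicit [0] wrapper

def sample():                             # constructed placeholder inputs, not real crypto
    return signed_and_enveloped(
        issuer_serial("Recipient CA", 4660), issuer_serial("Signer CA", 22136),
        b"\xAA" * 256, b"\x01" * 8, b"\xEE" * 16, seq(), b"\xBB" * 256)
```

Pasting `sample().hex()` into an ASN.1 viewer should reproduce the tree from step 4, with six elements in the inner SEQUENCE because `crls` is left out.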