Organizations

a portal for promoting internet and telecom
standardization knowledge

IETF topics > Security
  RFC index search site map about tech-invite home
# IETF   # 3GPP   # ETSI
# Alliances, Fora, & other SDOs
Standardization work
# IETF WGs: RFCs+I-Ds   # IAB # IRTF
# 3GPP series   # ETSI committees
IETF topics
# SIP   # Security  
# Presence, IM & XCAP
# Conferencing   # Media Control  
# EAP   # Mobility Management  
3GPP topics
# Network Architecture   # GPRS  
# IMS   # Security Architecture  
# AKA   # GAA/GBA   # LI  
# GAN   # MBMS   # I-WLAN   # EPS  
# PCC   # Charging  
# HSS & Subscriber Data   # GUP  
# LCS   # Presence   # PoC  
# SIP-I   # ISC   # ICS  
ETSI topics
# TISPAN NGN  
Other topics
# M2M   # RFID   # NFC  
# Network Simulation
#public access
#private access (full or partial)
# public access so far, but very likely private access with next version
# Cryptography Basics  
# SSL/TLS Sequence Charts  
# PKI Certificate Examples  
# PKI Certificate & CRL Profile  
# CMS Examples  
# CMS's ASN.1 Definitions  

Cryptographic Message Syntax (CMS)

CMS (RFC 5652) is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.
This page reports the CMS ASN.1 syntax as defined in the module identified by:

  CryptographicMessageSyntax2004
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

General Syntax

id-ct-contentInfoOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs-9(9)  
   smime(16)   ct(1)   6
}
ContentInfo::= SEQUENCE {
contentType ContentType,
content[0] EXPLICIT ANY DEFINED BY contentType }
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Data Content Type

id-dataOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs7(7)   1
}
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Signed-data Content Type

id-signedDataOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs7(7)   2
}
SignedData::= SEQUENCE {
version CMSVersion,
digestAlgorithms DigestAlgorithmIdentifiers,
encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos }
DigestAlgorithmIdentifiers::= SET OF DigestAlgorithmIdentifier
SignerInfos::= SET OF SignerInfo
Encapsulated Content Information  Up
EncapsulatedContentInfo::= SEQUENCE {
eContentType ContentType,
eContent [0] EXPLICIT OCTET STRING OPTIONAL }
Signer Information  Up
SignerInfo::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
SignerIdentifier::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier }
SignedAttributes::= SET SIZE (1..MAX) OF Attribute
UnsignedAttributes::= SET SIZE (1..MAX) OF Attribute
SignatureValue::= OCTET STRING
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Enveloped-Data Content Type

id-envelopedDataOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs7(7)   3
}
EnvelopedData::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo,
unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }
RecipientInfos::= SET SIZE (1..MAX) OF RecipientInfo
UnprotectedAttributes::= SET SIZE (1..MAX) OF Attribute
Originator Information  Up
OriginatorInfo::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
Encrypted Content Information  Up
EncryptedContentInfo::= SEQUENCE {
contentType ContentType,
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
EncryptedContent::= OCTET STRING
Recipient Information  Up
RecipientInfo::= CHOICE {
ktri KeyTransRecipientInfo,
kari [1] KeyAgreeRecipientInfo,
kekri [2] KEKRecipientInfo,
pwri [3] PasswordRecipientinfo,
ori [4] OtherRecipientInfo }
EncryptedKey::= OCTET STRING
Key Transport Recipient Information  Up
KeyTransRecipientInfo::= SEQUENCE {
version CMSVersion, -- always set to 0 or 2
rid RecipientIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
RecipientIdentifier::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier }
Key Agreement Recipient Information  Up
KeyAgreeRecipientInfo::= SEQUENCE {
version CMSVersion, -- always set to 3
originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
recipientEncryptedKeys RecipientEncryptedKeys }
OriginatorIdentifierOrKey::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey }
OriginatorPublicKey::= SEQUENCE {
algorithm AlgorithmIdentifier,
publicKey BIT STRING }
RecipientEncryptedKeys::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKey::= SEQUENCE {
rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey }
KeyAgreeRecipientIdentifier::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier }
RecipientKeyIdentifier::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
SubjectKeyIdentifier::= OCTET STRING
Key-Encryption-Key Recipient Information  Up
KEKRecipientInfo::= SEQUENCE {
version CMSVersion, -- always set to 4
kekid KEKIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
KEKIdentifier::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
Recipient Information using a Password or shared secret value  Up
PasswordRecipientInfo::= SEQUENCE {
version CMSVersion, -- always set to 0
keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
Recipient Information for additional key management techniques  Up
OtherRecipientInfo::= SEQUENCE {
oriType OBJECT IDENTIFIER,
oriValue ANY DEFINED BY oriType }
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Digested-data Content Type

id-digestedDataOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs7(7)   5
}
DigestedData::= SEQUENCE {
version CMSVersion,
digestAlgorithm DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo,
digest Digest }
Digest::= OCTET STRING
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Encrypted-data Content Type

id-encryptedDataOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs7(7)   6
}
EncryptedData::= SEQUENCE {
version CMSVersion,
encryptedContentInfo EncryptedContentInfo,
unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Authenticated-data Content Type

id-ct-authDataOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs-9(9)   smime(16)
   ct(1)   2
}
AuthenticatedData::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
macAlgorithm MessageAuthenticationCodeAlgorithm,
digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
encapContentInfo EncapsulatedContentInfo,
authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode,
unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
AuthAttributes::= SET SIZE (1..MAX) OF Attribute
UnauthAttributes::= SET SIZE (1..MAX) OF Attribute
MessageAuthenticationCode::= OCTET STRING
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Useful Types

Version Numbers  Up
CMSVersion::= INTEGER {
v0(0),
v1(1),
v2(2),
v3(3),
v4(4),
v5(5) }
Algorithm Identifiers  Up
DigestAlgorithmIdentifier::= AlgorithmIdentifier
SignatureAlgorithmIdentifier::= AlgorithmIdentifier
KeyEncryptionAlgorithmIdentifier::= AlgorithmIdentifier
ContentEncryptionAlgorithmIdentifier::= AlgorithmIdentifier
MessageAuthenticationCodeAlgorithm::= AlgorithmIdentifier
KeyDerivationAlgorithmIdentifier::= AlgorithmIdentifier
Certificates  Up
CertificateSet::= SET OF CertificateChoices
CertificateChoices::= CHOICE {
certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete
v2AttrCert [2] IMPLICIT AttributeCertificateV2,
other [3] IMPLICIT OtherCertificateFormat }
AttributeCertificateV2::= SET OF AttributeCertificate
OtherCertificateFormat::= SEQUENCE {
otherCertFormat OBJECT IDENTIFIER,
otherCert ANY DEFINED BY otherCertFormat }
Certificate Revocation Lists  Up
RevocationInfoChoices::= SET OF RevocationInfoChoice
RevocationInfoChoice::= CHOICE {
crl CertificateList,
other [1] IMPLICIT OtherRevocationInfoFormat }
OtherRevocationInfoFormat::= SEQUENCE {
otherRevInfoFormat OBJECT IDENTIFIER,
otherRevInfo ANY DEFINED BY otherRevInfoFormat }
Issuer and Serial Number  Up
IssuerAndSerialNumber::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber }
User Keying Material  Up
UserKeyingMaterial::= OCTET STRING
Other Key Attribute  Up
OtherKeyAttribute::= SEQUENCE {
keyAttrId OBJECT IDENTIFIER,
keyAttr ANY DEFINED BY keyAttrId }
Attribute type  Up
Attribute::= SEQUENCE {
attrType OBJECT IDENTIFIER,
attrValues SET OF AttributeValue }
AttributeValue::= ANY
Top General Data Signed-data Enveloped-data Digested-data
  Encrypted-data Authenticated-data Useful Types Useful Attributes

Useful Attributes

Content Type Up
The content-type attribute type specifies the content type of the ContentInfo within signed-data or authenticated-data. The content- type attribute type MUST be present whenever signed attributes are present in signed-data or authenticated attributes present in authenticated-data. The content-type attribute value MUST match the encapContentInfo eContentType value in the signed-data or authenticated-data. The content-type attribute MUST be a signed attribute or an authenticated attribute.
id-contentTypeOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs9(9)   3
}
ContentType::= OBJECT IDENTIFIER
Message Digest Up
The message-digest attribute type specifies the message digest of the encapContentInfo eContent OCTET STRING being signed in signed-data or authenticated in authenticated-data. For signed-data, the message digest is computed using the signer's message digest algorithm. For authenticated-data, the message digest is computed using the originator's message digest algorithm. Within signed-data, the message-digest signed attribute type MUST be present when there are any signed attributes present. Within authenticated-data, the message-digest authenticated attribute type MUST be present when there are any authenticated attributes present. The message-digest attribute MUST be a signed attribute or an authenticated attribute.
id-messageDigestOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs9(9)   4
}
MessageDigest::= OCTET STRING
Signing Time Up
The signing-time attribute type specifies the time at which the signer (purportedly) performed the signing process. It is intended for use in signed-data. The signing-time attribute type MUST be a signed attribute or an authenticated attribute.
id-signingTimeOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs9(9)   5
}
SigningTime::= Time
Time::= CHOICE {
utcTime UTCTime
generalTime GeneralizedTime }
Countersignature Up
The countersignature attribute type specifies one or more signatures on the contents octets of the signature OCTET STRING in a SignerInfo value of the signed-data. Thus, it countersigns (signs in serial) another signature. The countersignature attribute type MUST be an unsigned attribute.
id-countersignatureOBJECT IDENTIFIER ::= {
   iso(1)   member-body(2)   us(840)   rsadsi(113549)   pkcs(1)   pkcs9(9)   6
}
Countersignature::= SignerInfo
Last update: September 18, 2009 
© 2005-2010 Joël Repiquet, All Rights Reserved.