PKCS 7

{{Short description|Cryptography standard}}

{{Correct title|title=PKCS #7|reason=hash}}

{{Infobox file format

| name = PKCS #7

| icon =

| extension = .p7b, .p7s, .p7m, .p7c, .p7r

| mime =

| released =

| standard =

| url =

| type code =

| uniform type =

| owner = RSA Security

| latest release version = 1.5

| latest release date = {{Start date and age|1998|03|01|df=yes}}

| genre = Archive file format

| container for = X.509 public key certificates, X.509 CRLs

| contained by =

| extended from =

| extended to =

}}

In cryptography, PKCS #7 ("PKCS #7: Cryptographic Message Syntax", "CMS") is a standard syntax for storing signed and/or encrypted data. PKCS #7 is one of the family of standards called Public-Key Cryptography Standards (PKCS) created by RSA Laboratories.

== Standard ==

The latest version, 1.5, is available as RFC 2315.<ref>{{IETF RFC|2315}} - Public-Key Cryptography Standards (PKCS) #7: Cryptographic Message Syntax Specification Version 1.5, March 1998</ref>

An update to PKCS #7 is described in RFC 2630,<ref>{{IETF RFC|2630}} - Cryptographic Message Syntax, June 1999</ref> which was replaced in turn by RFC 3369,<ref>{{IETF RFC|3369}} - Cryptographic Message Syntax (CMS), August 2002</ref> RFC 3852<ref>{{IETF RFC|3852}} - Cryptographic Message Syntax (CMS), July 2004</ref> and then by RFC 5652.<ref>{{IETF RFC|5652}} - Cryptographic Message Syntax (CMS), September 2009</ref>

PKCS #7 files may be stored either as raw DER or as PEM. PEM is the same DER data wrapped in Base64 encoding and sandwiched between {{samp|{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}BEGIN PKCS7{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}}} and {{samp|{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}END PKCS7{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}{{nbhyph}}}} lines. Windows uses the .p7b file name extension<ref>{{Cite web|url=https://extension.nirsoft.net/p7b|title=.p7b Extension - List of Windows programs that can open .p7b files}}</ref> for both encodings.

A typical use of a PKCS #7 file would be to store certificates and/or certificate revocation lists (CRL).

Here is an example of how to first download a certificate, then wrap it inside a PKCS #7 archive, and then read it back from that archive:

<syntaxhighlight lang="console">
$ echo '' | openssl s_client -connect example.org:443 -host example.org 2>/dev/null | openssl x509 > example.org.cer 2>/dev/null
$ openssl crl2pkcs7 -nocrl -certfile example.org.cer -out example.org.cer.pem.p7b
$ openssl pkcs7 -in example.org.cer.pem.p7b -noout -print_certs
subject=C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
</syntaxhighlight>

== File types ==

* .p7r – Response to a CSR. Contains the newly signed certificate and the CA's own certificate.
* .p7s – Digital signature. May contain the original signed file or message. Used in S/MIME for email signing. Defined in RFC 2311.
* .p7m – Message (SignedData, EnvelopedData), e.g. an encrypted ("enveloped") file, message or MIME email. Defined in RFC 2311.
* .p7c – Degenerate SignedData "certs-only" structure, without any data to sign. Defined in RFC 2311.
* .p7b – SignedData structure without data: just a bundle of certificate(s) and/or (rarely) CRLs, but never a private key. Stored in DER, BER or PEM form, the latter starting with {{code|-----BEGIN PKCS7-----}}. The format used by Windows for certificate interchange. Supported by Java, but often with .keystore as the extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.
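The following is an added example (not from the standard or from OpenSSL) that ties the two points above together: it builds the degenerate "certs-only" SignedData structure described for .p7c/.p7b in plain DER, wraps it in the PEM armor with the BEGIN/END PKCS7 lines, and then strips the armor and walks the DER back to report the content type, version and number of certificates, CRLs and signer infos. Only the Python standard library is used. The two "certificates" are constructed placeholder SEQUENCEs, not real X.509 certificates, and the set elements are emitted in the order given rather than DER-sorted; everything else follows the ContentInfo and SignedData layouts of RFC 2315.

```python
import base64
import re

# Content type OIDs from PKCS #7 (RFC 2315, section 14)
OID_DATA = "1.2.840.113549.1.7.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"


def der_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    # Wrap body in a DER tag-length-value triple
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    # Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    # Value octets of a DER OBJECT IDENTIFIER -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    # Read one TLV at pos; return (tag, value bytes, position after it)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def read_children(body):
    # Split a constructed value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def build_certs_only(certs_der, crls_der=()):
    # "certs-only" SignedData (RFC 2315 section 9): version 1, empty
    # digestAlgorithms, inner ContentInfo of type data with no content,
    # the certificates, optional CRLs, and an empty signerInfos set.
    body = der_tlv(0x02, b"\x01")                     # version INTEGER 1
    body += der_tlv(0x31, b"")                        # digestAlgorithms: empty SET
    body += der_tlv(0x30, encode_oid(OID_DATA))       # contentInfo: data, no content
    if certs_der:
        body += der_tlv(0xA0, b"".join(certs_der))    # certificates [0] IMPLICIT
    if crls_der:
        body += der_tlv(0xA1, b"".join(crls_der))     # crls [1] IMPLICIT
    body += der_tlv(0x31, b"")                        # signerInfos: empty SET
    signed_data = der_tlv(0x30, body)
    # Outer ContentInfo: contentType signedData, content [0] EXPLICIT SignedData
    return der_tlv(0x30, encode_oid(OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))


def der_to_pem(der, label="PKCS7"):
    # Base64 the DER between -----BEGIN/END PKCS7----- lines, 64 chars per line
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_to_der(text, label="PKCS7"):
    # Strip the PEM armor and decode the Base64 body back to DER
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), text, re.S)
    if not m:
        raise ValueError("no %s PEM block found" % label)
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def inspect_p7(der):
    # Summarise a ContentInfo: outer type and, for SignedData, version,
    # inner content type and counts of certificates, CRLs and signer infos
    tag, ci, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    elems = read_children(ci)
    info = {"content_type": decode_oid(elems[0][1])}
    if info["content_type"] != OID_SIGNED_DATA or len(elems) < 2:
        return info
    _, sd, _ = read_tlv(elems[1][1])                  # unwrap [0] EXPLICIT
    fields = read_children(sd)
    info["version"] = int.from_bytes(fields[0][1], "big")
    info["inner_content_type"] = decode_oid(read_children(fields[2][1])[0][1])
    info.update(certificates=0, crls=0, signer_infos=0)
    for tag, body in fields[3:]:
        if tag == 0xA0:
            info["certificates"] = len(read_children(body))
        elif tag == 0xA1:
            info["crls"] = len(read_children(body))
        elif tag == 0x31:
            info["signer_infos"] = len(read_children(body))
    return info


# Constructed placeholders standing in for DER X.509 certificates: real
# certificates are SEQUENCEs too, but these are not parseable as X.509.
PLACEHOLDER_CERTS = [
    der_tlv(0x30, der_tlv(0x04, b"constructed placeholder cert 1")),
    der_tlv(0x30, der_tlv(0x04, b"constructed placeholder cert 2")),
]

if __name__ == "__main__":
    p7_pem = der_to_pem(build_certs_only(PLACEHOLDER_CERTS))
    print(p7_pem)
    print(inspect_p7(pem_to_der(p7_pem)))
```

Run as a script it prints the PEM text and a summary such as {'content_type': '1.2.840.113549.1.7.2', 'version': 1, 'inner_content_type': '1.2.840.113549.1.7.1', 'certificates': 2, 'crls': 0, 'signer_infos': 0}. The same inspect_p7 function applied to a real .p7b produced by {{code|openssl crl2pkcs7}} will report the actual certificate count; for a signed .p7s the signer_infos count is non-zero and the inner content type is whatever was signed.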

== References ==
{{Reflist}}