PKCS 7

From Wikipedia, the free encyclopedia
PKCS #7
Filename extension: .p7b, .p7s, .p7m, .p7c, .p7r
Developed by: RSA Security
Latest release: 1.5 (1 March 1998)
Type of format: Archive file format
Container for: X.509 public key certificates, X.509 CRLs

In cryptography, PKCS #7 ("PKCS #7: Cryptographic Message Syntax", "CMS") is a standard syntax for storing signed and/or encrypted data. PKCS #7 is one of the family of standards called Public-Key Cryptography Standards (PKCS) created by RSA Laboratories.

Standard

The latest version, 1.5, is available as RFC 2315.[1]

An update to PKCS #7 is described in RFC 2630,[2] which was replaced in turn by RFC 3369,[3] RFC 3852[4] and then by RFC 5652.[5]

PKCS #7 files may be stored either in raw DER format or in PEM format. PEM format is the same DER encoding wrapped inside Base64 and sandwiched between -----BEGIN PKCS7----- and -----END PKCS7-----. Windows uses the .p7b file name extension[6] for both of these encodings.

A typical use of a PKCS #7 file is to store certificates and/or certificate revocation lists (CRLs).

Here is an example of how to download a certificate, wrap it inside a PKCS #7 archive, and then read it back from that archive:

$ echo '' | openssl s_client -connect example.org:443 -host example.org 2>/dev/null | openssl x509 > example.org.cer 2>/dev/null

$ openssl crl2pkcs7 -nocrl -certfile example.org.cer -out example.org.cer.pem.p7b

$ openssl pkcs7 -in example.org.cer.pem.p7b -noout -print_certs
subject=C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA

File types

  • .p7r – response to a CSR. Contains the newly-signed certificate and the CA's own certificate.
  • .p7s – Digital signature. May contain the original signed file or message. Used in S/MIME for email signing. Defined in RFC 2311.
  • .p7m – Message (SignedData, EnvelopedData), e.g. an encrypted ("enveloped") file, message or MIME email letter. Defined in RFC 2311.
  • .p7c – degenerate SignedData "certs-only" structure, without any data to sign. Defined in RFC 2311.
  • .p7b – SignedData structure without data, just a bundle of certificate(s) and/or CRLs (rarely), but never a private key. Uses DER form, BER, or PEM that starts with -----BEGIN PKCS7-----. The format used by Windows for certificate interchange. Supported by Java, but often with .keystore as the extension instead. Unlike .pem-style certificates, this format has a defined way to include certification-path certificates.
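The DER/PEM encodings described above and the "certs-only" SignedData layout used by .p7b and .p7c files are small enough to build and parse by hand. The following is an added example written for this page, not code from the Wikipedia article or from OpenSSL: it assembles a degenerate SignedData (version 1, empty digestAlgorithms, an id-data encapContentInfo with no content, a [0] IMPLICIT certificates set, and an empty signerInfos set) inside a ContentInfo, wraps it in the -----BEGIN PKCS7----- armour, and parses it back, refusing anything whose contentType is not id-signedData. The two "certificates" it embeds are constructed stand-in SEQUENCEs labelled as such; a real .p7b carries X.509 Certificate structures in that position.

```python
"""Minimal DER/PEM handling for a certs-only ("degenerate") PKCS #7 SignedData.

Added example, not taken from the Wikipedia article or from OpenSSL. The two
"certificates" at the bottom are constructed stand-ins, not real X.509 certs.
"""
import base64
import textwrap

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData (PKCS #7 / CMS)
OID_DATA = "1.2.840.113549.1.7.1"          # id-data, eContentType with no eContent

# --- DER encoding -----------------------------------------------------------

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, body)

def build_certs_only(cert_ders):
    """ContentInfo{id-signedData, [0] SignedData{v1, {}, id-data, certs, {}}}."""
    signed_data = (
        der_tlv(0x02, b"\x01")                 # version 1
        + der_tlv(0x31, b"")                   # digestAlgorithms: empty SET
        + der_tlv(0x30, der_oid(OID_DATA))     # encapContentInfo, no eContent
        + der_tlv(0xA0, b"".join(cert_ders))   # [0] IMPLICIT certificates
        + der_tlv(0x31, b"")                   # signerInfos: empty SET (degenerate)
    )
    return der_tlv(0x30, der_oid(OID_SIGNED_DATA) + der_tlv(0xA0, der_tlv(0x30, signed_data)))

# --- DER decoding -----------------------------------------------------------

def der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a constructed body into (tag, inner_body, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner, body[start:pos]))
    return out

def decode_oid(body):
    parts, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def parse_certs_only(p7_der):
    """Return version, embedded certificates (raw DER) and signer count."""
    tag, body, _ = der_read(p7_der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    children = der_children(body)
    if len(children) != 2 or children[0][0] != 0x06:
        raise ValueError("malformed ContentInfo")
    content_type, explicit = children
    if decode_oid(content_type[1]) != OID_SIGNED_DATA:
        raise ValueError("not SignedData: " + decode_oid(content_type[1]))
    fields = der_children(der_children(explicit[1])[0][1])
    if len(fields) < 4 or fields[-1][0] != 0x31:
        raise ValueError("malformed SignedData")
    certs = []
    for tag, inner, _raw in fields[3:]:
        if tag == 0xA0:                        # [0] IMPLICIT certificates
            certs = [raw for _t, _b, raw in der_children(inner)]
    return {"version": int.from_bytes(fields[0][1], "big"),
            "certs": certs,
            "signer_count": len(der_children(fields[-1][1]))}

# --- PEM armour -------------------------------------------------------------

def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN PKCS7-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END PKCS7-----\n"

def from_pem(pem):
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PKCS7-----" or lines[-1] != "-----END PKCS7-----":
        raise ValueError("not a PEM-armoured PKCS7 block")
    return base64.b64decode("".join(lines[1:-1]))

# Constructed stand-ins; a real .p7b holds X.509 Certificate SEQUENCEs here.
STANDIN_CERT_A = der_tlv(0x30, der_tlv(0x04, b"stand-in certificate A"))
STANDIN_CERT_B = der_tlv(0x30, der_tlv(0x04, b"stand-in certificate B"))

if __name__ == "__main__":
    pem = to_pem(build_certs_only([STANDIN_CERT_A, STANDIN_CERT_B]))
    print(pem)
    print(parse_certs_only(from_pem(pem)))
```

The parser deliberately checks the contentType OID before descending, because a .p7b and a .p7m share the same outer ContentInfo shape; treating an EnvelopedData blob as a certificate bundle is the kind of confusion this check prevents.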


References

  1. RFC 2315 - Public-Key Cryptography Standards (PKCS) #7: Cryptographic Message Syntax Specification Version 1.5, March 1998
  2. RFC 2630 - Cryptographic Message Syntax, June 1999
  3. RFC 3369 - Cryptographic Message Syntax (CMS), August 2002
  4. RFC 3852 - Cryptographic Message Syntax (CMS), July 2004
  5. RFC 5652 - Cryptographic Message Syntax (CMS), September 2009
  6. ".p7b Extension - List of Windows programs that can open .p7b files".