

Components of a CMS/PKCS #7 Message

The CMS/PKCS #7 message structure facilitates the implementation of one or multiple security services into a message. Attributes can also be associated with the CMS/PKCS #7 message, which yield additional information about the message.

Data to Be Protected

CMS/PKCS #7 gains the capability of applying multiple security services to data by storing it in a ContentInfo object. This object is a property of the two primary classes that protect data in the System.Security.Cryptography.Pkcs namespace, SignedCms and EnvelopedCms. The ContentInfo object might store unprotected data, but it might also encapsulate data that was previously protected by a CMS/PKCS #7 security service. This encapsulation allows nested layers of security to be applied to data. For example, data that has already been digitally signed can then be digitally enveloped.

The data being supplied with a new layer of protection in a CMS/PKCS #7 message, which is in the ContentInfo object, is referred to as the inner content of the CMS/PKCS #7 message. The data that results from applying that protection is referred to as the outer content of the CMS/PKCS #7 message. The outer content is obtained by invoking the Encode method of the applicable CMS/PKCS #7 message object. In practice, this means invoking System.Security.Cryptography.Pkcs.SignedCms.Encode or System.Security.Cryptography.Pkcs.EnvelopedCms.Encode.

For more information about data that is protected by multiple security services, see Enveloped and Signed CMS/PKCS #7 Message. For a code example of data protected by multiple security services, see How to: Sign and Envelop a Message.
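The following C# program is an added example, not code from the original page or from the .NET documentation's own samples. It applies the two layers described above: the plaintext is the inner content of a SignedCms, the bytes returned by SignedCms.Encode are the outer content of that layer, and those bytes in turn become the inner content of an EnvelopedCms. It then unwinds the layers in reverse order. The self-signed certificate and the message text are constructed purely for illustration; in practice the signer and recipient would hold separate, CA-issued certificates.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: sign, then envelop, then decrypt and verify (constructed data throughout).
static class SignThenEnvelopExample
{
    // Builds an in-memory self-signed certificate that can act as both signer and recipient.
    static X509Certificate2 MakeSelfSignedCert(string subjectName)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: false));
        using X509Certificate2 ephemeral =
            req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        // Round-trip through PFX so the returned certificate owns its private key independently of 'rsa'.
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string?)null, X509KeyStorageFlags.Exportable);
    }

    public static void Main()
    {
        using X509Certificate2 cert = MakeSelfSignedCert("CN=constructed example subject");
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample message");

        // Layer 1: the plaintext is the inner content of the SignedCms.
        var signed = new SignedCms(new ContentInfo(plaintext), detached: false);
        signed.ComputeSignature(new CmsSigner(cert));
        byte[] signedOuter = signed.Encode();          // outer content of layer 1

        // Layer 2: the signed outer content is the inner content of the EnvelopedCms.
        var enveloped = new EnvelopedCms(new ContentInfo(signedOuter));
        enveloped.Encrypt(new CmsRecipient(cert));
        byte[] envelopedOuter = enveloped.Encode();    // outer content of layer 2; this is what is transmitted

        // Unwind in reverse: decrypt the envelope with the recipient's private key first...
        var envelopedIn = new EnvelopedCms();
        envelopedIn.Decode(envelopedOuter);
        envelopedIn.Decrypt(new X509Certificate2Collection(cert));

        // ...then decode and verify the signature on the recovered inner content.
        var signedIn = new SignedCms();
        signedIn.Decode(envelopedIn.ContentInfo.Content);
        // verifySignatureOnly: true skips chain building, which a self-signed test certificate would fail;
        // a production consumer should leave it false (or build the chain itself) so the signer is trusted.
        signedIn.CheckSignature(verifySignatureOnly: true);

        Console.WriteLine(Encoding.UTF8.GetString(signedIn.ContentInfo.Content));
    }
}
```

The order matters on the receiving side: the envelope must be opened before the signature can be checked, because the signed structure is inside the encrypted content. Opening requires the recipient's private key, so a party without it cannot even see who signed the message.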

Attributes

CMS/PKCS #7 enables you to place attributes in protected messages. An attribute consists of an object identifier (Oid) that identifies what kind of attribute it is, and data that holds the value of the attribute. The choice, location, and characteristics of these attributes depend on the type of CMS/PKCS #7 message.

A SignedCms message can carry two types of signature-specific attributes: those that are signed along with the message content, and those that remain unsigned. For more information, see SignedCms Message. An EnvelopedCms message can carry attributes that remain unencrypted. For more information, see EnvelopedCms Message.

The following attribute classes are included in the System.Security.Cryptography.Pkcs namespace. Some are required by the CMS/PKCS #7 standards, and others are attributes useful in many application scenarios:

Custom attributes can also be fashioned to suit the needs of an application. Derive a custom attribute class from Pkcs9AttributeObject.

Subjects

A subject in a CMS/PKCS #7 message is an entity involved in producing or consuming the message. Depending on the behavior of an application, a subject may play any of a number of different roles. Examples of such roles include sender, author, signer, countersigner, recipient, or reader of a message, or some combination thereof. The subject can be a person, a software application, or any other entity that has a unique identity. The two main classes that embody subjects in System.Security.Cryptography.Pkcs are CmsSigner and CmsRecipient.

Subjects in CMS/PKCS #7 use cryptographic credentials to perform their operations. These are usually in the form of a public key certificate with an associated private key. A subject is identified and located by its public key certificate. That certificate can be uniquely identified in one of two ways.

  • The distinguished name of the issuer along with an issuer-specific certificate serial number

  • A subject key identifier

These mechanisms of identification are represented in the SubjectIdentifierType enumeration. Some of the constructors used in the CmsSigner and CmsRecipient classes take a SubjectIdentifierType member as input.
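The C# program below is an added example, not code from the original page, and it serves both the Attributes section and the Subjects section above. It adds a standard signed attribute (Pkcs9SigningTime), a custom signed attribute derived from Pkcs9AttributeObject, and an unsigned attribute to a CmsSigner; it identifies the signer by subject key identifier and the recipient by issuer and serial number using SubjectIdentifierType; and on the consuming side it reads back how each subject was identified and which attributes are covered by the signature. The PFX path and password, the attribute OID and the message text are assumptions made for the example.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Custom attribute: a DER-encoded UTF8String under a placeholder OID (added example; the OID is not registered).
sealed class AppLabelAttribute : Pkcs9AttributeObject
{
    public const string OidValue = "1.2.3.4.5.6.7.8.9";   // placeholder OID, an assumption for this example

    public AppLabelAttribute(string label)
        : base(new Oid(OidValue), EncodeUtf8String(label)) { }

    private static byte[] EncodeUtf8String(string value)
    {
        var writer = new AsnWriter(AsnEncodingRules.DER);
        writer.WriteCharacterString(UniversalTagNumber.UTF8String, value);
        return writer.Encode();
    }
}

static class AttributeAndSubjectExample
{
    public static void Main()
    {
        // Assumption: a certificate with private key in "signer.pfx"; it should carry a
        // Subject Key Identifier extension if the signer is to be identified that way.
        using var cert = new X509Certificate2("signer.pfx", "pfx-password", X509KeyStorageFlags.Exportable);
        byte[] content = Encoding.UTF8.GetBytes("constructed sample message");

        // Signer identified by subject key identifier rather than issuer + serial number.
        var signer = new CmsSigner(SubjectIdentifierType.SubjectKeyIdentifier, cert);
        // Signed attributes are covered by the signature; altering them invalidates it.
        signer.SignedAttributes.Add(new Pkcs9SigningTime(DateTime.UtcNow));
        signer.SignedAttributes.Add(new AppLabelAttribute("constructed-label"));
        // Unsigned attributes travel with the SignerInfo but are not protected by the signature.
        signer.UnsignedAttributes.Add(new Pkcs9DocumentDescription("not covered by the signature"));

        var signed = new SignedCms(new ContentInfo(content));
        signed.ComputeSignature(signer);
        byte[] encoded = signed.Encode();

        // Consumer side: decode, report how the signer was identified and which attributes are signed.
        var decoded = new SignedCms();
        decoded.Decode(encoded);
        SignerInfo info = decoded.SignerInfos[0];
        Console.WriteLine($"signer identified by: {info.SignerIdentifier.Type}");
        foreach (CryptographicAttributeObject attr in info.SignedAttributes)
            Console.WriteLine($"signed attribute:   {attr.Oid.Value} ({attr.Oid.FriendlyName})");
        foreach (CryptographicAttributeObject attr in info.UnsignedAttributes)
            Console.WriteLine($"unsigned attribute: {attr.Oid.Value}");
        // verifySignatureOnly: true skips chain building; set it to false when the signer must be trusted.
        decoded.CheckSignature(verifySignatureOnly: true);

        // Recipients are addressed the same way; the EnvelopedCms records the chosen identifier type.
        var recipient = new CmsRecipient(SubjectIdentifierType.IssuerAndSerialNumber, cert);
        var env = new EnvelopedCms(new ContentInfo(encoded));
        env.Encrypt(recipient);
        var envDecoded = new EnvelopedCms();
        envDecoded.Decode(env.Encode());
        Console.WriteLine($"recipient identified by: {envDecoded.RecipientInfos[0].RecipientIdentifier.Type}");
    }
}
```

When signed attributes are present, ComputeSignature adds the content-type and message-digest attributes the standard requires, so they appear in the signed-attribute listing alongside the ones added explicitly. The unsigned attribute is listed but plays no part in CheckSignature, which is exactly why a consumer must not base security decisions on unsigned attributes.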