PKCS 7
PKCS #7, formally known as Public-Key Cryptography Standards #7: Cryptographic Message Syntax Version 1.5, is a specification that defines a general syntax for representing data to which cryptographic operations—such as digital signatures, encryption, and message digests—have been applied, enabling secure handling of content like digital envelopes and authenticated messages.[1] Developed by RSA Laboratories, it uses Abstract Syntax Notation One (ASN.1) for structure definition and Basic Encoding Rules (BER) for encoding, supporting recursive nesting of protected content and the inclusion of certificates or certificate revocation lists to facilitate verification.[1] This standard provides a flexible framework for interoperability in public-key cryptography applications, ensuring that protected data can be processed in a single pass without requiring multiple decryptions.[2]
Initiated in the early 1990s as part of the broader PKCS family of standards aimed at promoting public-key cryptography adoption, PKCS #7 was first published on November 1, 1993, to extend capabilities beyond earlier protocols like Privacy-Enhanced Mail (PEM) while maintaining compatibility.[2] It evolved through collaboration with developers to address needs in secure messaging and data protection, with its Version 1.5 incorporating support for six primary content types: data, signed-data, enveloped-data, signed-and-enveloped-data, digested-data, and encrypted-data.[1] In 1998, RSA Laboratories submitted it to the Internet Engineering Task Force (IETF) as RFC 2315, an informational document that formalized the syntax for wider dissemination.[1]
The IETF later refined and standardized PKCS #7 as the Cryptographic Message Syntax (CMS) in RFC 5652 (2009), enhancing it with features like algorithm-independent key management, support for attribute certificates, and improved handling of key agreement schemes while preserving backward compatibility with existing PKCS #7 implementations.[3] PKCS #7 and its CMS successor remain foundational in protocols such as Secure/Multipurpose Internet Mail Extensions (S/MIME) for signed and encrypted email, where it defines the application/pkcs7-mime media type.[4] It is also integral to Microsoft Authenticode for digitally signing executable files to verify authenticity and integrity in Windows environments.[5] Additional applications include certificate management over CMS (CMC) for public key infrastructure operations.[6]
Overview
Definition and Purpose
PKCS #7, formally known as Public-Key Cryptography Standards #7: Cryptographic Message Syntax Version 1.5, defines a generic syntax for data that may have cryptography applied to it, such as digital signatures or digital envelopes, thereby enabling the storage of digitally signed and/or enveloped (encrypted) data. This syntax supports a range of security mechanisms, including authentication, data integrity, and confidentiality, through structured message formats that encapsulate cryptographic content.[1]
The core purpose of PKCS #7 is to promote interoperability in public-key cryptography systems by standardizing the formatting of signed and encrypted messages, which facilitates secure data exchange in diverse applications like email security and certificate handling. It allows for the consistent generation, transmission, and verification of cryptographically protected data across different vendors and implementations, reducing compatibility issues in key management and message processing.[1][7]
Developed by RSA Laboratories, a division of RSA Data Security, Inc., as part of the broader Public-Key Cryptography Standards (PKCS) series, PKCS #7 was first publicly released on June 3, 1991, with multiple revisions culminating in version 1.5 on November 1, 1993. This effort addressed the need for uniform message formats in emerging cryptographic protocols during the early 1990s.[8][7]
PKCS #7 served as the foundation for the Internet Engineering Task Force's (IETF) Cryptographic Message Syntax (CMS), which was standardized as its successor to incorporate internet-specific enhancements.[9]
Key Features
PKCS #7 provides a flexible framework for cryptographic messaging through its support for multiple signers and nested signatures within the signed-data content type, enabling parallel signing of any content by multiple parties and allowing one signed message to be embedded within another for layered authentication.[10] This capability is particularly useful for scenarios requiring multi-party verification or chained trust relationships.
A distinctive attribute is the ability to embed certificates and certificate revocation lists (CRLs) directly within messages, such as in the signed-data structure, which includes sets of X.509 certificates and CRLs to facilitate validation without external dependencies.[10] This self-contained approach enhances portability and reduces the need for separate certificate exchanges.
The standard offers broad algorithmic flexibility, permitting the use of various hash functions (e.g., MD5), public-key encryption and signature algorithms (e.g., RSA), and symmetric encryption algorithms (e.g., DES), allowing implementations to select appropriate security levels based on context.[10] Later evolutions like CMS extend this to include DSA and other modern options, maintaining compatibility with PKCS #7.[9]
PKCS #7 supports indefinite-length encoding in its Basic Encoding Rules (BER) formulation for certain content types, enabling single-pass processing and streaming of large data volumes without requiring full content to be buffered in memory.[10] This streaming-friendly design is essential for handling voluminous payloads, such as in secure email attachments.
All PKCS #7 messages are structured as Abstract Syntax Notation One (ASN.1) objects encoded using Distinguished Encoding Rules (DER) or Basic Encoding Rules (BER), ensuring compact, binary-compatible representations that are interoperable across diverse systems and languages.[10] This encoding choice promotes deterministic parsing and unambiguous serialization, critical for cryptographic integrity.
History and Development
Origins in PKCS Series
The Public-Key Cryptography Standards (PKCS) series was initiated by RSA Laboratories, a division of RSA Data Security, Inc., in the late 1980s to accelerate the widespread adoption of interoperable public-key cryptography amid the rising demand for secure internet communications.[2] Between 1988 and 1991, RSA Laboratories developed this suite of vendor-neutral standards in collaboration with global developers, aiming to standardize key cryptographic primitives and protocols while soliciting public input without ceding control over final specifications.[11]
PKCS #7, which defines a syntax for cryptographically protected messages, originated with versions 1.0 through 1.3 produced in February and March 1991 by an RSA Laboratories team led by Burton S. Kaliski Jr.[1] This effort was driven by the urgent need for a unified format to encapsulate signed and enveloped data, enabling reliable digital signatures and encryption in distributed systems where prior methods lacked standardization.[2]
In the broader PKCS framework, PKCS #7 emerged concurrently with foundational standards like PKCS #1, which specified RSA encryption and signature schemes, and PKCS #6, which extended X.509 certificate syntax for better attribute handling.[11] These early documents collectively addressed gaps in public-key infrastructure, with PKCS #7 focusing on message-level syntax to integrate seamlessly with the others for end-to-end security.[2]
The initial PKCS #7 draft targeted shortcomings in preexisting ad-hoc formats, such as those in the Privacy Enhanced Mail (PEM) protocol, which were limited to ASCII-encoded text and single signatures unsuitable for evolving MIME-based email environments.[2] By introducing support for binary data, multiple signers, and extensible content types, it provided a more robust foundation for secure messaging.[11]
Standardization Process
PKCS #7 was initially developed and published by RSA Laboratories as part of the Public-Key Cryptography Standards (PKCS) series. Version 1.0 through 1.3 were distributed internally to participants in RSA Data Security's standards meetings in February and March 1991, followed by version 1.4 as part of the initial public release on June 3, 1991.[8] Version 1.5, released in November 1993, introduced enhancements such as support for multiple signers in signed data structures, expanding its utility for complex cryptographic operations.[2] RSA Laboratories maintained the standard through these revisions until 1997, when the company withdrew from ongoing PKCS maintenance to focus on other priorities.[12] This paved the way for the formation of the IETF S/MIME Working Group in October 1997, which began adapting PKCS #7 into the CMS standard.[13]
In 1997, following RSA's withdrawal, the Internet Engineering Task Force (IETF) adopted PKCS #7 as the foundation for the Cryptographic Message Syntax (CMS), a more generalized and updated standard. This transition culminated in the publication of RFC 2630 in June 1999, which formalized CMS while preserving compatibility with PKCS #7 version 1.5 where possible.[14] RFC 2630 was later obsoleted by RFC 3369 (August 2002), which was obsoleted by RFC 3852 (July 2004), and subsequently by RFC 5652 (September 2009), which refined CMS for broader interoperability and security enhancements.[3] PKCS #7 itself was republished by the IETF as RFC 2315 in March 1998 to document version 1.5 for reference.[1]
PKCS #7 played a key institutional role in integrating with established standards, including X.509 for bundling certificates in cryptographic exchanges and early versions of S/MIME for secure email messaging.[4] A significant adoption milestone occurred with its integration into Microsoft's CryptoAPI in Windows 2000, enabling widespread use in software signing and secure communications within enterprise environments.[15] As of 2025, despite the dominance of CMS in modern protocols, PKCS #7 remains referenced in legacy systems for compatibility in areas like code signing and certificate handling.[3]
Message Syntax
Content Types
PKCS #7 defines a set of content types that specify the structure and purpose of cryptographic messages, enabling operations such as signing, encryption, and integrity protection. These types are identified by ASN.1 object identifiers (OIDs) under the pkcs-7 arc (1.2.840.113549.1.7) and allow for the encapsulation of arbitrary data or other enhanced content types. The standard supports flexibility in selecting cryptographic algorithms for these operations.[1]
The primary content types in PKCS #7 are as follows:
| Content Type | OID | Description |
|---|
| data | 1.2.840.113549.1.7.1 | Represents arbitrary binary data, such as plain octet strings, without any cryptographic processing applied.[1] |
| signed-data | 1.2.840.113549.1.7.2 | Encapsulates content along with digital signatures from one or more signers, including encrypted digests to verify integrity and authenticity.[1] |
| enveloped-data | 1.2.840.113549.1.7.3 | Provides confidentiality by encrypting the content and including encrypted symmetric keys for multiple recipients.[1] |
| signed-and-enveloped-data | 1.2.840.113549.1.7.4 | Combines signing and enveloping, where content is signed, then encrypted along with the signatures and keys for recipients and signers.[1] |
| digested-data | 1.2.840.113549.1.7.5 | Includes content paired with a message digest for integrity checking, without signatures.[1] |
| encrypted-data | 1.2.840.113549.1.7.6 | Encrypts content using a symmetric key, but without recipient-specific key information, suitable for scenarios where keys are managed separately.[1] |
Core Data Structures
PKCS #7 employs Abstract Syntax Notation One (ASN.1) to define its core data structures, enabling a flexible and extensible framework for cryptographic messaging.[1] At the highest level, the ContentInfo structure serves as the top-level wrapper for all PKCS #7 messages.[16] It is defined in ASN.1 as:
ContentInfo ::= SEQUENCE {
contentType ContentType,
content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}
ContentInfo ::= SEQUENCE {
contentType ContentType,
content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}
Here, contentType is an OBJECT IDENTIFIER that identifies the type of content encapsulated (such as signed-data or enveloped-data), while the content field holds the actual data, whose structure is determined by the specified contentType.[16] This design allows PKCS #7 to support various content types within a unified syntax, with the optional explicit tagging ([0] EXPLICIT) providing context-specific encoding.[16]
Central to signed messages is the SignerInfo structure, which encapsulates the information for a single signer.[17] Its ASN.1 definition is:
SignerInfo ::= SEQUENCE {
version Version,
issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}
SignerInfo ::= SEQUENCE {
version Version,
issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}
The version field is an INTEGER (1 if the signer's certificate is version 1, or 3 if version 3).[17] issuerAndSerialNumber identifies the signer's certificate via its issuer name and serial number.[17] The digestAlgorithm specifies the hashing algorithm used (e.g., SHA-1), while authenticatedAttributes and unauthenticatedAttributes are sets of optional attributes, with implicit tagging for efficiency ([0] IMPLICIT and [1] IMPLICIT).[17] Authenticated attributes are included in the signature computation, ensuring their integrity, whereas unauthenticated attributes are not.[17] The digestEncryptionAlgorithm denotes the algorithm for signing the digest (e.g., RSA), and encryptedDigest is the OCTET STRING containing the signer's digital signature.[17] A key example of an authenticated attribute is the message-digest attribute, which holds the hash value of the content, computed as the result of applying the specified digest algorithm to the content octets.[17]
For key management in enveloped or signed-and-enveloped data, the RecipientInfo structure facilitates secure key delivery to recipients.[18] It is defined as:
RecipientInfo ::= SEQUENCE {
version Version,
issuerAndSerialNumber IssuerAndSerialNumber,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
}
RecipientInfo ::= SEQUENCE {
version Version,
issuerAndSerialNumber IssuerAndSerialNumber,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
}
The version is typically 0, issuerAndSerialNumber identifies the recipient's certificate, keyEncryptionAlgorithm specifies the encryption method for the session key (e.g., RSA), and encryptedKey is the OCTET STRING of the encrypted content-encryption key.[18] Multiple RecipientInfo instances can be included to support different recipients.
Attributes in PKCS #7 follow the X.501 standard, defined as Attributes ::= SET OF Attribute, where each Attribute is a SEQUENCE of type, values, and optional context.[19] Authenticated attributes, such as signing time or content type, are hashed and signed to provide authenticity, while unauthenticated ones, like countersignatures, offer additional metadata without integrity protection.[17] For instance, the message-digest attribute ensures the receiver can verify the content's integrity by recomputing the hash and comparing it to the signed value.[17]
PKCS #7 messages are encoded using Basic Encoding Rules (BER) as the general encoding format. Distinguished Encoding Rules (DER), a canonical subset of BER, are required for the inner content of signed-data, signed-and-enveloped-data, and digested-data types to ensure unambiguous representation of ASN.1 structures.[20] DER uses definite-length encoding, which may require a two-pass process for length determination in some generators.[20] The standard supports implicit tagging throughout, as seen in attribute and certificate fields, to reduce encoding overhead and improve efficiency without altering the data's semantic meaning.[16]
Conceptually, the hash computation in PKCS #7 involves generating a digest by applying the chosen hash function to the DER-encoded content octets (excluding the identifier and length fields).[21] If authenticated attributes are present, the digest is computed over their complete DER-encoded value instead.[21] This digest is then encrypted with the signer's private key to produce the signature in encryptedDigest, allowing verification by decrypting with the public key and matching against a recomputed digest.[21] This process ensures non-repudiation and integrity for the signed elements.[21]
Applications
Secure Email and S/MIME
PKCS#7 is integral to secure email messaging via its foundational role in the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard, enabling digital signatures and encryption for MIME-based communications.[22] In S/MIME, PKCS#7 structures provide the cryptographic framework for protecting email content against unauthorized access and alterations, with the signed-data content type used for clear-signed messages that preserve readability while verifying sender authenticity, and the enveloped-data content type applied for encrypting messages to ensure confidentiality for specified recipients.[23] This integration allows S/MIME to leverage PKCS#7's robust syntax for embedding certificates, signatures, and encrypted keys directly within email payloads.[22]
The signing and encryption process in S/MIME begins with the sender preparing the email body as a MIME entity, computing a cryptographic digest or signature using their private key, and encapsulating the result in a PKCS#7 object.[22] For clear-signed messages, this PKCS#7 signed-data structure is attached as a multipart/signed MIME part alongside the original body, enabling non-S/MIME recipients to view the content while allowing verification by capable clients.[23] In encryption scenarios, the enveloped-data structure wraps the content with recipient public keys, producing an application/pkcs7-mime body part that obscures the message until decrypted with the corresponding private keys.[22]
These mechanisms deliver key security benefits, including non-repudiation via verifiable digital signatures that bind the sender to the message and integrity assurance by detecting any post-signature modifications.[23] S/MIME version 3, formalized in RFC 2633 in 1999, explicitly mandated compatibility with PKCS#7 formats to ensure interoperability with existing implementations, though contemporary S/MIME version 4.0 (RFC 8551) has transitioned to the Cryptographic Message Syntax (CMS) as its core, maintaining full backward compatibility with PKCS#7 version 1.5 structures.[22]
Practical adoption is evident in widely used email clients; for example, Microsoft Outlook employs PKCS#7 enveloped-data and signed-data for S/MIME encryption and signing of attachments and messages, while Mozilla Thunderbird supports these structures for secure email handling through its built-in S/MIME capabilities.[24]
Code Signing and Software Distribution
PKCS#7's signed-data content type forms the foundation of Microsoft Authenticode, a code-signing technology that embeds digital signatures, including timestamps, within Portable Executable (PE) files such as .exe executables and .dll libraries to authenticate software origin and integrity.[25] This embedding occurs in non-executable sections of the PE file, where the PKCS#7 structure encapsulates the hashed binary content, the signer's certificate chain, and optional attributes like timestamps, ensuring the signature remains attached to the file during distribution.[25] Authenticode signatures are also applied to catalog files (.cat) using detached PKCS#7 signed-data, which include file hashes for verifying multi-file packages without altering the originals.[25]
The signing process begins with the developer obtaining a code-signing certificate from a trusted certificate authority (CA), such as VeriSign, which binds the publisher's identity to the public key.[25] Using tools like SignTool, the developer computes a hash of the binary (typically with SHA-256) and signs it with the corresponding private key, generating a PKCS#7 signed-data object that is then appended to the PE file.[26] To enhance longevity against certificate expiration, timestamps are added via countersignatures from a Time-Stamp Authority (TSA), as defined in RFC 3161, where the TSA creates a PKCS#7 signed-data token over the original signature's hash and signing time, confirming the signing occurred before the certificate's validity end.[27][26]
Verification of an Authenticode signature involves multiple steps: the system recomputes the file hash and compares it against the decrypted signature value using the signer's public key from the embedded certificate; it then validates the certificate chain up to a trusted root CA and checks revocation status via Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP).[25] If a timestamp countersignature is present, its validity is similarly checked against the TSA's certificate, ensuring the software was signed at a verifiable time.[27] This process has been integral to Windows driver signing, where kernel-mode components like ci.dll enforce Authenticode validation to prevent loading of tampered or unsigned drivers, a requirement solidified with Windows Vista in 2007 but rooted in earlier implementations.[25]
By detecting any modifications to the signed binary through hash mismatches, PKCS#7-based Authenticode prevents tampering and malware injection during software distribution, thereby building user trust in the publisher.[25] For instance, Adobe Acrobat employs PKCS#7 signed-data in the adbe.pkcs7.detached format to embed digital signatures in PDF documents, hashing the document content (excluding the signature itself) and encrypting the hash to maintain integrity against alterations post-signing.[28] In software update scenarios, PKCS#7's enveloped-data content type supports secure key distribution by encrypting symmetric keys for recipients, enabling confidential delivery of update payloads.[1]
Common Extensions
PKCS#7 messages are commonly stored using specific file extensions that indicate their content type and encoding, with conventions originating from S/MIME implementations in the 1990s.[29]
The .p7b and .p7c extensions are used for Base64-encoded PKCS#7 files containing certificates or signed data without the original content, often serving as certificate chain bundles.[30][31]
In contrast, .p7m files represent signed-and-enveloped data, encapsulating both the signed message and encryption for secure email transmission, and are particularly prevalent in European contexts for digitally signed communications.[31][32]
The .p7s extension denotes detached signatures, which include only the PKCS#7 signed-data structure for verifying separately stored content.[31]
PKCS#7 files may be encoded in PEM format, which uses Base64 with header and footer markers like "-----BEGIN PKCS7-----", or in DER format, which is the binary equivalent without such wrappers.[33]
Encoding and Usage
PKCS#7 structures are encoded using the Distinguished Encoding Rules (DER) of ASN.1, providing a compact binary format suitable for storage and transmission. This encoding ensures deterministic representation of the cryptographic message syntax, with message digests computed over the DER-encoded content octets. For text-based applications, PKCS#7 data is often converted to Privacy-Enhanced Mail (PEM) format by Base64-encoding the DER bytes and enclosing them in ASCII armor with headers like -----BEGIN PKCS7----- and -----END PKCS7-----, facilitating compatibility with email and configuration files.
Practical implementation relies on established tools and APIs. The OpenSSL toolkit supports PKCS#7 operations through commands like openssl cms -sign, which generates signed messages by specifying input data, signer certificates, and optional detached mode via the -outform DER or PEM flags. Similarly, Java libraries such as BouncyCastle provide Cryptographic Message Syntax (CMS) APIs, enabling programmatic creation and verification of PKCS#7 structures using classes such as CMSSignedData from the org.bouncycastle.cms package.[34]
Common usage pitfalls include the choice between detached and opaque signing modes. In detached signing, the original content is omitted from the PKCS#7 SignedData structure, requiring separate provision of the data for verification, which aids in scenarios like software distribution but demands careful handling to avoid mismatches. Opaque signing embeds the content directly within the structure, simplifying bundled transmission but increasing file size and potentially complicating updates to the signed data. Interoperability challenges often stem from algorithm selections, such as employing deprecated digests like MD5 or SHA-1, which may fail validation in modern systems enforcing stronger primitives like SHA-256, or mismatches in key exchange algorithms that violate RFC compatibility rules.
A representative example is exporting certificate chains from the Windows Certificate Store. Using the Certificate Manager (certmgr.msc), users can select a certificate, choose "Export" under All Tasks, and specify PKCS#7 format (.p7b) without the private key, producing a SignedData structure containing the end-entity certificate and its chain for secure distribution to clients or servers. This method ensures chain integrity without exposing sensitive keys, commonly used in PKI deployments.
Relation to CMS
Evolution from PKCS 7
The IETF began adopting PKCS #7 in 1997 through discussions in working groups like PKIX, leading to its formal standardization as the Cryptographic Message Syntax (CMS) to integrate it into Internet protocols.[35] This effort culminated in RFC 2630, published in June 1999, which defined CMS version 1 as the IETF's standards-track specification derived from PKCS #7 version 1.5.[36] CMS was further updated and consolidated in RFC 5652, published in September 2009, which obsoleted prior versions and incorporated errata to enhance clarity and security.[3] Subsequent RFCs, such as 6268 (2011) for updated ASN.1 modules and 9629 (2024) for key encapsulation mechanism (KEM) support, have further enhanced CMS for modern cryptographic needs including post-quantum resistance.[37][38]
The primary motivations for evolving PKCS #7 into CMS were to provide broader support for cryptographic algorithms beyond those initially defined by RSA Laboratories and to establish an open Internet standard independent of proprietary influences.[39] PKCS #7, originally developed by RSA in 1993, was limited in its algorithm scope, such as lacking support for mechanisms like OAEP key transport or AES encryption.[1] By contrast, CMS extended these capabilities while maintaining backward compatibility with PKCS #7 version 1.5 wherever possible, ensuring that existing implementations could interoperate with minimal disruption.[40]
CMS retains a high degree of compatibility with PKCS #7, allowing it to be used seamlessly in modern protocols for secure communications.[41] This evolution has facilitated widespread adoption, with legacy systems continuing to rely on PKCS #7 for compatibility reasons, while new implementations preferentially use CMS to leverage its enhanced features and IETF standardization.[40]
Key Differences
CMS introduces several new content types not present in PKCS #7, including authenticated-enveloped-data, which provides both confidentiality and integrity protection for message content using authenticated encryption algorithms, as defined in RFC 5083. Additionally, CMS supports compressed-data, allowing for the compression of message content prior to cryptographic operations to reduce transmission size, specified in RFC 3274. In terms of recipient mechanisms, CMS extends key agreement support to include modern schemes like Elliptic Curve Diffie-Hellman (ECDH) through the KeyAgreeRecipientInfo structure, enabling more flexible key derivation processes beyond the key transport methods predominant in PKCS #7.[42]
Regarding algorithms, CMS offers greater extensibility for cryptographic primitives, accommodating post-quantum options through the assignment of new object identifiers (OIDs) for algorithms resistant to quantum attacks, such as those standardized by NIST in recent years.[38] In contrast, PKCS #7 is constrained to algorithms from the 1990s, including insecure options like MD5 for hashing and limited signature schemes, without provisions for emerging quantum-safe alternatives.
Syntax-wise, CMS employs a stricter ASN.1 specification based on ITU-T standards from the late 1980s to 2002, mandating explicit tagging in certain structures to ensure unambiguous parsing, such as in the SignedData and EnvelopedData types.[43] Furthermore, CMS obsoletes the use of indefinite-length encoding in many cases, requiring definite-length DER encoding to promote interoperability and avoid parsing ambiguities that were permissible under PKCS #7's more permissive BER rules.[43]
In terms of compatibility, most PKCS #7 messages can be parsed and processed by CMS-compliant implementations due to syntactic alignment and backward-compatible OIDs for core content types like data, signed-data, and enveloped-data.[39] However, the reverse is not true; CMS messages incorporating new features or OIDs, such as those for authenticated-enveloped-data or post-quantum algorithms, cannot be reliably interpreted by legacy PKCS #7 systems, potentially leading to rejection or errors.[44]