
PKCS7

PKCS#7, published by RSA Laboratories as part of the Public Key Cryptography Standards (version 1.5 is also available as RFC 2315), is the Cryptographic Message Syntax Standard: a container format for cryptographic data. It is used to sign, digest, and encrypt arbitrary data and to carry the results, together with the certificates needed to check them, in a standardized way. The IETF's Cryptographic Message Syntax (CMS) is its direct descendant.

PKCS#7 v1.5 defines six content types: Data, SignedData, EnvelopedData, SignedAndEnvelopedData, DigestedData, and EncryptedData. Each is an ASN.1 structure, wrapped in a ContentInfo that names the type by OID, and is encoded with BER; in practice most messages are DER, but indefinite-length BER is permitted and is emitted by some streaming implementations, so parsers should expect both. A SignedData object carries the content (or, for a detached signature, nothing but a reference to it), one or more SignerInfo entries, each with its digest algorithm, signature algorithm, and optional signed attributes, and optionally the signer certificates and CRLs needed to verify them; EnvelopedData encapsulates content encrypted for one or more recipients, with the content-encryption key wrapped separately for each recipient; DigestedData carries a message digest of the content; EncryptedData contains content encrypted under a key that is established outside the message. Together these structures provide a flexible framework for combining data, signatures, certificates, and revocation lists. One caveat for anyone writing verification logic: a SignedData with no SignerInfo entries is valid and common (it is how certificate bundles are shipped), so parsing a message successfully is not the same as verifying a signature.

PKCS#7 is widely used as the basis for secure messaging in S/MIME and for packaging cryptographic operations in email and other protocols. In modern practice the CMS standard (RFC 5652) supersedes PKCS#7 in most contexts, the two formats are largely backward compatible, and the term PKCS#7 is often used interchangeably with CMS; software and libraries typically accept PKCS#7/CMS payloads under both names.

Common file extensions associated with PKCS#7 include .p7s for detached signatures, .p7m for signed or enveloped messages, and .p7b or .p7c for certificate-only bundles (a SignedData carrying certificates but no signers).

Related concepts include the other PKCS standards from RSA, the CMS specification, and S/MIME as a practical application.

OpenSSL (the openssl cms subcommand, and the older openssl smime and openssl pkcs7 subcommands), Bouncy Castle, and other cryptographic libraries provide tooling to create, parse, and verify PKCS#7/CMS messages. PKCS#7 remains relevant for interoperability with legacy systems and with a range of security tooling.
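As an added example (not code from the original page, and not any library's API), the following standard-library Python walks the DER of a PKCS#7 ContentInfo: it reads the tag-length-value framing, decodes the contentType OID against the six PKCS#7 content types, and for SignedData reports the version and the number of SignerInfo entries. The sample messages at the bottom are constructed inline with a tiny encoder and carry placeholder bytes rather than real signatures; the certs-only sample shows why a parser reporting signedData is not the same as a verified signature. The decoder deliberately accepts DER only and rejects indefinite-length BER, which production tooling must handle.

```python
PKCS7_TYPES = {  # content types under the pkcs-7 arc 1.2.840.113549.1.7 (RFC 2315)
    "1.2.840.113549.1.7.1": "data", "1.2.840.113549.1.7.2": "signedData",
    "1.2.840.113549.1.7.3": "envelopedData", "1.2.840.113549.1.7.4": "signedAndEnvelopedData",
    "1.2.840.113549.1.7.5": "digestedData", "1.2.840.113549.1.7.6": "encryptedData",
}
SEQ, SET, OID, INT, OCTETS, CTX0 = 0x30, 0x31, 0x06, 0x02, 0x04, 0xA0

# --- tiny DER encoder, used only to build the constructed samples at the bottom ---
def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:  # short-form length
        length = bytes([n])
    else:         # long form: 0x80 | number of length bytes, then the length big-endian
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first byte packs the first two arcs
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on every byte except the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

VERSION1 = tlv(INT, b"\x01")  # INTEGER 1; samples never need larger values

# --- DER decoder ---
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; BER-only forms are rejected."""
    if len(buf) < pos + 2 or buf[pos] & 0x1F == 0x1F or buf[pos + 1] == 0x80:
        raise ValueError("truncated header, multi-byte tag, or indefinite length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("declared length exceeds buffer")
    return tag, buf[pos:end], end

def children(payload):
    """Members of a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    first = value[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_pkcs7(der):
    """Name the content type; for SignedData also report version and signer count."""
    tag, body, end = read_tlv(der)
    if tag != SEQ or end != len(der):
        raise ValueError("ContentInfo must be exactly one SEQUENCE")
    parts = children(body)
    if not parts or parts[0][0] != OID:
        raise ValueError("ContentInfo.contentType OID missing")
    oid = decode_oid(parts[0][1])
    info = {"contentType": PKCS7_TYPES.get(oid, oid)}
    if info["contentType"] != "signedData":
        return info
    if len(parts) != 2 or parts[1][0] != CTX0:
        raise ValueError("SignedData must follow as [0] EXPLICIT content")
    _, sd_body, _ = read_tlv(parts[1][1])
    # SignedData ::= SEQUENCE { version, digestAlgorithms SET, contentInfo,
    #   certificates [0] IMPLICIT OPTIONAL, crls [1] IMPLICIT OPTIONAL, signerInfos SET }
    fields = children(sd_body)
    info["version"] = int.from_bytes(fields[0][1], "big")
    info["signers"] = len(children(fields[-1][1]))
    return info

def has_signers(der):
    """A certs-only (.p7b-style) SignedData parses cleanly but attests nothing."""
    return inspect_pkcs7(der).get("signers", 0) > 0

# --- constructed samples: placeholder bytes, not real signatures ---
SHA256, RSA_SHA256 = "2.16.840.1.101.3.4.2.1", "1.2.840.113549.1.1.11"

def signed_data(digest_algs, signer_infos):
    body = VERSION1 + tlv(SET, digest_algs) + tlv(SEQ, der_oid("1.2.840.113549.1.7.1")) + tlv(SET, signer_infos)
    return tlv(SEQ, der_oid("1.2.840.113549.1.7.2") + tlv(CTX0, tlv(SEQ, body)))

PLACEHOLDER_SIGNER = tlv(SEQ, VERSION1 + tlv(SEQ, tlv(SEQ, b"") + VERSION1)  # version, issuerAndSerialNumber
                         + tlv(SEQ, der_oid(SHA256)) + tlv(SEQ, der_oid(RSA_SHA256))  # digest / signature alg
                         + tlv(OCTETS, b"\x00" * 8))  # encryptedDigest: dummy bytes, not a signature
CERTS_ONLY = signed_data(b"", b"")  # shape of a .p7b bundle: SignedData with zero SignerInfos
ONE_SIGNER = signed_data(tlv(SEQ, der_oid(SHA256)), PLACEHOLDER_SIGNER)
DATA_ONLY = tlv(SEQ, der_oid("1.2.840.113549.1.7.1") + tlv(CTX0, tlv(OCTETS, b"hello")))
```

Running inspect_pkcs7 over CERTS_ONLY and ONE_SIGNER returns signedData for both, with 0 and 1 signers respectively; only has_signers distinguishes the certificate bundle from a message that actually carries a signature, and even that only says a signature is present, not that it verifies. To read a real .p7s or .p7m, pass the file's bytes to inspect_pkcs7; if the file was produced as indefinite-length BER (common with streaming OpenSSL output), read_tlv will reject it at the first 0x80 length byte.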