Is it mandatory to include PKCS#7 data (OID 1.2.840.113549.1.7.1) octet string into the sequence of PKCS#7 signed data?
Question
Is it mandatory to include PKCS#7 data (OID 1.2.840.113549.1.7.1) octet string into the sequence of PKCS#7 signed data?
I mean, if you want to sign a PDF, you are basically adding a PKCS#7 container inside the document. And if the PKCS#7 signed data contains the whole data that was signed, that doubles the length of the signed PDF document.
If this is not mandatory, is there any way to remove the octet string from OID 1.2.840.113549.1.7.1? Or is PKCS#7 signed data integrity protected so that no one is able to just remove this octet string?
Explanation / Answer
The actual data can be omitted from a SignedData encapContentInfo; see the current CMS RFC, which is not materially changed from earlier versions. The RFC calls this an "external signature"; IME it is also called a "detached signature" or "clear-sign[ing,ed]", and is widely used. For example, S/MIME signed messages usually are a multipart containing the plaintext data and, separately, (the encoding of) a no-data/external/detached signature on that plaintext; this allows the text part to be handled by a non-S/MIME-aware or even non-MIME-aware program (only without signature verification).
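To make the attached-versus-external distinction concrete, here is an added example (not code from the original question or answer) that builds a minimal CMS SignedData structure in DER with and without the eContent OCTET STRING, and converts the attached form to the external form by dropping eContent. It assumes the RFC 5652 layout, where `eContent` is `[0] EXPLICIT OCTET STRING OPTIONAL` inside EncapsulatedContentInfo, and where the signature covers the DER of the signedAttrs, which carry the messageDigest of the content rather than the content bytes themselves. The signature value, issuer name and serial number are constructed placeholders (no real key is used), and the sample content is a constructed byte string; the parser handles only the single-byte tags this structure uses.

```python
"""Minimal DER view of CMS SignedData: attached eContent vs external (detached) signature."""
import hashlib

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_DATA = "1.2.840.113549.1.7.1"          # id-data, the OID asked about
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
OID_RSA_SHA256 = "1.2.840.113549.1.1.11"


def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def seq(*items): return tlv(0x30, b"".join(items))
def set_of(*items): return tlv(0x31, b"".join(items))
def integer(n): return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))
def octets(b): return tlv(0x04, b)
def explicit0(body): return tlv(0xA0, body)  # [0] EXPLICIT, constructed


def build_signed_data(content, signature, detached):
    """ContentInfo{signedData} with eContent present (attached) or absent (external)."""
    digest = hashlib.sha256(content).digest()
    attrs = set_of(seq(oid(OID_MESSAGE_DIGEST), set_of(octets(digest))))
    signed_attrs = b"\xa0" + attrs[1:]  # [0] IMPLICIT SET OF Attribute: retag the SET
    signer_info = seq(
        integer(1),
        seq(seq(), integer(1)),  # issuerAndSerialNumber: placeholder empty Name, serial 1
        seq(oid(OID_SHA256)),
        signed_attrs,
        seq(oid(OID_RSA_SHA256), tlv(0x05, b"")),
        octets(signature),       # placeholder signature bytes, not computed with a key
    )
    encap = seq(oid(OID_DATA)) if detached else seq(oid(OID_DATA), explicit0(octets(content)))
    signed_data = seq(integer(1), set_of(seq(oid(OID_SHA256))), encap, set_of(signer_info))
    return seq(oid(OID_SIGNED_DATA), explicit0(signed_data))


def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element with a single-byte tag."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """List of (tag, value, raw_bytes) for the elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val, body[start:pos]))
    return out


def _signed_data_parts(cms):
    _, ci_body, _ = parse_tlv(cms)
    ci = children(ci_body)                 # [eContentType OID, [0] EXPLICIT SignedData]
    _, sd_body, _ = parse_tlv(ci[1][1])
    return ci, children(sd_body)           # [version, digestAlgs, encapContentInfo, ..., signerInfos]


def econtent_of(cms):
    """The eContent bytes if the SignedData carries the data, else None (external signature)."""
    _, sd = _signed_data_parts(cms)
    parts = children(sd[2][1])
    if len(parts) == 1:
        return None
    _, content, _ = parse_tlv(parts[1][1])  # inside [0] EXPLICIT sits the OCTET STRING
    return content


def to_detached(cms):
    """Rewrite an attached SignedData as an external signature by dropping eContent only."""
    ci, sd = _signed_data_parts(cms)
    econtent_type = children(sd[2][1])[0][2]
    new_sd = seq(sd[0][2], sd[1][2], seq(econtent_type), *[c[2] for c in sd[3:]])
    return seq(ci[0][2], explicit0(new_sd))


def message_digest(cms):
    """The messageDigest signed attribute of the first SignerInfo (what the signature covers)."""
    _, sd = _signed_data_parts(cms)
    first_signer = children(sd[-1][1])[0][1]
    signed_attrs = next(c for c in children(first_signer) if c[0] == 0xA0)
    for _, attr_body, _ in children(signed_attrs[1]):
        attr_type, attr_values = children(attr_body)[:2]
        if attr_type[2] == oid(OID_MESSAGE_DIGEST):
            return children(attr_values[1])[0][1]
    return None


if __name__ == "__main__":
    sample = b"%PDF-1.7 constructed sample content, stands in for the signed byte ranges"
    attached = build_signed_data(sample, b"\x00" * 32, detached=False)
    print(len(attached), len(to_detached(attached)), econtent_of(to_detached(attached)))
```

Running `to_detached` on an attached structure yields exactly what `build_signed_data(..., detached=True)` produces, and `message_digest` returns the same SHA-256 value for both forms: the signed attributes, and therefore the signature, are untouched, so a verifier given the external signature plus the original content can still check it, while one without the content cannot. That is the property the answer's "external signature" relies on.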