PKCS#7 to JOSE Migration

Migrate from legacy PKCS#7 (CMS) format to modern JOSE (JWE/JWS) format while preserving cryptographic security. AnkaSecure provides conversion utilities that transform PKCS#7 envelopes and signatures to JSON Web Encryption (JWE) and JSON Web Signature (JWS).

---

Why Migrate to JOSE?

Benefits of JOSE Format

JOSE (JSON Object Signing and Encryption): - ✅ Modern standard: IETF RFCs 7515-7518 (widely adopted) - ✅ JSON-native: Native integration with REST APIs, JavaScript, web applications - ✅ Compact format: Smaller payload size vs PKCS#7 (Base64url, no XML overhead) - ✅ Algorithm agility: Easy algorithm transition (built-in algorithm identifier) - ✅ Streaming support: JWET (AnkaSecure extension) for multi-GB files

PKCS#7 (CMS - Cryptographic Message Syntax): - ❌ Legacy format: ASN.1/DER encoding (1990s technology) - ❌ Binary format: Difficult to inspect, debug, transmit via JSON APIs - ❌ Larger overhead: ASN.1 structure adds 20-30% size overhead - ❌ Limited streaming: Not designed for large files

---

Migration Overview

Conversion Process

flowchart LR A[PKCS#7 Envelope] --> B[AnkaSecure Convert API] B --> C[JWE Compact/General] D[PKCS#7 Signed Data] --> E[AnkaSecure Convert API] E --> F[JWS Compact/General]

Key Point: AnkaSecure converts format only, preserving original keys and algorithms. To also upgrade algorithms (RSA → ML-KEM), use re-encryption after conversion.

---

PKCS#7 Enveloped-Data → JWE

Step 1: Analyze PKCS#7 Envelope

Inspect PKCS#7 file:

# View PKCS#7 envelope details
openssl cms -inform DER -in encrypted.p7m -cmsout -print

# Output shows:
# - Encryption algorithm (e.g., AES-256-CBC)
# - Key transport algorithm (e.g., RSA-OAEP)
# - Recipients (certificates)

Extract Metadata: - Encryption algorithm: AES-256-CBC - Key algorithm: RSA-2048-OAEP - Recipient: CN=ACME Corp Certificate

---

Step 2: Import PKCS#7 Recipient Key

If you have the private key for the recipient:

# Extract private key from PKCS#12
openssl pkcs12 -in certificate.p12 -nocerts -nodes -out private-key.pem

# Import to AnkaSecure
curl -X POST https://api.ankasecure.com/api/v1/key-management/keys/import \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "keyId": "imported-rsa-key",
    "format": "PEM",
    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
    "algorithm": "RSA-2048"
  }'

---

Step 3: Convert PKCS#7 → JWE

Via API:

curl -X POST https://api.ankasecure.com/api/v1/migration/convert/pkcs7-to-jwe \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "pkcs7Data": "MIIBqgYJKoZIhvcNAQcDoIIBmzCC...",  # Base64-encoded PKCS#7
    "recipientKeyId": "imported-rsa-key",
    "outputFormat": "compact"  # or "general"
  }'

# Response:
# {
#   "jwe": "eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0...",
#   "format": "compact",
#   "algorithm": "RSA-OAEP-256",
#   "encryption": "A256GCM"
# }

Result: JWE Compact token (dot-separated Base64url)

---

Step 4: Optionally Re-Encrypt to PQC

Now upgrade from RSA to ML-KEM:

# Generate ML-KEM key
curl -X POST https://api.ankasecure.com/api/v1/key-management/keys \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"algorithm":"ML-KEM-768","keyId":"ml-kem-key"}'

# Re-encrypt JWE (RSA → ML-KEM)
curl -X POST https://api.ankasecure.com/api/v1/crypto/reencrypt \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "ciphertext": "eyJhbGciOiJSU0EtT0FFUC0yNTYi...",  # JWE from Step 3
    "newKeyId": "ml-kem-key"
  }'

# Response:
# {
#   "ciphertext": "eyJhbGciOiJNTC1LRU0tNzY4IiwiZW5jIjoiQTI1NkdDTSJ9...",
#   "keyUsed": "ml-kem-key",
#   "algorithm": "ML-KEM-768"
# }

Result: Quantum-resistant JWE (ML-KEM-768 encryption)

---

PKCS#7 Signed-Data → JWS

Step 1: Analyze PKCS#7 Signature

Inspect PKCS#7 signed file:

# View PKCS#7 signature details
openssl cms -inform DER -in signed.p7s -cmsout -print

# Output shows:
# - Signature algorithm (e.g., RSA-SHA256)
# - Signer certificate (CN=...)
# - Signature value

---

Step 2: Import Signing Certificate

Import signer's certificate (for verification):

# Extract certificate from PKCS#7
openssl pkcs7 -inform DER -in signed.p7s -print_certs -out signer-cert.pem

# Import to AnkaSecure (public key only)
curl -X POST https://api.ankasecure.com/api/v1/key-management/keys/import \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "keyId": "imported-rsa-signer",
    "format": "PEM",
    "publicKey": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "algorithm": "RSA-2048"
  }'

---

Step 3: Convert PKCS#7 → JWS

Via API:

curl -X POST https://api.ankasecure.com/api/v1/migration/convert/pkcs7-to-jws \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "pkcs7Signature": "MIIBqgYJKoZIhvcNAQcCoIIBmzCC...",  # Base64-encoded PKCS#7
    "signerKeyId": "imported-rsa-signer",
    "outputFormat": "compact"  # or "general"
  }'

# Response:
# {
#   "jws": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
#   "format": "compact",
#   "algorithm": "RS256",
#   "verified": true
# }

Result: JWS Compact token (dot-separated Base64url)

---

Step 4: Optionally Re-Sign with PQC

Upgrade from RSA to ML-DSA:

# Generate ML-DSA key
curl -X POST https://api.ankasecure.com/api/v1/key-management/keys \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"algorithm":"ML-DSA-65","keyId":"ml-dsa-key"}'

# Re-sign JWS (RSA → ML-DSA)
curl -X POST https://api.ankasecure.com/api/v1/crypto/resign \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "jws": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",  # JWS from Step 3
    "newKeyId": "ml-dsa-key"
  }'

# Response:
# {
#   "jws": "eyJhbGciOiJNTC1EU0EtNjUiLCJ0eXAiOiJKV1QifQ...",
#   "keyUsed": "ml-dsa-key",
#   "algorithm": "ML-DSA-65"
# }

Result: Quantum-resistant JWS (ML-DSA-65 signature)

---

Batch Conversion

Convert Multiple PKCS#7 Files

Automate with CLI:

# Convert all PKCS#7 envelopes in directory
for file in *.p7m; do
  echo "Converting $file..."

  # 1. Convert PKCS#7 → JWE
  ankasecure-cli migration convert-pkcs7 \
    --input "$file" \
    --output "${file%.p7m}.jwe" \
    --format pkcs7-envelope \
    --recipient-key imported-rsa-key

  # 2. Re-encrypt to ML-KEM (optional)
  ankasecure-cli crypto reencrypt \
    --input "${file%.p7m}.jwe" \
    --output "${file%.p7m}.mlkem.jwe" \
    --new-key ml-kem-key
done

echo "Batch conversion complete"

---

Format Comparison

PKCS#7 Enveloped-Data

Structure: ASN.1/DER binary

EnvelopedData ::= SEQUENCE {
  version CMSVersion,
  recipientInfos RecipientInfos,
  encryptedContentInfo EncryptedContentInfo
}

Size: ~1.2-1.5x payload size (ASN.1 overhead)

---

JWE (JSON Web Encryption)

Structure: JSON (compact or general serialization)

Compact Serialization (dot-separated):

BASE64URL(UTF8(JWE Protected Header)) .
BASE64URL(JWE Encrypted Key) .
BASE64URL(JWE Initialization Vector) .
BASE64URL(JWE Ciphertext) .
BASE64URL(JWE Authentication Tag)

Example:

eyJhbGciOiJNTC1LRU0tNzY4IiwiZW5jIjoiQTI1NkdDTSJ9.
UGhvbWJhLi4u.
48V1_ALb6US04U3b.
5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6jiSdiwkIr3ajwQzaBtQD_A.
XFBoMYUZodetZdvTiFvSkQ

Size: ~1.05-1.15x payload size (Base64url overhead, more efficient)

---

Migration Checklist

Pre-Migration

• [ ] Inventory PKCS#7 files (count, total size)
• [ ] Identify recipient certificates/keys
• [ ] Import keys to AnkaSecure (if not already present)
• [ ] Test conversion with sample file (1 file)
• [ ] Verify converted JWE/JWS decrypts/verifies correctly

Migration

• [ ] Convert PKCS#7 → JOSE (format conversion)
• [ ] Optionally re-encrypt/re-sign to PQC algorithms
• [ ] Update applications to use JWE/JWS format
• [ ] Test end-to-end with production-like workload

Post-Migration

• [ ] Archive original PKCS#7 files (for rollback)
• [ ] Monitor for conversion errors (track failure rate)
• [ ] Update documentation (format change notification)
• [ ] Decommission PKCS#7 processing after transition period

---

Troubleshooting

Conversion Fails with "Invalid PKCS#7 Structure"

Symptom: {"error":"MIGRATION_001","message":"Invalid PKCS#7 format"}

Causes: - PKCS#7 file corrupted - Wrong encoding (expecting DER, received PEM or vice versa) - File is not actually PKCS#7 (misnamed)

Solutions: - Verify PKCS#7 structure with OpenSSL:

openssl cms -inform DER -in file.p7m -cmsout -print

- Convert PEM to DER if needed:

openssl cms -inform PEM -in file.pem -outform DER -out file.p7m

Recipient Key Not Found

Symptom: {"error":"KEY_001","message":"Recipient key not found"}

Causes: - Private key not imported to AnkaSecure - Key ID mismatch

Solutions: - Import recipient's private key (Step 2 above) - Verify key ID matches (imported-rsa-key) - List imported keys:

curl https://api.ankasecure.com/api/v1/key-management/keys \
  -H "Authorization: Bearer YOUR_TOKEN"

---

Next Steps

Conversion Successful? Continue with:

• RSA → ML-KEM Migration - Upgrade to quantum-resistant encryption
• RSA → ML-DSA Migration - Upgrade to quantum-resistant signatures
• Migration Planning Guide - Plan organization-wide migration

Need Help? - Error Reference - Complete error code catalog - Migration API Documentation - API details - Support - Contact support team

---

Documentation Version: 3.0.0 Last Updated: 2025-12-26