I recently started working on an EST server implementation and was wondering how to useSimplePKIResponseto send CA certificates to the client. I have been reading and searching but cannot really make sense of how to use the BC API.

What I understand / what I tried so far:

1. When sending a Simple PKI Response to the client, the data structure to be sent is a SignedData structure encapsulated in a ContentInfo structure, which is NOT signed (Section 2.2 of RFC 5272):

   Simple PKI Request                      Simple PKI Response   -------------------------               --------------------------    +----------+                            +------------------+    | PKCS #10 |                            | CMS ContentInfo  |    +----------+--------------+             +------------------+------+    | Certification Request   |             | CMS Signed Data,        |    |                         |             |   no SignerInfo         |    | Subject Name            |             |    | Subject Public Key Info |             | SignedData contains one |    |   (K_PUB)               |             | or more certificates in |    | Attributes              |             | the certificates field  |    |                         |             | Relevant CA certs and   |    +-----------+-------------+             | CRLs can be included    |                | signed with |             | as well.                |                | matching    |             |                         |                | K_PRIV      |             | encapsulatedContentInfo |                +-------------+             | is absent.              |                                            +--------------+----------+                                                           | unsigned |                                                           +----------+

2. The SignedData structure usually contains the following (Section 5.1 of RFC 5652):

SignedData ::= SEQUENCE {        version CMSVersion,        digestAlgorithms DigestAlgorithmIdentifiers,        encapContentInfo EncapsulatedContentInfo,        certificates [0] IMPLICIT CertificateSet OPTIONAL,        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,        signerInfos SignerInfos }      DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier      SignerInfos ::= SET OF SignerInfo

3. In case of the Simple PKI Response, however, SignedData only contains one or more certificates (and optionally CRLs). The way I understand this is, that theencapContentInfo andsignerInfos is not part of the structure. This only leavesversion,digestAlgorithms,certificates andcrls (which was optional to begin with).

4. SimplePKIResponse has two constructors, although I find the javadoc forSimplePKIResponse(byte[] responseEncoding)confusing, as it states the parameter is the: "BER/DER encoding of the certificate.", but this constructor just calls the second constructor by passing it a ContentInfo instance. What is the meaning of "the certificate"? Also, the second constructor `SimplePKIResponse(ContentInfo signedData) is what seems to be used in ESTService directly, so I was looking into this further.

5. In addition, I followed the example in the documentation forCMSSignedDataGenerator to get a SignedData object. The certificates (and the signer) have been added, but what is the purpose ofCMSTypedData? The javadoc says the parameter content ofgenerate(CMSTypedData content) is "the content to be signed". I was then asking myself if this generator is only to be used for regular SignedData structures.

Hence, I am wondering if I am going at this the wrong way or if I am supposed to build an ASN.1 data structure of this non-conventional SignedData myself?

Could someone point me in the right direction? Thank you in advance 😃