What is the double brace syntax in ASN.1?

Question

I'm reading the PKCS #7 ASN.1 definition, and came across this type. I can't seem to find out what {{Authenticated}} is doing in this code, or what production this would be called. I've also seen as {{...}} in the PKCS #8 standard.

-- ATTRIBUTE information object class specification
ATTRIBUTE ::= CLASS {
  &derivation            ATTRIBUTE OPTIONAL,
  &Type                  OPTIONAL, -- either &Type or &derivation required
  &equality-match        MATCHING-RULE OPTIONAL,
  &ordering-match        MATCHING-RULE OPTIONAL,
  &substrings-match      MATCHING-RULE OPTIONAL,
  &single-valued         BOOLEAN DEFAULT FALSE,
  &collective            BOOLEAN DEFAULT FALSE,
  &dummy                 BOOLEAN DEFAULT FALSE,
  -- operational extensions
  &no-user-modification  BOOLEAN DEFAULT FALSE,
  &usage                 AttributeUsage DEFAULT userApplications,
  &id                    OBJECT IDENTIFIER UNIQUE
}
WITH SYNTAX {
  [SUBTYPE OF &derivation]
  [WITH SYNTAX &Type]
  [EQUALITY MATCHING RULE &equality-match]
  [ORDERING MATCHING RULE &ordering-match]
  [SUBSTRINGS MATCHING RULE &substrings-match]
  [SINGLE VALUE &single-valued]
  [COLLECTIVE &collective]
  [DUMMY &dummy]
  [NO USER MODIFICATION &no-user-modification]
  [USAGE &usage]
  ID &id
}


Authenticated ATTRIBUTE ::= {
  contentType |
  messageDigest |
-- begin added for VCE SCEP-support
  transactionID |
  messageType |
  pkiStatus |
  failInfo |
  senderNonce |
  recipientNonce,
-- end added for VCE SCEP-support
  ...,  -- add application-specific attributes here
  signingTime
}

SignerInfoAuthenticatedAttributes ::= CHOICE {
    aaSet         [0] IMPLICIT SET OF AttributePKCS-7 {{Authenticated}},
    aaSequence    [2] EXPLICIT SEQUENCE OF AttributePKCS-7 {{Authenticated}}
    -- Explicit because easier to compute digest on sequence of attributes and then reuse
    -- encoded sequence in aaSequence.
}

-- Also defined in X.501
-- Redeclared here as a parameterized type
AttributePKCS-7 { ATTRIBUTE:IOSet } ::= SEQUENCE {
   type    ATTRIBUTE.&id({IOSet}),
   values  SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}

-- Inlined from PKCS5v2-0 since it is the only thing imported from that module
-- AlgorithmIdentifier { ALGORITHM-IDENTIFIER:InfoObjectSet } ::=
AlgorithmIdentifier { TYPE-IDENTIFIER:InfoObjectSet } ::=
SEQUENCE {
--  algorithm ALGORITHM-IDENTIFIER.&id({InfoObjectSet}),
  algorithm TYPE-IDENTIFIER.&id({InfoObjectSet}),
--  parameters ALGORITHM-IDENTIFIER.&Type({InfoObjectSet}
  parameters TYPE-IDENTIFIER.&Type({InfoObjectSet}
    {@algorithm}) OPTIONAL }

-- Private-key information syntax

PrivateKeyInfo ::= SEQUENCE {
  version Version,
--  privateKeyAlgorithm AlgorithmIdentifier {{PrivateKeyAlgorithms}},
  privateKeyAlgorithm AlgorithmIdentifier {{...}},
  privateKey PrivateKey,
  attributes [0] Attributes OPTIONAL }

Answer 1

There is no ASN.1 item called double brace. Each single brace (even when nested) is a separate token. Since the definition of AttributePKCS-7 is not given here, I am guessing that it is likely a parametrized definition that takes an Information Object Set as the parameter. The outer pair of braces would be an indication of parameter substitution while the inner pair of braces indicates that Authenticated is an Information Object Set (which is used as the parameter). The purpose of the information object set is to restrict the possible values of certain fields to those contained in the object set. You will need to look at the definition of AttributePKCS-7 to see what components are being restricted by the object set.

As for the {{...}}, this is similar to the above except that the object set is an empty extensible object set (indicated by the {...}) which is being used as a parameter (indicated by the outer pair of braces).