
Assume that the sender and the recipient both already have each other's public keys (certificates). The sender needs to generate a session key to encrypt some data and send the encrypted data to the recipient. All offline, without interaction steps. But the sender must be authenticated. Could you advise a well-known key management protocol to solve this problem?

I asked this question some time ago but it was deleted. Now I have found the exact answer and want to publish it.

Update: I answered my own question, but it would be great if somebody commented or gave an alternative answer. I want to emphasize that the protocol should be offline; interactive protocols like TLS don't fit. If such an offline protocol without TLS-like handshakes is not possible without additional threats/attacks (replay and others), please specify the most secure protocol and the threats it has that TLS doesn't. Authentication of the source is necessary; non-repudiation is optional.

Vlad

1 Answer


There is an answer in PKCS#7, section 11, "Signed-and-enveloped-data content type". Below, encryption with the signer's private key means the signing process.

"The signed-and-enveloped-data content type consists of encrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message digests for one or more signers. The "double encryption" consists of an encryption with a signer's private key followed by an encryption with the content-encryption key.

The process by which signed-and-enveloped data is constructed involves the following steps:

1. A content-encryption key for a particular content-encryption algorithm is generated at random.

2. For each recipient, the content-encryption key is encrypted with the recipient's public key.

3. For each recipient, the encrypted content-encryption key and other recipient-specific information are collected into a RecipientInfo value, defined in Section 10.2.

4. For each signer, a message digest is computed on the content with a signer-specific message-digest algorithm. (If two signers employ the same message-digest algorithm, then the message digest need be computed for only one of them.)

5. For each signer, the message digest and associated information are encrypted with the signer's private key, and the result is encrypted with the content-encryption key. (The second encryption may require that the result of the first encryption be padded to a multiple of some block size; see Section 10.3 for discussion.)

6. For each signer, the doubly encrypted message digest and other signer-specific information are collected into a SignerInfo value, defined in Section 9.2.

7. The content is encrypted with the content-encryption key.

A recipient opens the envelope and verifies the signatures in two steps. First, one of the encrypted content-encryption keys is decrypted with the recipient's private key, and the encrypted content is decrypted with the recovered content-encryption key. Second, the doubly encrypted message digest for each signer is decrypted with the recovered content-encryption key, the result is decrypted with the signer's public key, and the recovered message digest is compared to an independently computed message digest..."

Vlad