PKCS7: Error: Object has zero length.

Dirk-Willem van Gulik dirkx at webweaving.org
Wed Aug 2 10:27:06 UTC 2023


On 5 May 2020, at 12:17, minfrin at sharp.fm wrote:

> I am trying to create a "Degenerate certificates-only CMS Signed-Data? using openssl openssl-1.1.1c (from CentOS8) as described by https://tools.ietf.org/html/draft-gutmann-scep-15#section-3.4, and in the process I am getting the entry "Error: Object has zero length? in the PKCS7 structure and I don't know how to get rid of it:
> 
>   0 2395: SEQUENCE {
>   4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>  15 2380:   [0] {
>  19 2376:     SEQUENCE {
>  23    1:       INTEGER 1
>  26    0:       SET {}
>  28   15:       SEQUENCE {
>  30    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
>  41    2:         [0] {
>  43    0:           OCTET STRING
>         :             Error: Object has zero length.    <???? here
>         :           }
>         :         }
> [snip]
> 
> The code is here: https://source.redwax.eu/projects/RS/repos/mod_scep/browse/mod_scep.c#1134
> 
> Or more specifically looks like this:
> 
>    p7 = PKCS7_new();
>    PKCS7_set_type(p7, NID_pkcs7_signed);
>    PKCS7_content_new(p7, NID_pkcs7_data);
>    PKCS7_add_certificate(p7, cert);
>    PKCS7_add_certificate(p7, conf->signer);
>    i2d_PKCS7_bio(b, p7);
> 
> Can anyone confirm what step I am missing?

Following the example of pkcs7crl - it seems that below is the approach to take. 

But would love comments from an OpenSSL expert - as below is mostly cargo culting.

    /* RFC 8894, 3.4: For SCEP, the content field of the ContentInfo value of 
     * a degenerate certificates-only SignedData MUST be omitted. 
     */
    p7 = PKCS7_new();
    p7s = PKCS7_SIGNED_new();

    PKCS7_set_type(p7, NID_pkcs7_signed);
    p7->d.sign = p7s;

    p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
    ASN1_INTEGER_set(p7s->version,1);

    p7s->cert = sk_X509_new_null();
    sk_X509_push(p7s->cert, cert1);
    sk_X509_push(p7s->cert, signer);

    p7s->crl = sk_X509_CRL_new_null();

    i2d_PKCS7_bio(b, p7);

Dw

PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
      <EMPTY>
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: <ABSENT>
    cert:
        cert_info: 
          version: 2
          serialNumber: 0x7ACEBF564F34757DC970F67683F5435CEC159F3B
          signature: 
            algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
            parameter: NULL
          issuer: CN=ca-test-scep
          validity: 
            notBefore: Aug  1 13:06:37 2023 GMT
            notAfter: Aug 31 13:06:37 2023 GMT
          subject: CN=ca-test-scep
          key:           X509_PUBKEY: 
            algor: 
              algorithm: rsaEncryption (1.2.840.113549.1.1.1)
              parameter: NULL
            public_key:  (0 unused bits)
              0000 - 30 82 01 0a 02 82 01 01-00 ca cf 01 47 d5   0...........G.
....
              010a - 03 01 00 01                                 ....
          issuerUID: <ABSENT>
          subjectUID: <ABSENT>
          extensions:
              object: X509v3 Subject Key Identifier (2.5.29.14)
              critical: BOOL ABSENT
              value: 
                0000 - 04 14 ab c6 fe 23 ec bd-13 aa f7 77 b0   .....#.....w.
                000d - cc df a0 a2 e4 c9 a6 dd-79               ........y

              object: X509v3 Authority Key Identifier (2.5.29.35)
              critical: BOOL ABSENT
              value: 
                0000 - 30 16 80 14 ab c6 fe 23-ec bd 13 aa f7   0......#.....
                000d - 77 b0 cc df a0 a2 e4 c9-a6 dd 79         w.........y

              object: X509v3 Basic Constraints (2.5.29.19)
              critical: TRUE
              value: 
                0000 - 30 03 01 01 ff                           0....
        sig_alg: 
          algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
          parameter: NULL
        signature:  (0 unused bits)
          0000 - 8c 99 b2 a2 32 a6 53 82-9b 4a 97 fc 22 3a 7c   ....2.S..J..":|
....
          00f0 - e7 2e 05 42 61 2b 16 4e-67 12 4c cf a0 6f 57   ...Ba+.Ng.L..oW
          00ff - 62                                             b

        cert_info: 
          version: 2
          serialNumber: 0x7ACEBF564F34757DC970F67683F5435CEC159F3B
          signature: 
            algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
            parameter: NULL
          issuer: CN=ca-test-scep
          validity: 
            notBefore: Aug  1 13:06:37 2023 GMT
            notAfter: Aug 31 13:06:37 2023 GMT
          subject: CN=ca-test-scep
          key:           X509_PUBKEY: 
            algor: 
              algorithm: rsaEncryption (1.2.840.113549.1.1.1)
              parameter: NULL
            public_key:  (0 unused bits)
              0000 - 30 82 01 0a 02 82 01 01-00 ca cf 01 47 d5   0...........G.
...
              010a - 03 01 00 01                                 ....
          issuerUID: <ABSENT>
          subjectUID: <ABSENT>
          extensions:
              object: X509v3 Subject Key Identifier (2.5.29.14)
              critical: BOOL ABSENT
              value: 
                0000 - 04 14 ab c6 fe 23 ec bd-13 aa f7 77 b0   .....#.....w.
                000d - cc df a0 a2 e4 c9 a6 dd-79               ........y

              object: X509v3 Authority Key Identifier (2.5.29.35)
              critical: BOOL ABSENT
              value: 
                0000 - 30 16 80 14 ab c6 fe 23-ec bd 13 aa f7   0......#.....
                000d - 77 b0 cc df a0 a2 e4 c9-a6 dd 79         w.........y

              object: X509v3 Basic Constraints (2.5.29.19)
              critical: TRUE
              value: 
                0000 - 30 03 01 01 ff                           0....
        sig_alg: 
          algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
          parameter: NULL
        signature:  (0 unused bits)
          0000 - 8c 99 b2 a2 32 a6 53 82-9b 4a 97 fc 22 3a 7c   ....2.S..J..":|
....
          00ff - 62                                             b
    crl:
      <EMPTY>
    signer_info:
      <EMPTY>

    0:d=0  hl=4 l=1615 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=1600 cons:  cont [ 0 ]        
   19:d=2  hl=4 l=1596 cons:   SEQUENCE          
   23:d=3  hl=2 l=   1 prim:    INTEGER           :01
   26:d=3  hl=2 l=   0 cons:    SET               
   28:d=3  hl=2 l=  11 cons:    SEQUENCE          
   30:d=4  hl=2 l=   9 prim:     OBJECT            :pkcs7-data
   41:d=3  hl=4 l=1570 cons:    cont [ 0 ]        
   45:d=4  hl=4 l= 783 cons:     SEQUENCE          
   49:d=5  hl=4 l= 503 cons:      SEQUENCE          
   53:d=6  hl=2 l=   3 cons:       cont [ 0 ]        
   55:d=7  hl=2 l=   1 prim:        INTEGER           :02
   58:d=6  hl=2 l=  20 prim:       INTEGER           :7ACEBF564F34757DC970F67683F5435CEC159F3B
   80:d=6  hl=2 l=  13 cons:       SEQUENCE          
   82:d=7  hl=2 l=   9 prim:        OBJECT            :sha256WithRSAEncryption
   93:d=7  hl=2 l=   0 prim:        NULL              
   95:d=6  hl=2 l=  23 cons:       SEQUENCE          
   97:d=7  hl=2 l=  21 cons:        SET               
   99:d=8  hl=2 l=  19 cons:         SEQUENCE          
  101:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
  106:d=9  hl=2 l=  12 prim:          UTF8STRING        :ca-test-scep
  120:d=6  hl=2 l=  30 cons:       SEQUENCE          
  122:d=7  hl=2 l=  13 prim:        UTCTIME           :230801130637Z
  137:d=7  hl=2 l=  13 prim:        UTCTIME           :230831130637Z
  152:d=6  hl=2 l=  23 cons:       SEQUENCE          
  154:d=7  hl=2 l=  21 cons:        SET               
  156:d=8  hl=2 l=  19 cons:         SEQUENCE          
  158:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
  163:d=9  hl=2 l=  12 prim:          UTF8STRING        :ca-test-scep
  177:d=6  hl=4 l= 290 cons:       SEQUENCE          
  181:d=7  hl=2 l=  13 cons:        SEQUENCE          
  183:d=8  hl=2 l=   9 prim:         OBJECT            :rsaEncryption
  194:d=8  hl=2 l=   0 prim:         NULL              
  196:d=7  hl=4 l= 271 prim:        BIT STRING        
  471:d=6  hl=2 l=  83 cons:       cont [ 3 ]        
  473:d=7  hl=2 l=  81 cons:        SEQUENCE          
  475:d=8  hl=2 l=  29 cons:         SEQUENCE          
  477:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Subject Key Identifier
  482:d=9  hl=2 l=  22 prim:          OCTET STRING      [HEX DUMP]:0414ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
  506:d=8  hl=2 l=  31 cons:         SEQUENCE          
  508:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Authority Key Identifier
  513:d=9  hl=2 l=  24 prim:          OCTET STRING      [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
  539:d=8  hl=2 l=  15 cons:         SEQUENCE          
  541:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Basic Constraints
  546:d=9  hl=2 l=   1 prim:          BOOLEAN           :255
  549:d=9  hl=2 l=   5 prim:          OCTET STRING      [HEX DUMP]:30030101FF
  556:d=5  hl=2 l=  13 cons:      SEQUENCE          
  558:d=6  hl=2 l=   9 prim:       OBJECT            :sha256WithRSAEncryption
  569:d=6  hl=2 l=   0 prim:       NULL              
  571:d=5  hl=4 l= 257 prim:      BIT STRING        
  832:d=4  hl=4 l= 779 cons:     SEQUENCE          
  836:d=5  hl=4 l= 499 cons:      SEQUENCE          
  840:d=6  hl=2 l=   3 cons:       cont [ 0 ]        
  842:d=7  hl=2 l=   1 prim:        INTEGER           :02
  845:d=6  hl=2 l=  20 prim:       INTEGER           :0F7078BF3836891FEDD9F4827383C70CEF8E6E99
  867:d=6  hl=2 l=  13 cons:       SEQUENCE          
  869:d=7  hl=2 l=   9 prim:        OBJECT            :sha256WithRSAEncryption
  880:d=7  hl=2 l=   0 prim:        NULL              
  882:d=6  hl=2 l=  23 cons:       SEQUENCE          
  884:d=7  hl=2 l=  21 cons:        SET               
  886:d=8  hl=2 l=  19 cons:         SEQUENCE          
  888:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
  893:d=9  hl=2 l=  12 prim:          UTF8STRING        :ca-test-scep
  907:d=6  hl=2 l=  30 cons:       SEQUENCE          
  909:d=7  hl=2 l=  13 prim:        UTCTIME           :230801150559Z
  924:d=7  hl=2 l=  13 prim:        UTCTIME           :230831150559Z
  939:d=6  hl=2 l=  23 cons:       SEQUENCE          
  941:d=7  hl=2 l=  21 cons:        SET               
  943:d=8  hl=2 l=  19 cons:         SEQUENCE          
  945:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
  950:d=9  hl=2 l=  12 prim:          UTF8STRING        :ra-test-scep
  964:d=6  hl=4 l= 290 cons:       SEQUENCE          
  968:d=7  hl=2 l=  13 cons:        SEQUENCE          
  970:d=8  hl=2 l=   9 prim:         OBJECT            :rsaEncryption
  981:d=8  hl=2 l=   0 prim:         NULL              
  983:d=7  hl=4 l= 271 prim:        BIT STRING        
 1258:d=6  hl=2 l=  79 cons:       cont [ 3 ]        
 1260:d=7  hl=2 l=  77 cons:        SEQUENCE          
 1262:d=8  hl=2 l=  11 cons:         SEQUENCE          
 1264:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Key Usage
 1269:d=9  hl=2 l=   4 prim:          OCTET STRING      [HEX DUMP]:030205A0
 1275:d=8  hl=2 l=  29 cons:         SEQUENCE          
 1277:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Subject Key Identifier
 1282:d=9  hl=2 l=  22 prim:          OCTET STRING      [HEX DUMP]:04146B9856B974066BF9B1B183A405D402138C5C7691
 1306:d=8  hl=2 l=  31 cons:         SEQUENCE          
 1308:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Authority Key Identifier
 1313:d=9  hl=2 l=  24 prim:          OCTET STRING      [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
 1339:d=5  hl=2 l=  13 cons:      SEQUENCE          
 1341:d=6  hl=2 l=   9 prim:       OBJECT            :sha256WithRSAEncryption
 1352:d=6  hl=2 l=   0 prim:       NULL              
 1354:d=5  hl=4 l= 257 prim:      BIT STRING        
 1615:d=3  hl=2 l=   0 cons:    cont [ 1 ]        
 1617:d=3  hl=2 l=   0 cons:    SET               



More information about the openssl-users mailing list