PKCS7: Error: Object has zero length.
Dirk-Willem van Gulik
dirkx at webweaving.org
Wed Aug 2 10:27:06 UTC 2023
On 5 May 2020, at 12:17, minfrin at sharp.fm wrote:
> I am trying to create a "Degenerate certificates-only CMS Signed-Data? using openssl openssl-1.1.1c (from CentOS8) as described by https://tools.ietf.org/html/draft-gutmann-scep-15#section-3.4, and in the process I am getting the entry "Error: Object has zero length? in the PKCS7 structure and I don't know how to get rid of it:
>
> 0 2395: SEQUENCE {
> 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
> 15 2380: [0] {
> 19 2376: SEQUENCE {
> 23 1: INTEGER 1
> 26 0: SET {}
> 28 15: SEQUENCE {
> 30 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
> 41 2: [0] {
> 43 0: OCTET STRING
> : Error: Object has zero length. <???? here
> : }
> : }
> [snip]
>
> The code is here: https://source.redwax.eu/projects/RS/repos/mod_scep/browse/mod_scep.c#1134
>
> Or more specifically looks like this:
>
> p7 = PKCS7_new();
> PKCS7_set_type(p7, NID_pkcs7_signed);
> PKCS7_content_new(p7, NID_pkcs7_data);
> PKCS7_add_certificate(p7, cert);
> PKCS7_add_certificate(p7, conf->signer);
> i2d_PKCS7_bio(b, p7);
>
> Can anyone confirm what step I am missing?
Following the example of pkcs7crl - it seems that below is the approach to take.
But would love comments from an OpenSSL expert - as below is mostly cargo culting.
/* RFC 8894, 3.4: For SCEP, the content field of the ContentInfo value of
* a degenerate certificates-only SignedData MUST be omitted.
*/
p7 = PKCS7_new();
p7s = PKCS7_SIGNED_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
p7->d.sign = p7s;
p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
ASN1_INTEGER_set(p7s->version,1);
p7s->cert = sk_X509_new_null();
sk_X509_push(p7s->cert, cert1);
sk_X509_push(p7s->cert, signer);
p7s->crl = sk_X509_CRL_new_null();
i2d_PKCS7_bio(b, p7);
Dw
PKCS7:
type: pkcs7-signedData (1.2.840.113549.1.7.2)
d.sign:
version: 1
md_algs:
<EMPTY>
contents:
type: pkcs7-data (1.2.840.113549.1.7.1)
d.data: <ABSENT>
cert:
cert_info:
version: 2
serialNumber: 0x7ACEBF564F34757DC970F67683F5435CEC159F3B
signature:
algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
parameter: NULL
issuer: CN=ca-test-scep
validity:
notBefore: Aug 1 13:06:37 2023 GMT
notAfter: Aug 31 13:06:37 2023 GMT
subject: CN=ca-test-scep
key: X509_PUBKEY:
algor:
algorithm: rsaEncryption (1.2.840.113549.1.1.1)
parameter: NULL
public_key: (0 unused bits)
0000 - 30 82 01 0a 02 82 01 01-00 ca cf 01 47 d5 0...........G.
....
010a - 03 01 00 01 ....
issuerUID: <ABSENT>
subjectUID: <ABSENT>
extensions:
object: X509v3 Subject Key Identifier (2.5.29.14)
critical: BOOL ABSENT
value:
0000 - 04 14 ab c6 fe 23 ec bd-13 aa f7 77 b0 .....#.....w.
000d - cc df a0 a2 e4 c9 a6 dd-79 ........y
object: X509v3 Authority Key Identifier (2.5.29.35)
critical: BOOL ABSENT
value:
0000 - 30 16 80 14 ab c6 fe 23-ec bd 13 aa f7 0......#.....
000d - 77 b0 cc df a0 a2 e4 c9-a6 dd 79 w.........y
object: X509v3 Basic Constraints (2.5.29.19)
critical: TRUE
value:
0000 - 30 03 01 01 ff 0....
sig_alg:
algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
parameter: NULL
signature: (0 unused bits)
0000 - 8c 99 b2 a2 32 a6 53 82-9b 4a 97 fc 22 3a 7c ....2.S..J..":|
....
00f0 - e7 2e 05 42 61 2b 16 4e-67 12 4c cf a0 6f 57 ...Ba+.Ng.L..oW
00ff - 62 b
cert_info:
version: 2
serialNumber: 0x7ACEBF564F34757DC970F67683F5435CEC159F3B
signature:
algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
parameter: NULL
issuer: CN=ca-test-scep
validity:
notBefore: Aug 1 13:06:37 2023 GMT
notAfter: Aug 31 13:06:37 2023 GMT
subject: CN=ca-test-scep
key: X509_PUBKEY:
algor:
algorithm: rsaEncryption (1.2.840.113549.1.1.1)
parameter: NULL
public_key: (0 unused bits)
0000 - 30 82 01 0a 02 82 01 01-00 ca cf 01 47 d5 0...........G.
...
010a - 03 01 00 01 ....
issuerUID: <ABSENT>
subjectUID: <ABSENT>
extensions:
object: X509v3 Subject Key Identifier (2.5.29.14)
critical: BOOL ABSENT
value:
0000 - 04 14 ab c6 fe 23 ec bd-13 aa f7 77 b0 .....#.....w.
000d - cc df a0 a2 e4 c9 a6 dd-79 ........y
object: X509v3 Authority Key Identifier (2.5.29.35)
critical: BOOL ABSENT
value:
0000 - 30 16 80 14 ab c6 fe 23-ec bd 13 aa f7 0......#.....
000d - 77 b0 cc df a0 a2 e4 c9-a6 dd 79 w.........y
object: X509v3 Basic Constraints (2.5.29.19)
critical: TRUE
value:
0000 - 30 03 01 01 ff 0....
sig_alg:
algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
parameter: NULL
signature: (0 unused bits)
0000 - 8c 99 b2 a2 32 a6 53 82-9b 4a 97 fc 22 3a 7c ....2.S..J..":|
....
00ff - 62 b
crl:
<EMPTY>
signer_info:
<EMPTY>
0:d=0 hl=4 l=1615 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=1600 cons: cont [ 0 ]
19:d=2 hl=4 l=1596 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 0 cons: SET
28:d=3 hl=2 l= 11 cons: SEQUENCE
30:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
41:d=3 hl=4 l=1570 cons: cont [ 0 ]
45:d=4 hl=4 l= 783 cons: SEQUENCE
49:d=5 hl=4 l= 503 cons: SEQUENCE
53:d=6 hl=2 l= 3 cons: cont [ 0 ]
55:d=7 hl=2 l= 1 prim: INTEGER :02
58:d=6 hl=2 l= 20 prim: INTEGER :7ACEBF564F34757DC970F67683F5435CEC159F3B
80:d=6 hl=2 l= 13 cons: SEQUENCE
82:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
93:d=7 hl=2 l= 0 prim: NULL
95:d=6 hl=2 l= 23 cons: SEQUENCE
97:d=7 hl=2 l= 21 cons: SET
99:d=8 hl=2 l= 19 cons: SEQUENCE
101:d=9 hl=2 l= 3 prim: OBJECT :commonName
106:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
120:d=6 hl=2 l= 30 cons: SEQUENCE
122:d=7 hl=2 l= 13 prim: UTCTIME :230801130637Z
137:d=7 hl=2 l= 13 prim: UTCTIME :230831130637Z
152:d=6 hl=2 l= 23 cons: SEQUENCE
154:d=7 hl=2 l= 21 cons: SET
156:d=8 hl=2 l= 19 cons: SEQUENCE
158:d=9 hl=2 l= 3 prim: OBJECT :commonName
163:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
177:d=6 hl=4 l= 290 cons: SEQUENCE
181:d=7 hl=2 l= 13 cons: SEQUENCE
183:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
194:d=8 hl=2 l= 0 prim: NULL
196:d=7 hl=4 l= 271 prim: BIT STRING
471:d=6 hl=2 l= 83 cons: cont [ 3 ]
473:d=7 hl=2 l= 81 cons: SEQUENCE
475:d=8 hl=2 l= 29 cons: SEQUENCE
477:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
482:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
506:d=8 hl=2 l= 31 cons: SEQUENCE
508:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
513:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
539:d=8 hl=2 l= 15 cons: SEQUENCE
541:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
546:d=9 hl=2 l= 1 prim: BOOLEAN :255
549:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
556:d=5 hl=2 l= 13 cons: SEQUENCE
558:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
569:d=6 hl=2 l= 0 prim: NULL
571:d=5 hl=4 l= 257 prim: BIT STRING
832:d=4 hl=4 l= 779 cons: SEQUENCE
836:d=5 hl=4 l= 499 cons: SEQUENCE
840:d=6 hl=2 l= 3 cons: cont [ 0 ]
842:d=7 hl=2 l= 1 prim: INTEGER :02
845:d=6 hl=2 l= 20 prim: INTEGER :0F7078BF3836891FEDD9F4827383C70CEF8E6E99
867:d=6 hl=2 l= 13 cons: SEQUENCE
869:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
880:d=7 hl=2 l= 0 prim: NULL
882:d=6 hl=2 l= 23 cons: SEQUENCE
884:d=7 hl=2 l= 21 cons: SET
886:d=8 hl=2 l= 19 cons: SEQUENCE
888:d=9 hl=2 l= 3 prim: OBJECT :commonName
893:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
907:d=6 hl=2 l= 30 cons: SEQUENCE
909:d=7 hl=2 l= 13 prim: UTCTIME :230801150559Z
924:d=7 hl=2 l= 13 prim: UTCTIME :230831150559Z
939:d=6 hl=2 l= 23 cons: SEQUENCE
941:d=7 hl=2 l= 21 cons: SET
943:d=8 hl=2 l= 19 cons: SEQUENCE
945:d=9 hl=2 l= 3 prim: OBJECT :commonName
950:d=9 hl=2 l= 12 prim: UTF8STRING :ra-test-scep
964:d=6 hl=4 l= 290 cons: SEQUENCE
968:d=7 hl=2 l= 13 cons: SEQUENCE
970:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
981:d=8 hl=2 l= 0 prim: NULL
983:d=7 hl=4 l= 271 prim: BIT STRING
1258:d=6 hl=2 l= 79 cons: cont [ 3 ]
1260:d=7 hl=2 l= 77 cons: SEQUENCE
1262:d=8 hl=2 l= 11 cons: SEQUENCE
1264:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
1269:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
1275:d=8 hl=2 l= 29 cons: SEQUENCE
1277:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
1282:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04146B9856B974066BF9B1B183A405D402138C5C7691
1306:d=8 hl=2 l= 31 cons: SEQUENCE
1308:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
1313:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
1339:d=5 hl=2 l= 13 cons: SEQUENCE
1341:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1352:d=6 hl=2 l= 0 prim: NULL
1354:d=5 hl=4 l= 257 prim: BIT STRING
1615:d=3 hl=2 l= 0 cons: cont [ 1 ]
1617:d=3 hl=2 l= 0 cons: SET
More information about the openssl-users
mailing list