On 5 May 2020, at 12:17, minfrin@xxxxxxxx wrote:

> I am trying to create a "Degenerate certificates-only CMS Signed-Data" using openssl openssl-1.1.1c (from CentOS8) as described by https://tools.ietf.org/html/draft-gutmann-scep-15#section-3.4, and in the process I am getting the entry "Error: Object has zero length" in the PKCS7 structure and I don't know how to get rid of it:
>
>     0 2395: SEQUENCE {
>     4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>    15 2380:   [0] {
>    19 2376:     SEQUENCE {
>    23    1:       INTEGER 1
>    26    0:       SET {}
>    28   15:       SEQUENCE {
>    30    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
>    41    2:         [0] {
>    43    0:           OCTET STRING
>          :             Error: Object has zero length.   <---- here
>          :           }
>          :         }
> [snip]
>
> The code is here: https://source.redwax.eu/projects/RS/repos/mod_scep/browse/mod_scep.c#1134
>
> Or, more specifically, it looks like this:
>
>     p7 = PKCS7_new();
>     PKCS7_set_type(p7, NID_pkcs7_signed);
>     PKCS7_content_new(p7, NID_pkcs7_data);
>     PKCS7_add_certificate(p7, cert);
>     PKCS7_add_certificate(p7, conf->signer);
>     i2d_PKCS7_bio(b, p7);
>
> Can anyone confirm what step I am missing?

Following the example of pkcs7crl, it seems that below is the approach to take. But I would love comments from an OpenSSL expert, as below is mostly cargo culting.

    /* RFC 8894, 3.4: For SCEP, the content field of the ContentInfo value of
     * a degenerate certificates-only SignedData MUST be omitted.
     *
     * cert1 and signer are X509 *, b is the output BIO *. PKCS7_set_type()
     * already allocates p7->d.sign and sets its version to 1, so that
     * PKCS7_SIGNED is reused rather than allocating a second one (which
     * would leak the first).
     */
    p7 = PKCS7_new();
    PKCS7_set_type(p7, NID_pkcs7_signed);
    p7s = p7->d.sign;
    /* Inner ContentInfo: type id-data, but d.data stays NULL so the OPTIONAL
     * [0] content is not encoded at all. PKCS7_content_new() would instead
     * attach an empty OCTET STRING, which is the zero-length object above. */
    p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
    ASN1_INTEGER_set(p7s->version, 1);
    /* The pushed X509 pointers are now owned by p7 and are freed by
     * PKCS7_free(); X509_up_ref() them first if the caller keeps using them. */
    p7s->cert = sk_X509_new_null();
    sk_X509_push(p7s->cert, cert1);
    sk_X509_push(p7s->cert, signer);
    /* An empty CRL stack encodes as an empty crls [1] SET (see the asn1parse
     * output below); leaving p7s->crl NULL would omit the field entirely. */
    p7s->crl = sk_X509_CRL_new_null();
    i2d_PKCS7_bio(b, p7);

    PKCS7:
      type: pkcs7-signedData (1.2.840.113549.1.7.2)
      d.sign:
        version: 1
        md_algs:
          <EMPTY>
        contents:
          type: pkcs7-data (1.2.840.113549.1.7.1)
          d.data: <ABSENT>
        cert:
            cert_info:
              version: 2
              serialNumber: 0x7ACEBF564F34757DC970F67683F5435CEC159F3B
              signature:
                algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
                parameter: NULL
              issuer: CN=ca-test-scep
              validity:
                notBefore: Aug  1 13:06:37 2023 GMT
                notAfter: Aug 31 13:06:37 2023 GMT
              subject: CN=ca-test-scep
              key:
                X509_PUBKEY:
                  algor:
                    algorithm: rsaEncryption (1.2.840.113549.1.1.1)
                    parameter: NULL
                  public_key:  (0 unused bits)
                    0000 - 30 82 01 0a 02 82 01 01-00 ca cf 01 47 d5   0...........G.
                    ....
                    010a - 03 01 00 01                                   ....
              issuerUID: <ABSENT>
              subjectUID: <ABSENT>
              extensions:
                  object: X509v3 Subject Key Identifier (2.5.29.14)
                  critical: BOOL ABSENT
                  value:
                    0000 - 04 14 ab c6 fe 23 ec bd-13 aa f7 77 b0   .....#.....w.
                    000d - cc df a0 a2 e4 c9 a6 dd-79               ........y

                  object: X509v3 Authority Key Identifier (2.5.29.35)
                  critical: BOOL ABSENT
                  value:
                    0000 - 30 16 80 14 ab c6 fe 23-ec bd 13 aa f7   0......#.....
                    000d - 77 b0 cc df a0 a2 e4 c9-a6 dd 79         w.........y

                  object: X509v3 Basic Constraints (2.5.29.19)
                  critical: TRUE
                  value:
                    0000 - 30 03 01 01 ff                            0....
            sig_alg:
              algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
              parameter: NULL
            signature:  (0 unused bits)
              0000 - 8c 99 b2 a2 32 a6 53 82-9b 4a 97 fc 22 3a 7c   ....2.S..J..":|
              ....
              00f0 - e7 2e 05 42 61 2b 16 4e-67 12 4c cf a0 6f 57   ...Ba+.Ng.L..oW
              00ff - 62                                             b

            cert_info:
              version: 2
              serialNumber: 0x7ACEBF564F34757DC970F67683F5435CEC159F3B
              signature:
                algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
                parameter: NULL
              issuer: CN=ca-test-scep
              validity:
                notBefore: Aug  1 13:06:37 2023 GMT
                notAfter: Aug 31 13:06:37 2023 GMT
              subject: CN=ca-test-scep
              key:
                X509_PUBKEY:
                  algor:
                    algorithm: rsaEncryption (1.2.840.113549.1.1.1)
                    parameter: NULL
                  public_key:  (0 unused bits)
                    0000 - 30 82 01 0a 02 82 01 01-00 ca cf 01 47 d5   0...........G.
                    ...
                    010a - 03 01 00 01                                   ....
              issuerUID: <ABSENT>
              subjectUID: <ABSENT>
              extensions:
                  object: X509v3 Subject Key Identifier (2.5.29.14)
                  critical: BOOL ABSENT
                  value:
                    0000 - 04 14 ab c6 fe 23 ec bd-13 aa f7 77 b0   .....#.....w.
                    000d - cc df a0 a2 e4 c9 a6 dd-79               ........y

                  object: X509v3 Authority Key Identifier (2.5.29.35)
                  critical: BOOL ABSENT
                  value:
                    0000 - 30 16 80 14 ab c6 fe 23-ec bd 13 aa f7   0......#.....
                    000d - 77 b0 cc df a0 a2 e4 c9-a6 dd 79         w.........y

                  object: X509v3 Basic Constraints (2.5.29.19)
                  critical: TRUE
                  value:
                    0000 - 30 03 01 01 ff                            0....
            sig_alg:
              algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
              parameter: NULL
            signature:  (0 unused bits)
              0000 - 8c 99 b2 a2 32 a6 53 82-9b 4a 97 fc 22 3a 7c   ....2.S..J..":|
              ....
              00ff - 62                                             b
        crl:
          <EMPTY>
        signer_info:
          <EMPTY>

        0:d=0  hl=4 l=1615 cons: SEQUENCE
        4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
       15:d=1  hl=4 l=1600 cons: cont [ 0 ]
       19:d=2  hl=4 l=1596 cons: SEQUENCE
       23:d=3  hl=2 l=   1 prim: INTEGER           :01
       26:d=3  hl=2 l=   0 cons: SET
       28:d=3  hl=2 l=  11 cons: SEQUENCE
       30:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
       41:d=3  hl=4 l=1570 cons: cont [ 0 ]
       45:d=4  hl=4 l= 783 cons: SEQUENCE
       49:d=5  hl=4 l= 503 cons: SEQUENCE
       53:d=6  hl=2 l=   3 cons: cont [ 0 ]
       55:d=7  hl=2 l=   1 prim: INTEGER           :02
       58:d=6  hl=2 l=  20 prim: INTEGER           :7ACEBF564F34757DC970F67683F5435CEC159F3B
       80:d=6  hl=2 l=  13 cons: SEQUENCE
       82:d=7  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
       93:d=7  hl=2 l=   0 prim: NULL
       95:d=6  hl=2 l=  23 cons: SEQUENCE
       97:d=7  hl=2 l=  21 cons: SET
       99:d=8  hl=2 l=  19 cons: SEQUENCE
      101:d=9  hl=2 l=   3 prim: OBJECT            :commonName
      106:d=9  hl=2 l=  12 prim: UTF8STRING        :ca-test-scep
      120:d=6  hl=2 l=  30 cons: SEQUENCE
      122:d=7  hl=2 l=  13 prim: UTCTIME           :230801130637Z
      137:d=7  hl=2 l=  13 prim: UTCTIME           :230831130637Z
      152:d=6  hl=2 l=  23 cons: SEQUENCE
      154:d=7  hl=2 l=  21 cons: SET
      156:d=8  hl=2 l=  19 cons: SEQUENCE
      158:d=9  hl=2 l=   3 prim: OBJECT            :commonName
      163:d=9  hl=2 l=  12 prim: UTF8STRING        :ca-test-scep
      177:d=6  hl=4 l= 290 cons: SEQUENCE
      181:d=7  hl=2 l=  13 cons: SEQUENCE
      183:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
      194:d=8  hl=2 l=   0 prim: NULL
      196:d=7  hl=4 l= 271 prim: BIT STRING
      471:d=6  hl=2 l=  83 cons: cont [ 3 ]
      473:d=7  hl=2 l=  81 cons: SEQUENCE
      475:d=8  hl=2 l=  29 cons: SEQUENCE
      477:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
      482:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
      506:d=8  hl=2 l=  31 cons: SEQUENCE
      508:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
      513:d=9  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
      539:d=8  hl=2 l=  15 cons: SEQUENCE
      541:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
      546:d=9  hl=2 l=   1 prim: BOOLEAN           :255
      549:d=9  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
      556:d=5  hl=2 l=  13 cons: SEQUENCE
      558:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
      569:d=6  hl=2 l=   0 prim: NULL
      571:d=5  hl=4 l= 257 prim: BIT STRING
      832:d=4  hl=4 l= 779 cons: SEQUENCE
      836:d=5  hl=4 l= 499 cons: SEQUENCE
      840:d=6  hl=2 l=   3 cons: cont [ 0 ]
      842:d=7  hl=2 l=   1 prim: INTEGER           :02
      845:d=6  hl=2 l=  20 prim: INTEGER           :0F7078BF3836891FEDD9F4827383C70CEF8E6E99
      867:d=6  hl=2 l=  13 cons: SEQUENCE
      869:d=7  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
      880:d=7  hl=2 l=   0 prim: NULL
      882:d=6  hl=2 l=  23 cons: SEQUENCE
      884:d=7  hl=2 l=  21 cons: SET
      886:d=8  hl=2 l=  19 cons: SEQUENCE
      888:d=9  hl=2 l=   3 prim: OBJECT            :commonName
      893:d=9  hl=2 l=  12 prim: UTF8STRING        :ca-test-scep
      907:d=6  hl=2 l=  30 cons: SEQUENCE
      909:d=7  hl=2 l=  13 prim: UTCTIME           :230801150559Z
      924:d=7  hl=2 l=  13 prim: UTCTIME           :230831150559Z
      939:d=6  hl=2 l=  23 cons: SEQUENCE
      941:d=7  hl=2 l=  21 cons: SET
      943:d=8  hl=2 l=  19 cons: SEQUENCE
      945:d=9  hl=2 l=   3 prim: OBJECT            :commonName
      950:d=9  hl=2 l=  12 prim: UTF8STRING        :ra-test-scep
      964:d=6  hl=4 l= 290 cons: SEQUENCE
      968:d=7  hl=2 l=  13 cons: SEQUENCE
      970:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
      981:d=8  hl=2 l=   0 prim: NULL
      983:d=7  hl=4 l= 271 prim: BIT STRING
     1258:d=6  hl=2 l=  79 cons: cont [ 3 ]
     1260:d=7  hl=2 l=  77 cons: SEQUENCE
     1262:d=8  hl=2 l=  11 cons: SEQUENCE
     1264:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
     1269:d=9  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0
     1275:d=8  hl=2 l=  29 cons: SEQUENCE
     1277:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
     1282:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:04146B9856B974066BF9B1B183A405D402138C5C7691
     1306:d=8  hl=2 l=  31 cons: SEQUENCE
     1308:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
     1313:d=9  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
     1339:d=5  hl=2 l=  13 cons: SEQUENCE
     1341:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
     1352:d=6  hl=2 l=   0 prim: NULL
     1354:d=5  hl=4 l= 257 prim: BIT STRING
     1615:d=3  hl=2 l=   0 cons: cont [ 1 ]
     1617:d=3  hl=2 l=   0 cons: SET
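Reading asn1parse output by eye is how the thread confirms that the inner ContentInfo now stops at the id-data OID. The program below is an added example, not code from the thread, from mod_scep or from OpenSSL: a small DER walker with no OpenSSL dependency that checks a certs-only SignedData blob for the shape RFC 8894 section 3.4 asks for, which is the check an SCEP client would want to run on a GetCACert response before trusting the parse. It reports whether the content field is present (the empty OCTET STRING that PKCS7_content_new() produced in the original post), whether the contentType is id-data, whether certificates [0] is present and non-empty, and whether signerInfos is empty; an empty crls [1], which the code above emits, is skipped rather than flagged because the RFC says nothing about it. The function and constant names (check_degenerate_signed_data, DEG_*, tlv_read) are chosen for this example, and the three sample blobs are constructed for it: the "certificate" inside them is a placeholder SEQUENCE { INTEGER 0 }, since the checker never looks inside certificate bodies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result bits of check_degenerate_signed_data(); 0 means the blob has the
 * degenerate certs-only shape that RFC 8894 section 3.4 requires. */
enum {
    DEG_OK               = 0,
    DEG_ERR_PARSE        = 1 << 0, /* malformed DER, or not a signedData ContentInfo */
    DEG_CONTENT_PRESENT  = 1 << 1, /* inner ContentInfo carries a [0] content field */
    DEG_BAD_CONTENT_TYPE = 1 << 2, /* inner contentType is not id-data */
    DEG_NO_CERTS         = 1 << 3, /* certificates [0] missing or empty */
    DEG_HAS_SIGNERS      = 1 << 4  /* signerInfos SET is not empty */
};

#define OID_PKCS7 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07  /* 1.2.840.113549.1.7 */
static const uint8_t OID_SIGNED_DATA[] = { OID_PKCS7, 0x02 };    /* ...7.2 */
static const uint8_t OID_DATA[]        = { OID_PKCS7, 0x01 };    /* ...7.1 */

/* One DER TLV: tag byte, pointer to the value, value length, total encoded size. */
typedef struct { uint8_t tag; const uint8_t *val; size_t len; size_t total; } tlv_t;

/* Decode the TLV at buf[0] within avail bytes. Single-byte tags and definite
 * lengths only, which is all DER-encoded PKCS#7 uses. Returns 0 on success. */
static int tlv_read(const uint8_t *buf, size_t avail, tlv_t *out)
{
    size_t hl, len = 0, n, i;
    if (avail < 2 || (buf[0] & 0x1f) == 0x1f) return -1;
    if (buf[1] < 0x80) { len = buf[1]; hl = 2; }
    else {
        n = buf[1] & 0x7f;                                  /* number of length octets */
        if (n == 0 || n > sizeof(size_t) || avail - 2 < n) return -1;
        for (i = 0; i < n; i++) len = (len << 8) | buf[2 + i];
        hl = 2 + n;
    }
    if (len > avail - hl) return -1;                        /* truncated value */
    out->tag = buf[0]; out->val = buf + hl; out->len = len; out->total = hl + len;
    return 0;
}

static int oid_is(const tlv_t *t, const uint8_t *oid, size_t oid_len)
{
    return t->tag == 0x06 && t->len == oid_len && memcmp(t->val, oid, oid_len) == 0;
}

/* Walk ContentInfo { signedData, [0] SignedData { version, digestAlgorithms,
 * encapContentInfo, certificates [0] OPT, crls [1] OPT, signerInfos } }. */
int check_degenerate_signed_data(const uint8_t *der, size_t der_len)
{
    tlv_t ci, oid, wrap, sd, t, inner, ioid;
    const uint8_t *p; size_t left;
    int flags = DEG_OK;

    if (tlv_read(der, der_len, &ci) || ci.tag != 0x30) return DEG_ERR_PARSE;
    if (tlv_read(ci.val, ci.len, &oid) ||
        !oid_is(&oid, OID_SIGNED_DATA, sizeof(OID_SIGNED_DATA))) return DEG_ERR_PARSE;
    p = ci.val + oid.total; left = ci.len - oid.total;
    if (tlv_read(p, left, &wrap) || wrap.tag != 0xa0) return DEG_ERR_PARSE;
    if (tlv_read(wrap.val, wrap.len, &sd) || sd.tag != 0x30) return DEG_ERR_PARSE;

    p = sd.val; left = sd.len;
    if (tlv_read(p, left, &t) || t.tag != 0x02) return DEG_ERR_PARSE;   /* version */
    p += t.total; left -= t.total;
    if (tlv_read(p, left, &t) || t.tag != 0x31) return DEG_ERR_PARSE;   /* digestAlgorithms */
    p += t.total; left -= t.total;

    /* encapContentInfo: SEQUENCE { OID, [0] EXPLICIT OCTET STRING OPTIONAL }.
     * Anything after the OID is the content field, which must be absent here. */
    if (tlv_read(p, left, &inner) || inner.tag != 0x30) return DEG_ERR_PARSE;
    if (tlv_read(inner.val, inner.len, &ioid) || ioid.tag != 0x06) return DEG_ERR_PARSE;
    if (!oid_is(&ioid, OID_DATA, sizeof(OID_DATA))) flags |= DEG_BAD_CONTENT_TYPE;
    if (inner.len > ioid.total) flags |= DEG_CONTENT_PRESENT;
    p += inner.total; left -= inner.total;

    /* certificates [0] IMPLICIT: a certs-only message needs at least one */
    if (tlv_read(p, left, &t) == 0 && t.tag == 0xa0) {
        if (t.len == 0) flags |= DEG_NO_CERTS;
        p += t.total; left -= t.total;
    } else {
        flags |= DEG_NO_CERTS;
    }
    /* crls [1] IMPLICIT OPTIONAL: not constrained by RFC 8894 3.4, so just skip it */
    if (tlv_read(p, left, &t) == 0 && t.tag == 0xa1) { p += t.total; left -= t.total; }
    /* signerInfos: the degenerate form has no signers */
    if (tlv_read(p, left, &t) || t.tag != 0x31) return flags | DEG_ERR_PARSE;
    if (t.len != 0) flags |= DEG_HAS_SIGNERS;
    return flags;
}

/* Constructed sample blobs for this example (not from the thread); the
 * "certificate" is a placeholder SEQUENCE { INTEGER 0 }. */
#define FAKE_CERT 0x30, 0x03, 0x02, 0x01, 0x00
static const uint8_t SAMPLE_GOOD[] = {      /* content omitted, as in the dump above */
    0x30, 0x2a, 0x06, 0x09, OID_PKCS7, 0x02, 0xa0, 0x1d, 0x30, 0x1b,
    0x02, 0x01, 0x01, 0x31, 0x00,
    0x30, 0x0b, 0x06, 0x09, OID_PKCS7, 0x01,              /* id-data, no [0] */
    0xa0, 0x05, FAKE_CERT, 0x31, 0x00
};
static const uint8_t SAMPLE_BAD[] = {       /* [0] { OCTET STRING "" } as in the original post */
    0x30, 0x2e, 0x06, 0x09, OID_PKCS7, 0x02, 0xa0, 0x21, 0x30, 0x1f,
    0x02, 0x01, 0x01, 0x31, 0x00,
    0x30, 0x0f, 0x06, 0x09, OID_PKCS7, 0x01, 0xa0, 0x02, 0x04, 0x00,
    0xa0, 0x05, FAKE_CERT, 0x31, 0x00
};
static const uint8_t SAMPLE_NOCERTS[] = {   /* no certificates, empty crls [1] */
    0x30, 0x25, 0x06, 0x09, OID_PKCS7, 0x02, 0xa0, 0x18, 0x30, 0x16,
    0x02, 0x01, 0x01, 0x31, 0x00,
    0x30, 0x0b, 0x06, 0x09, OID_PKCS7, 0x01,
    0xa1, 0x00, 0x31, 0x00
};

int main(void)
{
    printf("good:    0x%02x\n", check_degenerate_signed_data(SAMPLE_GOOD, sizeof(SAMPLE_GOOD)));
    printf("bad:     0x%02x\n", check_degenerate_signed_data(SAMPLE_BAD, sizeof(SAMPLE_BAD)));
    printf("nocerts: 0x%02x\n", check_degenerate_signed_data(SAMPLE_NOCERTS, sizeof(SAMPLE_NOCERTS)));
    return 0;
}
```

To run it against real output, read the DER file written by i2d_PKCS7_bio() into a buffer and pass it in; a return of 0 means the blob has the required shape, and each set bit names one deviation. The checker deliberately stops at the structure level: validating the certificates themselves is a separate step that belongs to the X.509 path-building code, not to this message-format check.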