Invalid PKCS#7 Structure

URI: https://docs.ankatech.co/errors/invalid-pkcs7 HTTP Status: 400 Bad Request

When You See This

You attempted to convert a PKCS#7/CMS file to JOSE format, but the provided file is not a valid PKCS#7/CMS structure. The parser was unable to recognize the file as valid DER-encoded PKCS#7 data.

Common Causes

• Wrong file type provided – You uploaded a JSON, JWK, text file, or other non-PKCS#7 format
• Corrupted PKCS#7 file – The .p7m, .p7s, or .p7e file is truncated or damaged
• Incorrect encoding – File is not in DER binary format (PEM format not supported for conversion)
• Invalid ASN.1 structure – The binary data doesn't follow the PKCS#7/CMS ASN.1 schema

Response Example

{
  "type": "https://docs.ankatech.co/errors/invalid-pkcs7",
  "title": "Invalid PKCS#7 Structure",
  "status": 400,
  "detail": "The provided file is not a valid PKCS#7/CMS structure. Expected formats: SignedData (.p7m, .p7s), EnvelopedData (.p7e), or SignedAndEnvelopedData with DER encoding.",
  "instance": "/api/migration/convert-pkcs7-to-jose",
  "timestamp": 1738117563,
  "extensions": {
    "expectedFormats": [
      "SignedData (.p7m, .p7s)",
      "EnvelopedData (.p7e)",
      "SignedAndEnvelopedData"
    ],
    "expectedEncoding": "DER (binary)",
    "hint": "For JSON/JWK keys, use POST /api/migration/keys/import instead"
  }
}

How to Resolve

If you have a JSON/JWK key file:

Use the key import endpoint instead:

POST /api/migration/keys/import
Content-Type: application/json

{
  "kid": "my-imported-key",
  "kty": "RSA",
  "alg": "RSA-2048",
  "publicKey": "<base64-encoded-public-key>",
  "privateKey": "<base64-encoded-private-key>",
  "keyOps": ["encrypt", "decrypt"]
}

If you have a valid PKCS#7 file:

1. Verify file format:

   # Check if it's a valid PKCS#7 file using OpenSSL
   openssl pkcs7 -in yourfile.p7m -inform DER -print_certs -noout
   

2. Ensure DER encoding (not PEM):

   # If your file is in PEM format, convert to DER
   openssl pkcs7 -in yourfile.pem -inform PEM -out yourfile.p7m -outform DER
   

3. Verify file integrity:

4. Check file size (must be > 0 bytes)
5. Ensure file is not corrupted

6. Verify file extension matches content (.p7m for SignedData, .p7e for EnvelopedData)

7. Re-submit with correct PKCS#7 file

If you need to create a PKCS#7 file:

# Create SignedData (.p7m)
openssl cms -sign -in document.txt -out document.p7m \
  -outform DER -signer certificate.pem -inkey privatekey.key

# Create EnvelopedData (.p7e)
openssl cms -encrypt -in document.txt -out document.p7e \
  -outform DER -recip recipient-cert.pem

Related Errors

• Unsupported PKCS#7 Format - Valid PKCS#7 but feature not supported
• Missing Private Key - Valid PKCS#7 but required key not imported
• Payload Too Large - PKCS#7 file exceeds 5MB limit

Need Help?

If you're unsure about your file format:

1. Use the Analyze PKCS#7 endpoint first:

   POST /api/migration/analyze-pkcs7
   

   This will provide detailed structure information without attempting conversion.