Unsupported PKCS#7 Format
URI: https://docs.ankatech.co/errors/unsupported-pkcs7-format HTTP Status: 422 Unprocessable Entity
When You See This
Your PKCS#7/CMS file is structurally valid and was successfully parsed, but contains features that are not yet supported in the current version of the conversion engine.
Common Causes
- Multiple signers detected – Your SignedData has 2 or more signers; only single-signer conversion is supported in Phase 1
- Multiple recipients detected – Your EnvelopedData has 2 or more recipients; only single-recipient conversion is supported in Phase 1
- Unsupported content type – The PKCS#7 content type OID is recognized but conversion not implemented
- Complex nested structures – Advanced nesting patterns requiring JSON serialization (available in Phase 2)
Response Example
{
"type": "https://docs.ankatech.co/errors/unsupported-pkcs7-format",
"title": "Unsupported PKCS#7 Format",
"status": 422,
"detail": "Multiple signers detected: 3. Only single-signer conversion is currently supported.",
"instance": "/api/migration/convert-pkcs7-to-jose",
"timestamp": 1738117563,
"extensions": {
"errorCode": "MULTIPLE_SIGNERS_NOT_SUPPORTED",
"availableInPhase": "Phase 2 (JSON serialization)",
"currentPhase": "Phase 1 (Compact serialization only)"
}
}
Error Codes
| Code | Description | Available In |
|---|---|---|
MULTIPLE_SIGNERS_NOT_SUPPORTED | SignedData with >1 signer | Phase 2 |
MULTIPLE_RECIPIENTS_NOT_SUPPORTED | EnvelopedData with >1 recipient | Phase 2 |
UNKNOWN_CONTENT_TYPE | Unrecognized PKCS#7 content type OID | Future |
How to Resolve
Option 1: Use Single-Actor Files (Recommended for Phase 1)
Re-create your PKCS#7 files with single signer/recipient:
For SignedData:
# Create with single signer
openssl cms -sign -in document.txt -out document.p7m \
-outform DER -signer single-signer.pem -inkey single-key.key
For EnvelopedData:
# Create with single recipient
openssl cms -encrypt -in document.txt -out document.p7e \
-outform DER -recip single-recipient.pem
Option 2: Wait for Phase 2 (Multi-Actor Support)
Phase 2 will support:
- Multiple signers → JWS JSON serialization (RFC 7515 § 7.2)
- Multiple recipients → JWE JSON serialization (RFC 7516 § 7.2)
- Complex nested structures → JWE(JWS) with JSON format
Availability: Check release notes for Phase 2 timeline
Option 3: Convert Each Actor Separately (Workaround)
If you need immediate conversion:
- Extract individual signatures/encryptions from your multi-actor PKCS#7
- Create separate PKCS#7 files for each actor
- Convert each file individually to JOSE
- Combine JOSE tokens manually using JSON serialization
Analyze Before Converting
Use the analyze endpoint to check your file before conversion:
POST /api/migration/analyze-pkcs7
Content-Type: application/json
{
"pkcs7Data": "<base64-encoded-pkcs7>",
"validateCertificates": false,
"validateTimestamp": false
}
The response will show:
- Number of signers
- Number of recipients
- Support status with reason codes
- Migration recommendations
Related Errors
- Invalid PKCS#7 Structure - File is not valid PKCS#7
- Missing Private Key - Required key not imported
- Not Implemented - Feature not yet available
Roadmap
Phase 1 (Current):
- ✅ SignedData (1 signer) → JWS Compact
- ✅ EnvelopedData (1 recipient) → JWE Compact
- ✅ SignedAndEnvelopedData (1+1) → JWE(JWS) Compact
Phase 2 (Upcoming):
- Multiple signers → JWS JSON
- Multiple recipients → JWE JSON
- Advanced nesting → JWE(JWS) JSON
Need Help?
- Use
POST /api/migration/analyze-pkcs7to inspect your file