Bug #12162


OpenSSL::PKCS7 seems to create broken objects (nested asn.1 error)

Added by wesoly_opos (Jarosław Górny) over 5 years ago. Updated over 5 years ago.

Third Party's Issue
Target version:
ruby -v:
ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-darwin15]


When trying to read previously created OpenSSL::PKCS7 object, it fails with 'nested asn.1 error'. Seems like object is broken.

Steps to reproduce:

  1. Generate x.509 certificate (either from CLI or in Ruby) and store it in OpenSSL::X509::Certificate object.
  2. Create new OpenSSL::PKCS7 object, set the 'type' attribute to ':signed'
  3. Add OpenSSL::X509::Certificate object to OpenSSL::PKCS7 object with #add_certificate() method
  4. Try to read back the object created in step '3' with:


ArgumentError: Could not parse the PKCS7: nested asn1 error
from (pry):8:in `initialize'

Expected result: should be able to read from previously created PKCS7 object (casted to string with #to_s method)

The session is attached to this ticket. It can be also found online:

note 1: I was able to reproduce this problem with ruby 2.2.x and latest head (2.4.0). On Linux too.
note 2: This code used to work when ruby was linked to openssl v 0.9.8.


gistfile1.txt (4.35 KB) gistfile1.txt Example interactive session, where the error can be observed. wesoly_opos (Jarosław Górny), 03/09/2016 02:55 PM

Related issues

Has duplicate Ruby master - Bug #12794: Invalid ASN1 from OpenSSL::X509::RequestsRejectedopensslActions

Updated by shyouhei (Shyouhei Urabe) over 5 years ago

  • Status changed from Open to Assigned
  • Assignee set to openssl

Updated by rhenium (Kazuki Yamaguchi) over 5 years ago

  • Status changed from Assigned to Third Party's Issue

The direct reason is that PKCS7#to_s returns a broken PEM. It looks like the behavior was changed in OpenSSL 1.0.1i:;a=commit;h=d70c0be4c1e33985a79d691786db72661fdfd057

But since the PKCS7 object is actually incomplete at that time you call PKCS7#to_s, I'm not sure whether if this is a bug or not.

Actions #3

Updated by rhenium (Kazuki Yamaguchi) about 5 years ago

  • Has duplicate Bug #12794: Invalid ASN1 from OpenSSL::X509::Requests added

Also available in: Atom PDF