IBM Crypto Education Community

 Digital Signature Verify (DSV) failed with 8/894

Mark Vollmer posted Wed November 05, 2025 07:47 PM

I'm calling the DSV with a message (TBS data), a 256-byte signature to validate and a PKCS#7 wrapped CA certificate. I'm using the following rules:

RSA

PKCS-1.1

MESSAGE

SHA-256

PKI-NONE

RFC-5280

The error tells me: A required extension is not supplied.

Since there isn't a parameter called "extension" for this call, what is this error code telling me? I just need a little help pointing me in the right direction.

I've confirmed that the message, signature and CA cert are sized properly and in the parameter fields correctly. At least to the best of my knowledge.

Any help would be appreciated.

Sincerely,

Mark Vollmer

Eric Rossman

I see how this could be confusing. Reason code 894 is documented as "A required certificate extension was not supplied." The most likely answer is that the CRL in the X.509 CA cert you provided is missing one of the required CRL extensions. I didn't dig all the way down, but I saw two extensions that are always required by CCA: authorityKeyIdentifier and cRLNumber. If the X.509 certificate you are providing doesn't have both of those, it will fail RFC-5280 processing.
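
A way to check a DER-encoded object for the two extensions named in the answer before calling DSV, as an added example that is not part of the thread and not IBM code. The function names and sample bytes are constructed for illustration; the check only tests for the presence of the standard OIDs 2.5.29.35 and 2.5.29.20 and does not reproduce CCA's RFC-5280 processing.

```python
# Added example (not from the thread): standard-library DER walk, single-byte tags assumed.
REQUIRED = {
    bytes.fromhex("551d23"): "authorityKeyIdentifier",  # content octets of OID 2.5.29.35
    bytes.fromhex("551d14"): "cRLNumber",               # content octets of OID 2.5.29.20
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER), not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extension_oids(buf, start=0, end=None, parent=None, found=None):
    """Collect the OID of every Extension-shaped SEQUENCE: OID first, OCTET STRING last."""
    end = len(buf) if end is None else end
    found = set() if found is None else found
    kids, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        kids.append((tag, vs, ve))
        if tag & 0x20:                      # constructed type: descend into its contents
            extension_oids(buf, vs, ve, tag, found)
        pos = ve
    if parent == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
        found.add(bytes(buf[kids[0][1]:kids[0][2]]))
    return found

def missing_required(der):
    """Names of the extensions from the answer that are absent from the DER object."""
    present = extension_oids(der)
    return sorted(name for oid, name in REQUIRED.items() if oid not in present)

# Constructed sample bytes (not a real certificate or CRL): bare extension lists only.
def tlv(tag, body): return bytes([tag, len(body)]) + body
AKI = tlv(0x30, tlv(0x06, bytes.fromhex("551d23")) + tlv(0x04, tlv(0x30, tlv(0x80, b"\x01" * 4))))
CRLNUM = tlv(0x30, tlv(0x06, bytes.fromhex("551d14")) + tlv(0x04, tlv(0x02, b"\x01")))
SAMPLE_AKI_ONLY = tlv(0xA3, tlv(0x30, AKI))
SAMPLE_BOTH = tlv(0xA0, tlv(0x30, AKI + CRLNUM))
```

PEM input has to be base64-decoded to DER before it is passed to `missing_required`. An empty result means both extensions are present somewhere in the object, not that every other check will pass.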