(Now that I've seen your certificate, going back on-list for the sake
of the archives :-) )
Certificate is a sequence:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
The first field, tbsCertificate is also a sequence:
TBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions [3] Extensions OPTIONAL
-- If present, version MUST be v3 -- }
Version ::= INTEGER { v1(0), v2(1), v3(2) }
In TBSCertificate, the first field is version. Since that has a
default value of v1, if the version is v1 a BER encoder may or may not
include it in the encoded structure. A DER encoder must not include it
in the structure. The way you can tell whether or not version is
present is by looking for the context tag, [0].
In the cert you sent, I see:
0 1332: SEQUENCE {
4 796: . SEQUENCE {
8 1: . . INTEGER 1
11 13: . . SEQUENCE {
13 9: . . . OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
: . . . . (PKCS #1)
24 0: . . . NULL
: . . . }
Note the absence of a tagged integer at the beginning. That means
there's no version field to read and your decoder must assume it's a
v1 cert.
HTH,
Geoff
--
You received this message because you are subscribed to the "Crypto++ Users"
Google Group.
To unsubscribe, send an email to [email protected].
More information about Crypto++ and this group is available at
http://www.cryptopp.com.
