Trying to generate an empty Name using the following code:

    using System.Collections;
    using Org.BouncyCastle.Asn1;
    using Org.BouncyCastle.Asn1.X509;

    IDictionary emptyAttrs = new Hashtable();
    IList ord = new ArrayList();
    X509Name emptyName = new X509Name(ord, emptyAttrs);
    var wrongEmptyNameEncoding = emptyName.GetEncoded();

Encodes as follows:

    0:d=0  hl=2 l=   2 cons: SEQUENCE
    2:d=1  hl=2 l=   0 cons: SET

But I think that the correct encoding shouldn't include the empty SET, based on the following from X.501 (Rec. ITU-T X.501 (10/2016)):

    Name ::= CHOICE { -- only one possibility for now --
      rdnSequence  RDNSequence }

    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

    ...

    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

Additionally, the following from RFC 5280, "4.1.2.6. Subject" kind of confirms this too:

> If subject naming information is present only in the subjectAltName
> extension (e.g., a key bound only to an email address or URI), then the
> *subject name MUST be an empty sequence* and the subjectAltName extension
> MUST be critical.

Finally, it is just worth noting that for getting an X509Name which correctly encodes an empty Name the following can be currently used as a workaround:

    X509Name emptyName = X509Name.GetInstance(new DerSequence());

-- 
Jaime Hablutzel - +51 994690880
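Added example (not part of the post above, and not BouncyCastle code): a minimal DER encoder and decoder for the X.501 Name structure in Python. It shows that the empty Name encodes as the two bytes 30 00 and that the 30 02 31 00 dump from the post fails the SET SIZE (1..MAX) check on RelativeDistinguishedName, which is exactly the constraint the post quotes. It goes a little beyond the empty case by also encoding a one-attribute Name (CN=example) with the DER ordering rule for SET OF components. Assumptions, labelled in the code: attribute values are always written as UTF8String and only string-typed values are decoded; the OID decoder assumes a single-byte first subidentifier; WRONG_EMPTY_NAME is the constructed four-byte dump taken from the post.

```python
# Minimal DER encoder/decoder for the X.501 Name structure (added example, not BouncyCastle
# code). The empty Name is the bare empty SEQUENCE 30 00; 30 02 31 00 is rejected because
# RelativeDistinguishedName is SET SIZE (1..MAX).
SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C
CN = "2.5.4.3"  # id-at-commonName, the only attribute type used here (assumption)
WRONG_EMPTY_NAME = bytes.fromhex("30023100")  # constructed: the bytes the post's X509Name emitted

def der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    """Dotted OID to DER content octets (base-128 subidentifiers, MSB continuation bit)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(body):
    """DER content octets to dotted OID (assumes a single-byte first subidentifier)."""
    arcs = [body[0] // 40, body[0] % 40]  # correct for second arcs below 40, e.g. 2.5.x
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def encode_name(rdns):
    """rdns: list of RDNs, each a non-empty list of (oid, text); [] is the empty Name."""
    encoded_sets = []
    for rdn in rdns:
        if not rdn:
            raise ValueError("RelativeDistinguishedName is SET SIZE (1..MAX); empty RDN refused")
        atvs = [tlv(SEQUENCE, tlv(OID, encode_oid(oid)) + tlv(UTF8STRING, text.encode("utf-8")))
                for oid, text in rdn]
        # X.690 11.6: SET OF components sorted by encoding, shorter ones as if zero-padded.
        width = max(len(a) for a in atvs)
        atvs.sort(key=lambda a: a.ljust(width, b"\x00"))
        encoded_sets.append(tlv(SET, b"".join(atvs)))
    return tlv(SEQUENCE, b"".join(encoded_sets))

def read_tlv(buf, pos):
    """(tag, content, end) for the definite-length TLV at buf[pos]; rejects non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end

def decode_name(der):
    """Parse a DER Name into [[(oid, text), ...], ...], enforcing SET SIZE (1..MAX) per RDN."""
    tag, seq, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("Name must be exactly one SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_body, pos = read_tlv(seq, pos)
        if tag != SET or not rdn_body:
            raise ValueError("each RDNSequence component must be a SET SIZE (1..MAX)")
        rdn, p = [], 0
        while p < len(rdn_body):
            tag, atv, p = read_tlv(rdn_body, p)
            oid_tag, oid_body, q = read_tlv(atv, 0)
            _val_tag, val_body, q = read_tlv(atv, q)  # only string-typed values are decoded here
            if tag != SEQUENCE or oid_tag != OID or q != len(atv) or not oid_body:
                raise ValueError("malformed AttributeTypeAndValue")
            rdn.append((decode_oid(oid_body), val_body.decode("utf-8")))
        rdns.append(rdn)
    return rdns

def is_valid_name(der):
    """True if der is a well-formed X.501 Name under the checks above."""
    try:
        decode_name(der)
        return True
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return False
```

encode_name([]) returns the two bytes 30 00, which decode_name accepts as an empty list of RDNs; is_valid_name(WRONG_EMPTY_NAME) returns False because the inner SET is empty. Note that the decoder fails closed on anything it does not understand (wrong tags, trailing bytes, non-DER lengths), which is the behaviour to want from anything that parses names out of certificates.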