Thanks for the details. The encoding rules are actually much simplified, and
kerby-asn1 would surely be able to parse them. The problem is I didn't find
clear ASN.1 definitions like the ones we found for Kerberos, PKINIT, CMS and
X.509. What kerby-asn1 is good at is that, starting with an ASN.1-defined type,
the Java POJO/model class can be easily written, and the class inherently has
encoding/decoding capabilities and can also be clearly dumped out. Below is an
example we did recently for CMS. It follows BER encoding, using indefinite
length. Without clear ASN.1 type definitions, kerby-asn1 would not be much more
helpful than other ASN.1 libraries, I'm afraid.
package org.apache.kerby.cms.type;

import org.apache.kerby.asn1.Asn1FieldInfo;
import org.apache.kerby.asn1.EnumType;
import org.apache.kerby.asn1.ImplicitField;
import org.apache.kerby.asn1.type.Asn1SequenceType;

// The field constants below are referenced unqualified, so they need a
// static import of the nested enum.
import static org.apache.kerby.cms.type.SignedData.MyEnum.*;

/**
 * Ref. RFC 5652
 * <pre>
 * SignedData ::= SEQUENCE {
 *     version CMSVersion,
 *     digestAlgorithms DigestAlgorithmIdentifiers,
 *     encapContentInfo EncapsulatedContentInfo,
 *     certificates [0] IMPLICIT CertificateSet OPTIONAL,
 *     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
 *     signerInfos SignerInfos
 * }
 * </pre>
 */
public class SignedData extends Asn1SequenceType {
    // One constant per SEQUENCE member, in wire order: the ordinal is the
    // field index the base class uses when encoding and decoding.
    protected enum MyEnum implements EnumType {
        CMS_VERSION,
        DIGEST_ALGORITHMS,
        ENCAP_CONTENT_INFO,
        CERTIFICATES,
        CRLS,
        SIGNER_INFOS;

        // Accessors the EnumType contract uses to map a constant to its index.
        public int getValue() {
            return ordinal();
        }

        public String getName() {
            return name();
        }
    }

    // Field table: the Java type of each member, plus the IMPLICIT [0] / [1]
    // context tags that mark the two OPTIONAL members on the wire.
    static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
        new Asn1FieldInfo(CMS_VERSION, CmsVersion.class),
        new Asn1FieldInfo(DIGEST_ALGORITHMS, DigestAlgorithmIdentifiers.class),
        new Asn1FieldInfo(ENCAP_CONTENT_INFO, EncapsulatedContentInfo.class),
        new ImplicitField(CERTIFICATES, 0, CertificateSet.class),
        new ImplicitField(CRLS, 1, RevocationInfoChoices.class),
        new Asn1FieldInfo(SIGNER_INFOS, SignerInfos.class)
    };

    public SignedData() {
        super(fieldInfos);
    }

    public int getVersion() {
        return getFieldAsInteger(CMS_VERSION);
    }

    public void setVersion(int version) {
        setFieldAsInt(CMS_VERSION, version);
    }

    public DigestAlgorithmIdentifiers getDigestAlgorithms() {
        return getFieldAs(DIGEST_ALGORITHMS, DigestAlgorithmIdentifiers.class);
    }

    public void setDigestAlgorithms(DigestAlgorithmIdentifiers digestAlgorithms) {
        setFieldAs(DIGEST_ALGORITHMS, digestAlgorithms);
    }

    public EncapsulatedContentInfo getEncapContentInfo() {
        return getFieldAs(ENCAP_CONTENT_INFO, EncapsulatedContentInfo.class);
    }

    public void setEncapContentInfo(EncapsulatedContentInfo contentInfo) {
        setFieldAs(ENCAP_CONTENT_INFO, contentInfo);
    }

    // OPTIONAL member: the getter returns null when it was absent on the wire.
    public CertificateSet getCertificates() {
        return getFieldAs(CERTIFICATES, CertificateSet.class);
    }

    public void setCertificates(CertificateSet certificates) {
        setFieldAs(CERTIFICATES, certificates);
    }

    // OPTIONAL member, same null convention as certificates.
    public RevocationInfoChoices getCrls() {
        return getFieldAs(CRLS, RevocationInfoChoices.class);
    }

    public void setCrls(RevocationInfoChoices crls) {
        setFieldAs(CRLS, crls);
    }

    public SignerInfos getSignerInfos() {
        return getFieldAs(SIGNER_INFOS, SignerInfos.class);
    }

    public void setSignerInfos(SignerInfos signerInfos) {
        setFieldAs(SIGNER_INFOS, signerInfos);
    }
}
-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Friday, December 18, 2015 5:50 PM
To: Apache Directory Developers List <[email protected]>
Subject: Re: [VOTE] Apache LDAP API 1.0.0-M33 release
On 18/12/15 10:34, Zheng, Kai wrote:
> Got it, thanks for clarifying.
>
> Would you point to the main RFC spec that contains the ASN1 definition the
> library implements? I would take a look and see what kerby-asn1 still lacks
> for it.
There is no such RFC. The only place where something related to ASN.1 is
made explicit is RFC 4511:
4. Elements of Protocol
The protocol is described using Abstract Syntax Notation One
([ASN.1]) and is transferred using a subset of ASN.1 Basic Encoding
Rules ([BER]). Section 5 specifies how the protocol elements are
encoded and transferred.
and specifically:
5.1. Protocol Encoding
The protocol elements of LDAP SHALL be encoded for exchange using the
Basic Encoding Rules [BER] of [ASN.1] with the following
restrictions:
- Only the definite form of length encoding is used.
- OCTET STRING values are encoded in the primitive form only.
- If the value of a BOOLEAN type is true, the encoding of the value
octet is set to hex "FF".
- If a value of a type is its default value, it is absent. Only some
BOOLEAN and INTEGER types have default values in this protocol
definition.
These restrictions are meant to ease the overhead of encoding and
decoding certain elements in BER.
These restrictions do not apply to ASN.1 types encapsulated inside of
OCTET STRING values, such as attribute values, unless otherwise
stated.
So to speak, this is just a subset of the BER encoding. Note that Kerberos uses
a slightly different encoding: DER.
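The restriction list quoted above is small enough to enforce in a few dozen lines. The following is an added example (mine, not code from the Apache LDAP API, kerby-asn1 or the RFC) that encodes an RFC 4511 Control under those restrictions and decodes it with a parser that refuses what the subset forbids: indefinite length, constructed OCTET STRINGs, and BOOLEAN TRUE octets other than 0xFF. Control (RFC 4511 section 4.1.11) is used because its criticality has DEFAULT FALSE, so it is where the "defaults are absent" rule bites. All function names are my own and the sample byte strings are constructed by hand.

```python
"""Encoder and strict decoder for the BER subset mandated by RFC 4511 5.1.

Added example; not code from the Apache LDAP API, kerby-asn1 or the RFC.
Function names are my own; demo byte strings are constructed by hand.
Only single-octet tags are handled, which is enough for every LDAP element.
"""
from typing import Optional

TAG_BOOLEAN = 0x01
TAG_OCTET_STRING = 0x04              # primitive form, the only one LDAP allows
TAG_OCTET_STRING_CONSTRUCTED = 0x24  # legal BER, forbidden by RFC 4511
TAG_SEQUENCE = 0x30


class LdapBerError(ValueError):
    """Well-formed BER that falls outside the LDAP subset, or truncation."""


def encode_length(n: int) -> bytes:
    """Definite form only (RFC 4511 5.1); the long form is kept minimal."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_boolean(flag: bool) -> bytes:
    """TRUE is exactly 0xFF (RFC 4511 5.1); generic BER allows any non-zero."""
    return tlv(TAG_BOOLEAN, b"\xff" if flag else b"\x00")


def encode_octet_string(data: bytes) -> bytes:
    """Primitive form only, never the constructed (segmented) form."""
    return tlv(TAG_OCTET_STRING, data)


def encode_control(control_type: str, criticality: bool = False,
                   control_value: Optional[bytes] = None) -> bytes:
    """RFC 4511 4.1.11: Control ::= SEQUENCE { controlType LDAPOID,
    criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }.
    A field equal to its DEFAULT is absent on the wire, so FALSE is never sent.
    """
    body = encode_octet_string(control_type.encode("ascii"))
    if criticality:
        body += encode_boolean(True)
    if control_value is not None:
        body += encode_octet_string(control_value)
    return tlv(TAG_SEQUENCE, body)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos), refusing what RFC 4511 5.1 forbids."""
    if pos + 2 > len(buf):
        raise LdapBerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise LdapBerError("indefinite length is not allowed in LDAP")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if pos + nbytes > len(buf):
            raise LdapBerError("truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise LdapBerError("value runs past the end of the buffer")
    value = buf[pos:pos + length]
    if tag == TAG_OCTET_STRING_CONSTRUCTED:
        raise LdapBerError("constructed OCTET STRING is not allowed in LDAP")
    if tag == TAG_BOOLEAN and value not in (b"\x00", b"\xff"):
        raise LdapBerError("LDAP BOOLEAN must be 0x00 or 0xFF")
    return tag, value, pos + length


def decode_control(buf: bytes) -> dict:
    """Inverse of encode_control; an absent criticality takes its DEFAULT."""
    tag, body, end = read_tlv(buf)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise LdapBerError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != TAG_OCTET_STRING:
        raise LdapBerError("controlType must be an OCTET STRING")
    result = {"controlType": oid.decode("ascii"), "criticality": False,
              "controlValue": None}
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == TAG_BOOLEAN:
            result["criticality"] = value == b"\xff"
        elif tag == TAG_OCTET_STRING:
            result["controlValue"] = bytes(value)
        else:
            raise LdapBerError("unexpected element tag 0x%02x" % tag)
    return result


if __name__ == "__main__":
    wire = encode_control("1.2.3", criticality=True, control_value=b"\x30\x00")
    print(wire.hex(), decode_control(wire))
    try:  # the same control with a BER indefinite length: legal BER, not LDAP
        decode_control(bytes.fromhex("30 80 04 05 31 2e 32 2e 33 00 00"))
    except LdapBerError as err:
        print("rejected:", err)
```

The checks in read_tlv are where the security value sits: indefinite lengths and segmented OCTET STRINGs are precisely the BER features that let two decoders disagree about where a value ends, and an LDAP decoder loses nothing by refusing them at the TLV layer. Note also what the subset does not restrict: a long-form length for a short value (`04 81 03 'abc'`) is still legal LDAP BER and read_tlv accepts it, whereas DER requires the minimal length form, so the LDAP subset and DER overlap without being the same encoding.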