Andy Newton <[email protected]> writes:

> As a follow up (I could not include this in the same email due to mailing list
> limitations), when I compare the output of my program with the output of
> another certificate which does render properly in OpenSSL, I see a missing
> sequence.

The difference is not a missing SEQUENCE, but a missing explicit [0] tag, isn't it?

I can't provide any more help than this right now, but maybe it will lead you in the right direction. If you can distill your problem into some self-contained code (ASN1 schema + C code + build instructions) it would be easier to start debugging for us where the problem is.

Also compare code in GnuTLS related to this:

http://git.savannah.gnu.org/cgit/gnutls.git/tree/lib/x509/extensions.c#n1111
http://git.savannah.gnu.org/cgit/gnutls.git/tree/lib/x509/extensions.c#n906

However it looks similar to your code.

/Simon

> Here is my extension as seen by dumpasn1:
>
>  534  53:   SEQUENCE {
>     <06 03>
>  536   3:     OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
>         :       (X.509 extension)
>     <04 2E>
>  541  46:     OCTET STRING, encapsulates {
>     <30 2C>
>  543  44:       SEQUENCE {
>     <30 2A>
>  545  42:         SEQUENCE {
>     <A0 28>
>  547  40:           [0] {
>     <86 26>
>  549  38:             [6] 'rsync://rpki.arin.net/we-put-crls-here'
>         :           }
>         :         }
>         :       }
>         :     }
>         :   }
>         : }
>
> And here is the extension of the working cert as seen by dumpasn1:
>
>  923 128:   SEQUENCE {
>     <06 03>
>  926   3:     OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
>         :       (X.509 extension)
>     <04 79>
>  931 121:     OCTET STRING, encapsulates {
>     <30 77>
>  933 119:       SEQUENCE {
>     <30 75>
>  935 117:         SEQUENCE {
>     <A0 73>
>  937 115:           [0] {
>     <A0 71>
>  939 113:             [0] {
>     <86 6F>
>  941 111:               [6]
>         :                 'rsync://llamaxp.arin.net:10873/certrepo/69/f58f3'
>         :                 '2-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58'
>         :                 'ltnGiAqTm98.crl'
>         :             }
>         :           }
>         :         }
>         :       }
>         :     }
>         :   }
>
> It seems I'm missing an extra sequence, but I cannot determine where. Also,
> if I am, I don't know why libtasn1 is allowing me to code the DER without
> complaint.
>
> Any help is appreciated.
>
> -andy
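
The difference between the two listings can be checked mechanically. The following is an added example, not code from this thread, libtasn1 or GnuTLS: it rebuilds both extension values from the dumpasn1 listings above and compares their tag paths down to the URI. All function and constant names are assumptions made for illustration.

```python
# Added example: compare DER tag paths of two cRLDistributionPoints values (single-byte tags only).

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short-form length, enough for these samples)."""
    if len(content) >= 0x80:
        raise ValueError("long-form length not needed here")
    return bytes([tag, len(content)]) + content

def read_tlv(buf: bytes):
    """Decode the first TLV in buf and return (tag, content)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                      # long form: next N bytes hold the length
        size = length & 0x7F
        if size == 0 or pos + size > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[pos:pos + length]

def tag_path(der: bytes):
    """Descend through the first child of each constructed TLV to the leaf."""
    tags = []
    while True:
        tag, content = read_tlv(der)
        tags.append(tag)
        if not tag & 0x20:                 # primitive encoding: this is the leaf
            return tags, content
        der = content

# Tag path in the working certificate's dump: SEQUENCE, SEQUENCE, [0], [0], [6] (the URI).
EXPECTED_PATH = [0x30, 0x30, 0xA0, 0xA0, 0x86]

def has_expected_path(der: bytes) -> bool:
    return tag_path(der)[0] == EXPECTED_PATH

# Rebuilt from the two dumpasn1 listings in the quoted message.
URI_BAD = b"rsync://rpki.arin.net/we-put-crls-here"
URI_OK = (b"rsync://llamaxp.arin.net:10873/certrepo/69/f58f3"
          b"2-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58ltnGiAqTm98.crl")
BAD = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x86, URI_BAD))))
OK = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, URI_OK)))))

if __name__ == "__main__":
    for name, der in (("failing", BAD), ("working", OK)):
        print(name, " ".join(f"{t:02X}" for t in tag_path(der)[0]), has_expected_path(der))
```

The failing value has the path 30 30 A0 86, one context tag [0] short of the working value's 30 30 A0 A0 86.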
