Problem solved. Your pointer to the GnuTLS code was very helpful. However, their code and mine do the same thing. The difference was in the asn file used to generate the asn1 array C file. Looking at the GnuTLS file, they marked distributionPoint as EXPLICIT. I had copied the file that came with libtasn1 and failed to notice this was missing.
Thanks for your help.

-andy

________________________________________
From: Simon Josefsson [[email protected]]
Sent: Thursday, February 10, 2011 6:09 AM
To: Andy Newton
Cc: [email protected]
Subject: Re: DER coding CRLDistributions points

Andy Newton <[email protected]> writes:

> As a follow up (I could not include this in the same email due to mailing list
> limitations), when I compare the output of my program with the output of
> another certificate which does render properly in OpenSSL, I see a missing
> sequence.

The difference is not a missing SEQUENCE, but a missing explicit [0] tag, isn't it?

I can't provide any more help than this right now, but maybe it will lead you in the right direction. If you can distill your problem into some self-contained code (ASN1 schema + C code + build instructions) it would be easier to start debugging for us where the problem is.

Also compare code in GnuTLS related to this:

http://git.savannah.gnu.org/cgit/gnutls.git/tree/lib/x509/extensions.c#n1111
http://git.savannah.gnu.org/cgit/gnutls.git/tree/lib/x509/extensions.c#n906

However it looks similar to your code.
/Simon

> Here is my extension as seen by dumpasn1:
>
>  534  53: SEQUENCE {
>           <06 03>
>  536   3:   OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
>          :   (X.509 extension)
>           <04 2E>
>  541  46:   OCTET STRING, encapsulates {
>           <30 2C>
>  543  44:     SEQUENCE {
>           <30 2A>
>  545  42:       SEQUENCE {
>           <A0 28>
>  547  40:         [0] {
>           <86 26>
>  549  38:           [6] 'rsync://rpki.arin.net/we-put-crls-here'
>          :           }
>          :         }
>          :       }
>          :     }
>          :   }
>          : }
>
> And here is the extension of the working cert as seen by dumpasn1:
>
>  923 128: SEQUENCE {
>           <06 03>
>  926   3:   OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
>          :   (X.509 extension)
>           <04 79>
>  931 121:   OCTET STRING, encapsulates {
>           <30 77>
>  933 119:     SEQUENCE {
>           <30 75>
>  935 117:       SEQUENCE {
>           <A0 73>
>  937 115:         [0] {
>           <A0 71>
>  939 113:           [0] {
>           <86 6F>
>  941 111:             [6]
>          :               'rsync://llamaxp.arin.net:10873/certrepo/69/f58f3'
>          :               '2-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58'
>          :               'ltnGiAqTm98.crl'
>          :             }
>          :           }
>          :         }
>          :       }
>          :     }
>          :   }
>          : }
>
> It seems I'm missing an extra sequence, but I cannot determine where. Also,
> if I am I don't know why libtasn1 is allowing me to code the DER without
> complaint.
>
> Any help is appreciated.
>
> -andy
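As an added illustration (not code from this thread, nor from GnuTLS or libtasn1), the following Python builds both byte layouts shown in the dumpasn1 dumps above and checks a DER CRLDistributionPoints value for the EXPLICIT [0] that RFC 5280 requires around distributionPoint; the tag must be explicit because DistributionPointName is a CHOICE, and an implicit tag would overwrite the CHOICE alternative's own tag. The encoder and the tag constants are this example's own helpers, not a library API.

```python
# Added example: minimal DER TLV encoder reproducing the two layouts above.
SEQUENCE = 0x30
CTX0_CONS = 0xA0  # [0], constructed
CTX1_CONS = 0xA1  # [1], constructed (nameRelativeToCRLIssuer)
CTX6_PRIM = 0x86  # [6] IMPLICIT IA5String: GeneralName.uniformResourceIdentifier

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def crl_dp_missing_explicit(uri: str) -> bytes:
    """Reproduces the broken dump: the [0] fullName tag of GeneralNames is the
    only [0] layer, so the EXPLICIT [0] of distributionPoint is absent."""
    general_names = tlv(CTX0_CONS, tlv(CTX6_PRIM, uri.encode("ascii")))
    return tlv(SEQUENCE, tlv(SEQUENCE, general_names))

def crl_dp_rfc5280(uri: str) -> bytes:
    """Correct encoding: distributionPoint [0] EXPLICIT wraps the CHOICE
    DistributionPointName, whose fullName [0] IMPLICIT wraps GeneralNames."""
    general_names = tlv(CTX0_CONS, tlv(CTX6_PRIM, uri.encode("ascii")))
    distribution_point = tlv(CTX0_CONS, general_names)  # the explicit layer
    return tlv(SEQUENCE, tlv(SEQUENCE, distribution_point))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) of the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def distribution_point_is_explicit(der: bytes) -> bool:
    """Walk CRLDistributionPoints -> DistributionPoint -> [0] and report
    whether that [0] holds a DistributionPointName CHOICE tag ([0]/[1]) or a
    bare GeneralName such as [6] URI, which is what the broken schema emitted."""
    tag, s, _ = _read_tlv(der, 0)          # CRLDistributionPoints SEQUENCE OF
    tag, s, _ = _read_tlv(der, s)          # first DistributionPoint
    tag, s, _ = _read_tlv(der, s)          # its first field
    if tag != CTX0_CONS:
        raise ValueError("distributionPoint [0] not present")
    return der[s] in (CTX0_CONS, CTX1_CONS)
```

The check reads the tag directly inside the [0]; a [0] otherName in the broken form would look the same at the byte level, which is precisely the ambiguity that forces a tagged CHOICE to be EXPLICIT.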
