Kathy Wan writes:
> In the RFC7296 Internet Key Exchange Protocol Version 2 (IKEv2),
> the "Hash and URL of a bundle" type defines the X.509 bundle
> as a sequence of CertificateOrCRL.
>
> Let us say it is a sequence of certificates.
> My understanding is the bundle file which can be fetched from the url is DER
> encoded and contains multiple certificates.
Yes.
> The question is what is the exact format of the DER encoded bundle file
> especially how multiple certificates are delimited.
It is what is defined in the RFC7296:
CertBundle
  { iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-cert-bundle(34) }

DEFINITIONS EXPLICIT TAGS ::=
BEGIN

IMPORTS
  Certificate, CertificateList
    FROM PKIX1Explicit88
      { iso(1) identified-organization(3) dod(6)
        internet(1) security(5) mechanisms(5) pkix(7)
        id-mod(0) id-pkix1-explicit(18) } ;

CertificateOrCRL ::= CHOICE {
  cert [0] Certificate,
  crl  [1] CertificateList }

CertificateBundle ::= SEQUENCE OF CertificateOrCRL

END
> Is it just simple concatenation of individual der-
> encoded certificate?
No, it is an ASN.1 SEQUENCE OF CertificateOrCRL, where CertificateOrCRL
is a CHOICE of Certificate or CRL. So it is not a simple concatenation of
certificates.
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
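The encoding described in the reply above, as an added example that is not part of the thread or of any IKEv2 implementation: a small DER encoder/decoder for CertificateBundle. Because the module is declared with EXPLICIT TAGS, each element of the SEQUENCE OF is a constructed context tag ([0] = 0xA0 for a Certificate, [1] = 0xA1 for a CertificateList) wrapping the complete DER Certificate or CertificateList, and the whole bundle is wrapped in an outer SEQUENCE (0x30). The "certificates" below are constructed stand-in SEQUENCE blobs, not real X.509 data; the bytes of any real DER certificate or CRL file can be passed in their place. All function names are this example's own.

```python
# Added example (not from RFC 7296 or the thread): encode and decode an
# RFC 7296 Appendix C CertificateBundle, and show that a plain concatenation
# of DER certificates is not a valid bundle.
from typing import Iterable, List, Tuple

TAG_SEQUENCE = 0x30
CERT_TAG = 0xA0  # [0] Certificate      (EXPLICIT -> constructed context tag)
CRL_TAG = 0xA1   # [1] CertificateList  (EXPLICIT -> constructed context tag)


def der_length(n: int) -> bytes:
    """DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at buf[off:] -> (tag, value, next_offset).
    Rejects indefinite and non-minimal lengths, which DER forbids."""
    if off + 2 > len(buf):
        raise ValueError("truncated: no tag/length")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        if off + nbytes > len(buf):
            raise ValueError("truncated: length bytes")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        if (nbytes > 1 and buf[off] == 0) or length < 0x80:
            raise ValueError("non-minimal length encoding is not DER")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("truncated: value")
    return tag, buf[off:off + length], off + length


def encode_bundle(certs: Iterable[bytes], crls: Iterable[bytes] = ()) -> bytes:
    """CertificateBundle ::= SEQUENCE OF CertificateOrCRL.
    Certificates are emitted first; the SEQUENCE OF itself allows any order."""
    elems = b"".join(der_tlv(CERT_TAG, c) for c in certs)
    elems += b"".join(der_tlv(CRL_TAG, c) for c in crls)
    return der_tlv(TAG_SEQUENCE, elems)


def decode_bundle(data: bytes) -> Tuple[List[bytes], List[bytes]]:
    """Return (certs, crls) as the inner DER blobs; reject trailing bytes."""
    tag, body, end = read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(data):
        raise ValueError("trailing bytes after CertificateBundle")
    certs, crls = [], []
    off = 0
    while off < len(body):
        tag, inner, off = read_tlv(body, off)
        # Certificate and CertificateList are both SEQUENCEs, so under
        # EXPLICIT TAGS the context tag must wrap exactly one SEQUENCE.
        itag, _, iend = read_tlv(inner, 0)
        if itag != TAG_SEQUENCE or iend != len(inner):
            raise ValueError("CHOICE alternative does not wrap one SEQUENCE")
        if tag == CERT_TAG:
            certs.append(inner)
        elif tag == CRL_TAG:
            crls.append(inner)
        else:
            raise ValueError(f"unexpected CertificateOrCRL tag 0x{tag:02x}")
    return certs, crls


# Constructed stand-ins for DER certificates / a CRL (real ones are just
# much longer SEQUENCEs); each is SEQUENCE { INTEGER n }.
FAKE_CERT_1 = der_tlv(TAG_SEQUENCE, b"\x02\x01\x01")
FAKE_CERT_2 = der_tlv(TAG_SEQUENCE, b"\x02\x01\x02")
FAKE_CRL = der_tlv(TAG_SEQUENCE, b"\x02\x01\x03")


def demo() -> dict:
    bundle = encode_bundle([FAKE_CERT_1, FAKE_CERT_2], [FAKE_CRL])
    certs, crls = decode_bundle(bundle)
    # The concatenation the question asked about: not a CertificateBundle.
    try:
        decode_bundle(FAKE_CERT_1 + FAKE_CERT_2)
        concat_accepted = True
    except ValueError:
        concat_accepted = False
    return {"bundle_hex": bundle.hex(), "certs": certs, "crls": crls,
            "concat_accepted": concat_accepted}


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Run with real input by replacing the FAKE_* blobs with the contents of DER (.der/.cer/.crl) files; the resulting bytes are what an IKEv2 "Hash and URL of a bundle" CERT payload's URL should serve, and SHA-1 of exactly these bytes is the hash carried in the payload.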