Thanks Kivinen for your explanation. Understood now.
On Fri, Mar 6, 2015 at 4:52 AM, Tero Kivinen <[email protected]> wrote:
> Kathy Wan writes:
> > In the RFC7296 Internet Key Exchange Protocol Version 2 (IKEv2) ,
> > the "Hash and URL of a bundle" type defines the X.509 bundle
> > as a sequence of CertificateOrCRL.
> >
> > Let us say it is a sequence of certificates.
> > My understanding is the bundle file which can be fetched from the url is DER
> > encoded and contains multiple certificates.
>
> Yes.
>
> > The question is what is the exact format of the DER encoded bundle file
> > especially how multiple certificates are delimited.
>
> It is what is defined in the RFC7296:
>
> CertBundle
>     { iso(1) identified-organization(3) dod(6) internet(1)
>       security(5) mechanisms(5) pkix(7) id-mod(0)
>       id-mod-cert-bundle(34) }
>
> DEFINITIONS EXPLICIT TAGS ::=
> BEGIN
>
> IMPORTS
>    Certificate, CertificateList
>    FROM PKIX1Explicit88
>       { iso(1) identified-organization(3) dod(6)
>         internet(1) security(5) mechanisms(5) pkix(7)
>         id-mod(0) id-pkix1-explicit(18) } ;
>
> CertificateOrCRL ::= CHOICE {
>    cert [0] Certificate,
>    crl  [1] CertificateList }
>
> CertificateBundle ::= SEQUENCE OF CertificateOrCRL
>
> END
>
> > Is it just simple concatenation of individual der-
> > encoded certificate?
>
> No, it is an ASN.1 sequence of CertificateOrCRL, where CertificateOrCRL
> is a choice of Certificate or CRL. So it is not simple concatenation of
> certificates.
> --
> [email protected]
>
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
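An added example (not from this thread, nor RFC 7296 text) of what the answer above means on the wire: because the module is declared with EXPLICIT TAGS, each DER Certificate or CertificateList is wrapped in a constructed context-specific tag ([0] = 0xA0, [1] = 0xA1), and the whole list sits inside one outer SEQUENCE, so a plain concatenation of DER certificates does not parse as a CertificateBundle. The certificate and CRL blobs below are constructed stand-ins; the helper names are my own.

```python
def der_len(n):
    if n < 0x80:                      # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # minimal long form

def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def read_tlv(buf, pos):  # -> (tag, value, next_pos); rejects non-DER lengths
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80 or length >> (8 * (n - 1)) == 0:
            raise ValueError("non-minimal length is not DER")
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

SEQUENCE, TAG_CERT, TAG_CRL = 0x30, 0xA0, 0xA1  # [0]/[1] EXPLICIT => constructed context tags

def encode_bundle(certs, crls=()):
    """Wrap each DER Certificate / CertificateList in its CHOICE tag, then all in one SEQUENCE."""
    items = [der_tlv(TAG_CERT, c) for c in certs] + [der_tlv(TAG_CRL, c) for c in crls]
    return der_tlv(SEQUENCE, b"".join(items))

def decode_bundle(bundle):
    """Return (certs, crls); ValueError for anything that is not a CertificateBundle."""
    tag, body, end = read_tlv(bundle, 0)
    if tag != SEQUENCE or end != len(bundle):
        raise ValueError("bundle must be exactly one SEQUENCE")
    certs, crls, pos = [], [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag not in (TAG_CERT, TAG_CRL):
            raise ValueError("unexpected CHOICE tag 0x%02x" % tag)
        inner_tag, _, inner_end = read_tlv(inner, 0)
        if inner_tag != SEQUENCE or inner_end != len(inner):  # explicit tag wraps one SEQUENCE
            raise ValueError("CHOICE alternative must hold exactly one SEQUENCE")
        (certs if tag == TAG_CERT else crls).append(inner)
    return certs, crls

def is_bundle(buf):
    try:
        return decode_bundle(buf) is not None
    except (ValueError, IndexError):
        return False

# Constructed stand-ins for DER Certificate / CertificateList (real ones are also SEQUENCEs)
CERT_A, CRL_1 = der_tlv(SEQUENCE, b"\x02\x01\x01"), der_tlv(SEQUENCE, b"\x02\x01\x03")
CERT_B = der_tlv(SEQUENCE, b"\x02\x01\x02" * 60)  # long enough to exercise long-form lengths
```

A fetched "Hash and URL" bundle should be rejected when `decode_bundle` raises, not silently split at certificate boundaries.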