Olaf Schlueter wrote:
>
> Looking at a Verisign certificate we stumbled today upon what we think is
> a non-standard (should I say wrong?) way of encoding
> crlDistributionPoint. We found that OpenSSL (using 0.9.3a for testing)
> displays and generates this extension in the same format, deviating from
> the specified standard syntax found in various specifications like
> (probably in the order of appearance): X.509, PKIX, Mailtrust V2, and
> SigI (the latter two specifications are German specifications derived
> from PKIX). The standard syntax is to encode crlDistributionPoints as
>
[description omitted]
>
> Or am I missing something ?
>
I've looked over the code that encodes cRLDistributionPoints and I can't
actually see the problem. It should be encoding GeneralNames.
Now what I'm thinking here is that because of the encoding rules:

    DistributionPointName ::= CHOICE {
        fullName                [0] GeneralNames,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName }

if there is only one GeneralName in the SEQUENCE OF GeneralName, it
will look the same as:

    DistributionPointName ::= CHOICE {
        fullName                [0] GeneralName,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName }

In the first case the tag will be IMPLICIT and will thus "hide" the
SEQUENCE OF tag; it will be constructed because the underlying type is.
In the second case, because GeneralName is a CHOICE type, the tag will be
EXPLICIT and by definition constructed.
I may well be missing something myself here. ASN1 makes me feel ill at
times: though I'm told that is a natural reaction :-)
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
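The tagging point Steve makes above, worked through in DER bytes. This is an added example, not OpenSSL code or anything from the thread: a tiny hand-rolled DER encoder builds fullName both as [0] IMPLICIT GeneralNames and as [0] EXPLICIT GeneralName, shows the two byte strings coincide for a single uniformResourceIdentifier, and decodes the result the way a GeneralNames-aware parser would. The URIs are constructed placeholders.

```python
# Minimal DER helpers for the DistributionPointName tagging question.
# All URIs below are constructed placeholders, not real CRL locations.

def der_length(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def general_name_uri(uri: str) -> bytes:
    # uniformResourceIdentifier [6] IMPLICIT IA5String: context tag, primitive -> 0x86
    return tlv(0x86, uri.encode("ascii"))

def fullname_implicit_generalnames(names: list) -> bytes:
    # fullName [0] IMPLICIT GeneralNames (SEQUENCE OF GeneralName): the [0]
    # replaces the SEQUENCE tag 0x30 but keeps the constructed bit -> 0xA0,
    # and the content is the bare run of GeneralName TLVs.
    return tlv(0xA0, b"".join(names))

def fullname_explicit_generalname(name: bytes) -> bytes:
    # fullName [0] GeneralName: GeneralName is a CHOICE, so the tag is EXPLICIT,
    # i.e. a constructed [0] (0xA0) wrapping the whole GeneralName TLV.
    return tlv(0xA0, name)

def encodings_identical(uri: str) -> bool:
    """True when one URI encodes the same way under both definitions."""
    gn = general_name_uri(uri)
    return fullname_implicit_generalnames([gn]) == fullname_explicit_generalname(gn)

def parse_tlv(buf: bytes, off: int = 0) -> tuple:
    """Return (tag, content, next_offset) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length

def decode_fullname_uris(der: bytes) -> list:
    """Decode fullName per the GeneralNames definition: since the IMPLICIT [0]
    hid the SEQUENCE OF header, walk the [0] content directly as GeneralNames."""
    tag, content, _ = parse_tlv(der)
    if tag != 0xA0:
        raise ValueError("not a fullName [0]")
    uris, off = [], 0
    while off < len(content):
        t, c, off = parse_tlv(content, off)
        if t == 0x86:
            uris.append(c.decode("ascii"))
    return uris
```

With two URIs only the GeneralNames form is encodable (a CHOICE holds one value), and the same decoder returns both names, so a reader that follows the SEQUENCE OF definition handles either byte string.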