[EMAIL PROTECTED] wrote:
>
> Ok, I guess we figured it out. First: the encoding used by verisign and openssl
> is correct. Second: The SEQUENCE tag will even be missing if more than one
> GeneralName is encoded in the distributionPointName.fullName. At least it is
> using the snacc ASN.1 compiler. From the specs we deduce that the default
> tagging in the PKIX asn1 definitions is IMPLICIT. So the syntax described in my
> previous mail is incomplete, the complete syntax is
>
> DistributionPointName ::= CHOICE {
> fullName [0] IMPLICIT GeneralNames,
> nameRelativeToCRLIssuer [1] IMPLICIT RelativeDistinguishedName }
>
> causing the GeneralNames syntax for fullname to be implicitly assumed, and the
> value field of fullName will be concatenated encodings of GeneralName items. If
> we change that to EXPLICIT in the ASN.1 definition, the SEQUENCE OF encoding
> appears even if there is only one GeneralName in fullname. That behaviour was
> what we initially expected.
>
Yes, it says in PKIX that the default tagging is IMPLICIT.
My point about fullName and one actual GeneralName is that under these
circumstances the encoding for fullName, whether it is GeneralName or
GeneralNames, is the same. This is because the tagging is by default
IMPLICIT in the GeneralNames case, which hides the SEQUENCE OF; in the
GeneralName case the underlying type is a CHOICE, so it ends up as
EXPLICIT. The two have the same encoding.
If you have more than one then this doesn't make any sense, because
you can't encode it in the GeneralName case.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
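The encodings discussed in the thread, as an added example that is not part of the original messages and is not OpenSSL or snacc code. It is a small hand-written DER encoder/decoder that assumes the PKIX definitions (DistributionPointName with fullName [0] GeneralNames under IMPLICIT default tagging, GeneralNames as SEQUENCE OF GeneralName, and the uniformResourceIdentifier [6] IA5String alternative of GeneralName; no other alternatives are implemented). The URIs are constructed sample values. It shows that with IMPLICIT tagging the [0] tag replaces the SEQUENCE OF tag, so one name encodes identically to a [0]-tagged single GeneralName (a CHOICE, hence explicitly tagged), that switching to EXPLICIT makes the SEQUENCE tag reappear even for one name, and that with two names the IMPLICIT GeneralNames encoding is simply the concatenation of the elements inside [0].

```python
"""DER encoding of DistributionPointName.fullName: IMPLICIT vs EXPLICIT tagging.

Added example, not from the mailing-list thread. Assumes the PKIX syntax:

    DistributionPointName ::= CHOICE {
        fullName                [0] GeneralNames,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
    GeneralName  ::= CHOICE { ... uniformResourceIdentifier [6] IA5String ... }

Only the URI alternative of GeneralName is implemented.
"""

SEQUENCE = 0x30          # UNIVERSAL 16, constructed
CTX0_CONSTRUCTED = 0xA0  # [0] context-specific, constructed
CTX6_PRIMITIVE = 0x86    # [6] context-specific, primitive (IMPLICIT IA5String)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag (single octet), length, content."""
    return bytes([tag]) + der_length(len(content)) + content


def general_name_uri(uri: str) -> bytes:
    """GeneralName alternative uniformResourceIdentifier [6] IMPLICIT IA5String.
    The [6] tag replaces the IA5String tag (0x16): 86 <len> <chars>."""
    return der_tlv(CTX6_PRIMITIVE, uri.encode("ascii"))


def full_name_implicit(uris: list[str]) -> bytes:
    """fullName [0] IMPLICIT GeneralNames: [0] replaces the SEQUENCE OF tag, so
    the content of A0 is the bare concatenation of the GeneralName encodings.
    This is the PKIX (default IMPLICIT) form."""
    return der_tlv(CTX0_CONSTRUCTED, b"".join(general_name_uri(u) for u in uris))


def full_name_explicit(uris: list[str]) -> bytes:
    """fullName [0] EXPLICIT GeneralNames: [0] wraps the complete SEQUENCE OF,
    so the 30 tag stays visible even with a single name."""
    seq = der_tlv(SEQUENCE, b"".join(general_name_uri(u) for u in uris))
    return der_tlv(CTX0_CONSTRUCTED, seq)


def tagged_single_general_name(uri: str) -> bytes:
    """A hypothetical 'fullName [0] GeneralName'. GeneralName is a CHOICE, and a
    tag on a CHOICE is always EXPLICIT, so [0] wraps the chosen alternative
    instead of replacing its tag: A0 <len> 86 <len> <chars>."""
    return der_tlv(CTX0_CONSTRUCTED, general_name_uri(uri))


def read_tlv(buf: bytes, i: int = 0) -> tuple[int, bytes, int]:
    """Read one TLV (single-octet tag) at offset i; return (tag, content, next)."""
    tag = buf[i]
    first = buf[i + 1]
    i += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    else:
        length = first
    return tag, buf[i:i + length], i + length


def split_tlvs(content: bytes) -> list[tuple[int, bytes]]:
    """Split the content octets of a constructed value into (tag, content) pairs."""
    out, i = [], 0
    while i < len(content):
        tag, body, i = read_tlv(content, i)
        out.append((tag, body))
    return out


def general_names_in_full_name(full_name: bytes) -> list[str]:
    """Decode fullName as [0] IMPLICIT GeneralNames and return the URIs found.
    A SEQUENCE (0x30) inside [0] means the value was EXPLICITly tagged."""
    tag, content, _ = read_tlv(full_name)
    if tag != CTX0_CONSTRUCTED:
        raise ValueError("expected [0] constructed")
    uris = []
    for t, body in split_tlvs(content):
        if t != CTX6_PRIMITIVE:
            raise ValueError(f"unexpected GeneralName tag {t:#x}")
        uris.append(body.decode("ascii"))
    return uris


if __name__ == "__main__":
    # Constructed sample distribution points, not real CRL URLs.
    one = ["http://crl.example.test/ca.crl"]
    two = one + ["ldap://dir.example.test/x"]
    print("implicit, one name :", full_name_implicit(one).hex())
    print("single GeneralName :", tagged_single_general_name(one[0]).hex())
    print("explicit, one name :", full_name_explicit(one).hex())
    print("implicit, two names:", full_name_implicit(two).hex())
    print("decoded            :", general_names_in_full_name(full_name_implicit(two)))
```

The decoder deliberately rejects a 0x30 element inside [0]: a parser built from an EXPLICIT definition would expect exactly that SEQUENCE and fail on the PKIX encoding, which is the mismatch the thread started from.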