Mr. Henson,
I understand the reason for retaining this behavior, but there is one problem with this approach. The OpenSSL library also becomes a generator of broken encoding if these DEFAULT SEQUENCE components are populated with default values.
It is kind of a vicious cycle. The OpenSSL library is basically correctly DER encoding the SEQUENCE structures only if these DEFAULT SEQUENCE components with default values are missing (NULL).
Regards,
Stefan Kotes
-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 5:09 PM
To: [EMAIL PROTECTED]
Subject: Re: ASN.1 DER encoding of SEQUENCE components with DEFAULT values
On Fri, Dec 06, 2002, Stefan Kotes wrote:
> Openssl Team,
> I have one question regarding DER encoding of the SEQUENCE/SET components.
> According to the "A Layman's Guide to a Subset of ASN.1, BER, and DER"
> document, if the value of a SEQUENCE or SET component with DEFAULT qualifier
> is the default value, the encoding of that component is not supposed to be
> included in contents octets.
> Openssl does not seem to follow this rule with "version" member of
> structures like X509_CINF, OCSP_REQUEST, OCSP_RESPDATA. Is this ASN.1
> encoding behavior in openssl library by design or is it something you plan
> to change?
>
DEFAULT is handled in OpenSSL by using OPTIONAL and then handling things
appropriately in any friendly wrappers that access the field.
IIRC the actual rules only enforce omission of the field for DER and it can
still be included for BER.
One reason for retaining this behaviour is that some broken encodings which
are supposed to follow DER still include fields which have the default value.
If OpenSSL always omitted the field then this would result in a different
encoding, which would break signatures.
Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
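
The effect discussed in this thread, as an added example (not code from OpenSSL or from either poster): a toy SEQUENCE with a `[0] EXPLICIT INTEGER DEFAULT 0` version field is encoded with and without the default value, and a check flags the form that strict DER forbids. The structure, the function names and the sample values are constructed for illustration; a real X509_CINF has many more fields.

```python
import hashlib

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one definite-length TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, next_offset) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    n = first
    if first & 0x80:                      # long form: low 7 bits = length octets
        k = first & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + n], off + n

def tbs(serial: int, version=None) -> bytes:
    """Toy 'to be signed' body: SEQUENCE { [0] INTEGER DEFAULT 0, serial INTEGER }.
    version=None leaves the field out; an int (0..127) puts it on the wire."""
    body = b"" if version is None else tlv(0xA0, tlv(0x02, bytes([version])))
    return tlv(0x30, body + tlv(0x02, bytes([serial])))   # serial 0..127 only

def has_explicit_default_version(der: bytes) -> bool:
    """True if the first component is [0] { INTEGER 0 }: the default value is
    explicitly encoded, which DER does not allow."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30 or not seq:
        raise ValueError("expected a non-empty SEQUENCE")
    tag, inner, _ = read_tlv(seq)
    return tag == 0xA0 and inner == b"\x02\x01\x00"

def digest(der: bytes) -> bytes:
    return hashlib.sha256(der).digest()

# Constructed sample: one logical value (version 0, serial 5), two encodings.
as_received = tbs(5, version=0)     # sender included the default value
canonical = tbs(5)                  # strict DER: default value omitted
signed_digest = digest(as_received) # the bytes the signer actually hashed

if __name__ == "__main__":
    print(as_received.hex(), has_explicit_default_version(as_received))
    print(canonical.hex(), digest(canonical) == signed_digest)
```

A verifier that re-encodes the parsed structure canonically hashes `canonical`, not `as_received`, so the digest no longer matches the one that was signed; verifying over the bytes as received avoids that.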
