DER coding CRLDistributions points

From: Andy Newton
Subject: DER coding CRLDistributions points
Date: Wed, 9 Feb 2011 16:35:28 +0000
Hello,
I am attempting to DER code the id-ce-cRLDistributionPoints X.509 extension. I'm
using the pkix.asn file that accompanies libtasn1 (v2.9), but I've added some
structures for RFC 3779. I'm using asn1Parse to convert it to a C array. The
DER coding works without error, but the resulting DER is incompatible with
OpenSSL, and dumpasn1 shows differing structures between my DER and a certificate
that does work with OpenSSL.
Here is my code snippet that is creating the DER structure:
// cdp is constructed as the ASN1_TYPE holding the structure of the
// extension
....
// write new thing in cdp sequence
result = asn1_write_value( cdp, "", "NEW", 1 );
//
// write cdp full name choice
result = asn1_write_value( cdp, "?LAST.distributionPoint", "fullName", 1 );
//
// write new sequence item for cdp general name
result = asn1_write_value( cdp, "?LAST.distributionPoint.fullName", "NEW", 1 );
//
// write cdp uniformResourceIdentifier choice
result = asn1_write_value( cdp, "?LAST.distributionPoint.fullName.?LAST",
                           "uniformResourceIdentifier", 1 );
//
// write cdp URI
result = asn1_write_value( cdp,
                           "?LAST.distributionPoint.fullName.?LAST.uniformResourceIdentifier",
                           cert->crlDistributionPoint, strlen( cert->crlDistributionPoint ) );
//
// write NULL for cdp reasons (NULL/0 removes the OPTIONAL element)
result = asn1_write_value( cdp, "?LAST.reasons", NULL, 0 );
//
// write NULL for cdp cRLIssuer (NULL/0 removes the OPTIONAL element)
result = asn1_write_value( cdp, "?LAST.cRLIssuer", NULL, 0 );
From reading RFC 5280 and the pkix.asn file, I think this is correct.
However, when OpenSSL looks at this extension, here is what I get:
X509v3 CRL Distribution Points:
0,0*.(.&rsync://rpki.arin.net/we-put-crls-here
Here is what OpenSSL prints for another certificate (from some Java software)
with this extension:
X509v3 CRL Distribution Points:
Full Name:
URI:rsync://llamaxp.arin.net:10873/certrepo/69/f58f32-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58ltnGiAqTm98.crl
Using dumpasn1, I can see that the version working with OpenSSL has an extra
sequence which mine does not.
Here is my extension as seen by dumpasn1:
 534  53: SEQUENCE {
          <06 03>
 536   3:   OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
        :     (X.509 extension)
          <04 2E>
 541  46:   OCTET STRING, encapsulates {
          <30 2C>
 543  44:     SEQUENCE {
          <30 2A>
 545  42:       SEQUENCE {
          <A0 28>
 547  40:         [0] {
          <86 26>
 549  38:           [6] 'rsync://rpki.arin.net/we-put-crls-here'
        :           }
        :         }
        :       }
        :     }
        :   }
        : }
And here is the extension of the working cert as seen by dumpasn1:
 923 128: SEQUENCE {
          <06 03>
 926   3:   OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
        :     (X.509 extension)
          <04 79>
 931 121:   OCTET STRING, encapsulates {
          <30 77>
 933 119:     SEQUENCE {
          <30 75>
 935 117:       SEQUENCE {
          <A0 73>
 937 115:         [0] {
          <A0 71>
 939 113:           [0] {
          <86 6F>
 941 111:             [6]
        :               'rsync://llamaxp.arin.net:10873/certrepo/69/f58f3'
        :               '2-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58'
        :               'ltnGiAqTm98.crl'
        :             }
        :           }
        :         }
        :       }
        :     }
        :   }
It seems I'm missing an extra sequence, but I cannot determine where. Also, if
I am, I don't know why libtasn1 is allowing me to code the DER without complaint.
Any help is appreciated.
-andy
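Editor's note (added example; this is not the poster's code and does not use libtasn1). Under the RFC 5280 Appendix A.2 module (IMPLICIT TAGS), the expected nesting for a URI distribution point is: distributionPoint [0] is EXPLICIT because DistributionPointName is a CHOICE, fullName [0] is IMPLICIT and replaces the SEQUENCE OF tag of GeneralNames, and uniformResourceIdentifier [6] is IMPLICIT IA5String. On the wire that is A0 { A0 { 86 ... } }, which is exactly what the working certificate's dump shows (A0 73, A0 71, 86 6F); the dump of the poster's extension goes straight from the outer A0 28 to 86 26, so the fullName [0] layer is the one missing. The script below builds the RFC 5280 encoding by hand and strictly decodes it, naming the layer at which a malformed value goes wrong. The poster's DER bytes are reconstructed from the tag/length bytes in his dumpasn1 output and the URI he shows; the working certificate's URI is taken from the post. Everything else (function names, the sample data) is this example's own.

```python
"""Hand-rolled DER encoder and strict decoder for CRLDistributionPoints
(RFC 5280 section 4.2.1.13, Appendix A.2 IMPLICIT TAGS module).

Tag layout, outermost first:
  30  CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
  30    DistributionPoint ::= SEQUENCE { distributionPoint [0] ... OPTIONAL, ... }
  A0      [0] EXPLICIT: a tag on a CHOICE (DistributionPointName) is always explicit
  A0        fullName [0] IMPLICIT GeneralNames: replaces the SEQUENCE OF tag 0x30
  86          uniformResourceIdentifier [6] IMPLICIT IA5String
"""


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_crldp(uris) -> bytes:
    """One DistributionPoint per URI; reasons and cRLIssuer are left absent."""
    points = b""
    for uri in uris:
        general_name = tlv(0x86, uri.encode("ascii"))  # [6] IMPLICIT IA5String
        full_name = tlv(0xA0, general_name)            # fullName [0] IMPLICIT SEQUENCE OF GeneralName
        dp_name = tlv(0xA0, full_name)                 # distributionPoint [0] EXPLICIT (wraps the CHOICE)
        points += tlv(0x30, dp_name)                   # DistributionPoint SEQUENCE
    return tlv(0x30, points)                           # CRLDistributionPoints SEQUENCE OF


def read_tlv(data: bytes, pos: int):
    """Parse one TLV at pos; return (tag, body, next_pos). Single-byte tags only."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def tag_chain(data: bytes):
    """Descend into the first child of each constructed node and return the tags
    seen, i.e. the nesting dumpasn1 prints for a single-URI distribution point."""
    chain = []
    while True:
        tag, body, _ = read_tlv(data, 0)
        chain.append(tag)
        if not (tag & 0x20) or not body:  # primitive, or empty constructed
            return chain
        data = body


def decode_crldp(der: bytes):
    """Strict decode: return the URIs, or raise ValueError naming the bad layer."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CRLDistributionPoints must be a single SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, dp, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError(f"DistributionPoint must be SEQUENCE, got 0x{tag:02x}")
        if not dp:
            continue
        tag, dp_name, _ = read_tlv(dp, 0)
        if tag != 0xA0:                        # only reasons [1] / cRLIssuer [2] present
            continue
        tag, names, _ = read_tlv(dp_name, 0)   # the CHOICE alternative inside EXPLICIT [0]
        if tag == 0xA1:                        # nameRelativeToCRLIssuer: no URI to collect
            continue
        if tag != 0xA0:
            raise ValueError("expected fullName [0] (0xa0) directly inside "
                             f"distributionPoint [0], got 0x{tag:02x}")
        q = 0
        while q < len(names):
            tag, name, q = read_tlv(names, q)
            if tag == 0x86:
                uris.append(name.decode("ascii"))
    return uris


# Constructed sample data. The poster's bytes are rebuilt from the tag/length
# pairs in his dumpasn1 output (30 2C 30 2A A0 28 86 26) plus the URI he shows.
POSTER_URI = "rsync://rpki.arin.net/we-put-crls-here"
POSTER_DER = bytes.fromhex("302c302aa0288626") + POSTER_URI.encode("ascii")
# URI from the working (Java-generated) certificate in the post; its dump shows
# A0 73 A0 71 86 6F, which encode_crldp reproduces byte for byte.
WORKING_URI = ("rsync://llamaxp.arin.net:10873/certrepo/69/"
               "f58f32-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58ltnGiAqTm98.crl")


def diagnose(der: bytes) -> str:
    try:
        return "ok: " + ", ".join(decode_crldp(der))
    except ValueError as e:
        return "bad: " + str(e)


if __name__ == "__main__":
    for label, der in (("poster", POSTER_DER),
                       ("rfc5280", encode_crldp([POSTER_URI])),
                       ("working", encode_crldp([WORKING_URI]))):
        print(label, " ".join(f"{t:02x}" for t in tag_chain(der)), diagnose(der))
```

Run stand-alone, the script prints the tag chain 30 30 a0 86 for the poster's bytes beside 30 30 a0 a0 86 for the RFC 5280 form, and the strict decoder rejects the former at the distributionPoint [0] layer. The decoder is deliberately strict about the fullName tag because a lenient consumer that accepts either shape would hide exactly this kind of encoder bug until a stricter verifier (here OpenSSL) refuses the certificate.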