Query about CRLDistributionPoints extension data

Winter Mute
Hello,
All certificates I have encountered with this extension seem to have a problem with the encoding of the distributionPoint.
According to the specs:
   DistributionPointName ::= CHOICE {
        fullName                [0]     GeneralNames,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

x509 implementations seem to confuse the "GeneralNames" with "GeneralName". The distinction is that the former is a sequence consisting of one or more instances of the latter, i.e.:
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName


Am I wrong about this? How does openssl parse this extension?

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Query about CRLDistributionPoints extension data

Dr. Stephen Henson
On Thu, Mar 30, 2017, Winter Mute wrote:

> Hello,
> All certificates I have encountered with this extension seem to have a
> problem with the encoding of the distributionPoint.
> According to the specs:
>
>    DistributionPointName ::= CHOICE {
>         fullName                [0]     GeneralNames,
>         nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
>
> x509 implementations seem to confuse the "GeneralNames" with "GeneralName".
> The distinction is that the former is a sequence consisting of one or more
> instances of the latter, i.e.:
>
> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>
> Am I wrong about this? How does openssl parse this extension?

OpenSSL has never had a problem parsing this extension and it complies with
the specs. If it did have a problem it wouldn't be able to display the
contents of the extension.

Note that you won't see the SEQUENCE tag for the SEQUENCE OF GeneralName
because it is implicitly tagged.

Can you point to an example of a certificate where you think it is incorrectly
encoded?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
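To make Steve's point concrete, here is an added example (written for this page, not OpenSSL's parser or anything posted in the thread) that builds a minimal CRLDistributionPoints value in DER and walks its tag/length/value layers. It assumes the tag layering of RFC 5280: the RFC 5280 module uses IMPLICIT tags, so `fullName [0] GeneralNames` replaces the SEQUENCE OF tag (0x30) with the context tag [0] (0xA0), and `uniformResourceIdentifier [6] IA5String` replaces the IA5String tag with [6] (0x86); `distributionPoint [0]` wraps a CHOICE and is therefore EXPLICIT, so a second 0xA0 appears outside. The URIs are constructed sample values. Everything after the tag path 0x30, 0x30, 0xA0, 0xA0 is the GeneralNames content, with no 0x30 in sight, which is why a reader who expects to see the SEQUENCE tag concludes the encoding is wrong.

```python
# Added example (not from the thread): build a constructed CRLDistributionPoints
# value in DER and walk it, to show where the GeneralNames SEQUENCE tag "goes".
from typing import Any, List, Tuple

# Tags used below. The RFC 5280 module is DEFINITIONS IMPLICIT TAGS.
SEQUENCE = 0x30          # UNIVERSAL 16, constructed
CTX0_CONSTRUCTED = 0xA0  # [0], constructed (context-specific)
CTX6_PRIMITIVE = 0x86    # [6] IMPLICIT IA5String: uniformResourceIdentifier


def _encode_length(n: int) -> bytes:
    """DER length: short form below 128 octets, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag/length/value element."""
    return bytes([tag]) + _encode_length(len(body)) + body


def build_crl_dp(uris: List[str]) -> bytes:
    """CRLDistributionPoints with one DistributionPoint whose fullName holds
    every URI in `uris` (constructed sample data). Tag layering per RFC 5280:
      distributionPoint [0]        -> EXPLICIT (DistributionPointName is a CHOICE)
      fullName [0] GeneralNames    -> IMPLICIT: [0] replaces the SEQUENCE OF tag
      uniformResourceIdentifier [6] -> IMPLICIT: [6] replaces the IA5String tag
    """
    general_names = b"".join(tlv(CTX6_PRIMITIVE, u.encode("ascii")) for u in uris)
    full_name = tlv(CTX0_CONSTRUCTED, general_names)       # implicit: no 0x30 here
    distribution_point = tlv(CTX0_CONSTRUCTED, full_name)  # explicit wrapper
    return tlv(SEQUENCE, tlv(SEQUENCE, distribution_point))


Node = Tuple[int, Any]  # (tag, raw content octets) or (tag, [child Nodes])


def _decode_length(buf: bytes, i: int) -> Tuple[int, int]:
    """Return (length, index of first content octet); reject non-DER forms."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    num = first & 0x7F
    if num == 0 or num > 4:
        raise ValueError("indefinite or oversized length is not DER")
    return int.from_bytes(buf[i + 1:i + 1 + num], "big"), i + 1 + num


def parse_der(buf: bytes) -> List[Node]:
    """Parse a run of DER elements. Constructed elements (bit 6 of the tag
    set) recurse into their children; primitives keep their content octets."""
    out: List[Node] = []
    i = 0
    while i < len(buf):
        tag = buf[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags do not occur in this extension")
        length, i = _decode_length(buf, i + 1)
        body = buf[i:i + length]
        if len(body) != length:
            raise ValueError("truncated element")
        out.append((tag, parse_der(body) if tag & 0x20 else body))
        i += length
    return out


def tag_path(der: bytes) -> List[int]:
    """Tags seen descending the first child at each level down to the first
    GeneralName; the GeneralNames level shows 0xA0, never 0x30."""
    path: List[int] = []
    nodes = parse_der(der)
    while nodes:
        tag, body = nodes[0]
        path.append(tag)
        nodes = body if isinstance(body, list) else []
    return path


def extract_uris(der: bytes) -> List[str]:
    """Collect every uniformResourceIdentifier found anywhere in the value."""
    uris: List[str] = []

    def walk(nodes: List[Node]) -> None:
        for tag, body in nodes:
            if isinstance(body, list):
                walk(body)
            elif tag == CTX6_PRIMITIVE:
                uris.append(body.decode("ascii"))

    walk(parse_der(der))
    return uris


if __name__ == "__main__":
    der = build_crl_dp(["http://crl.example/ca.crl", "ldap://dir.example/cn=ca"])
    print(der.hex())
    print([hex(t) for t in tag_path(der)])  # 0x30 0x30 0xa0 0xa0 0x86
    print(extract_uris(der))
```

Running the script prints the tag path `0x30, 0x30, 0xa0, 0xa0, 0x86`: the two 0x30 tags are CRLDistributionPoints and DistributionPoint, the first 0xA0 is the explicit `distributionPoint [0]`, the second 0xA0 is the implicitly tagged GeneralNames, and 0x86 is the first GeneralName. With two URIs the second 0xA0 simply contains two 0x86 siblings, which is the "one or more" of `SEQUENCE SIZE (1..MAX) OF GeneralName`.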
Re: Query about CRLDistributionPoints extension data

Winter Mute
I see, you're right. The contents octets do indeed contain the GeneralNames sequence. Thanks for clearing this up!

On Fri, Mar 31, 2017 at 4:38 AM, Dr. Stephen Henson <[hidden email]> wrote:
On Thu, Mar 30, 2017, Winter Mute wrote:

> Hello,
> All certificates I have encountered with this extension seem to have a
> problem with the encoding of the distributionPoint.
> According to the specs:
>
>    DistributionPointName ::= CHOICE {
>         fullName                [0]     GeneralNames,
>         nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
>
> x509 implementations seem to confuse the "GeneralNames" with "GeneralName".
> The distinction is that the former is a sequence consisting of one or more
> instances of the latter, i.e.:
>
> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>
> Am I wrong about this? How does openssl parse this extension?

OpenSSL has never had a problem parsing this extension and it complies with
the specs. If it did have a problem it wouldn't be able to display the
contents of the extension.

Note that you won't see the SEQUENCE tag for the SEQUENCE OF GeneralName
because it is implicitly tagged.

Can you point to an example of a certificate where you think it is incorrectly
encoded?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org