help-libtasn1

RE: DER coding CRLDistributions points


From: Andy Newton
Subject: RE: DER coding CRLDistributions points
Date: Thu, 10 Feb 2011 14:39:17 +0000

Problem solved.

Your pointer to the GnuTLS code was very helpful. However, their code and mine 
do the same thing.
The difference was in the asn file used to generate the asn1 array C file. 
Looking at the GnuTLS file, they marked distributionPoint as EXPLICIT. I had 
copied the file that came with libtasn1 and failed to notice this was missing.

Thanks for your help.

-andy

________________________________________
From: Simon Josefsson address@hidden
Sent: Thursday, February 10, 2011 6:09 AM
To: Andy Newton
Cc: address@hidden
Subject: Re: DER coding CRLDistributions points

Andy Newton <address@hidden> writes:

> As a follow up (I could not include this in the same email due to mailing list 
> limitations), when I compare the output of my program with the output of 
> another certificate which does render properly in OpenSSL, I see a missing 
> sequence.

The difference is not a missing SEQUENCE, but a missing explicit [0]
tag, isn't it?  I can't provide any more help than this right now, but
maybe it will lead you in the right direction.  If you can distill your
problem into some self-contained code (ASN1 schema + C code + build
instructions) it would be easier to start debugging for us where the
problem is.

Also compare code in GnuTLS related to this:

http://git.savannah.gnu.org/cgit/gnutls.git/tree/lib/x509/extensions.c#n1111
http://git.savannah.gnu.org/cgit/gnutls.git/tree/lib/x509/extensions.c#n906

However it looks similar to your code.

/Simon

> Here is my extension as seen by dumpasn1:
>
> 534   53:         SEQUENCE {
>    <06 03>
> 536    3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
>         :             (X.509 extension)
>    <04 2E>
> 541   46:           OCTET STRING, encapsulates {
>    <30 2C>
> 543   44:             SEQUENCE {
>    <30 2A>
> 545   42:               SEQUENCE {
>    <A0 28>
> 547   40:                 [0] {
>    <86 26>
> 549   38:                   [6] 'rsync://rpki.arin.net/we-put-crls-here'
>         :                   }
>         :                 }
>         :               }
>         :             }
>         :           }
>         :         }
>
> And here is the extension of the working cert as seen by dumpasn1:
>
> 923  128:         SEQUENCE {
>    <06 03>
> 926    3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
>         :             (X.509 extension)
>    <04 79>
> 931  121:           OCTET STRING, encapsulates {
>    <30 77>
> 933  119:             SEQUENCE {
>    <30 75>
> 935  117:               SEQUENCE {
>    <A0 73>
> 937  115:                 [0] {
>    <A0 71>
> 939  113:                   [0] {
>    <86 6F>
> 941  111:                     [6]
>         :                   'rsync://llamaxp.arin.net:10873/certrepo/69/f58f3'
>         :                   '2-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58'
>         :                   'ltnGiAqTm98.crl'
>         :                     }
>         :                   }
>         :                 }
>         :               }
>         :             }
>         :           }
>
> It seems I'm missing an extra sequence, but I cannot determine where. Also, 
> if I am, I don't know why libtasn1 is allowing me to code the DER without 
> complaint.
>
> Any help is appreciated.
>
> -andy

