[Cryptography Team] first cut at CertificateExtensions and ASN1
issues
Robert Withers
reefedjib at yahoo.com
Sun Jan 28 21:03:26 UTC 2007
My code changes broke the certificate validation code, so I rolled
this back.
The big problem with ASN1 is that the re-encoding of a decoded ASN1
does not necessarily match the original encoding. There seem to be
several reasons for this, including an incomplete parsing of context-
specific values and an optional NULL parameter in the
X509AlgorithmIdentifier. There may be others. It would be nice to
capture and maintain the original bytes for each node in the
ASN1Value tree, so we could produce the original bytes on demand.
However, checking the Certificate signature of the TBSCertificate is
the only use of this that I know of. I believe this is what VW does
and why it does it. Based on he way we incrementally decode ASN1
from a stream, I don't see how to do it. We would need to change the
way we decode ASN1.
food for thought.
Rob
On Jan 27, 2007, at 10:59 AM, Robert Withers wrote:
> I made a first cut at parsing the CertificateExtensions. I grab
> the OID and then I do an ASN1 DER decoding of the value. We have
> shortcomings in the way we decode the tag for DER/BER encodings.
> We don't decode multi-byte tags for example.
>
> When I was decoding the cert extensions, I ran across several new
> tags, namely 128 and 130. According to ASN1dubuisson.pdf, these
> are context-specific, primitive types. When we have the high order
> bit set, we are masking the low order bits. I changed the mask to
> mask out the high order bit. This means that my 2 tags decode to a
> ByteArray, while the ExplicitConstructed type (101xxxxx) still
> decodes correctly. You may want to review my code in Cryptography-
> ASN package, specifically the ASN1Value class>>#typeClassForTag:
>
> Robert
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> cryptography
More information about the Cryptography
mailing list