[Cryptography Team] Debugging SSL on Linux

Robert Withers reefedjib at yahoo.com
Wed Mar 21 20:32:58 UTC 2007 

On Mar 21, 2007, at 9:59 AM, Ron Teitelbaum wrote:

> Rob,
>
>
>
> I think what we have is a
>
>
>
> 3.2 Constructed, definite-length method
> This method applies to simple string types, structured types, types  
> derived
> simple string types and structured types by implicit tagging, and  
> types derived
> from anything by explicit tagging. It requires that the length of  
> the value be
> known in advance. The parts of the BER encoding are as follows:
> Identifier octets. As described in Section 3.1, except that bit 6  
> has value "1,"
> indicating that the encoding is constructed.

It turns out to be Implicit, which means you don't have the value  
encoded with explicit tags.  The definition specifies the type, in  
this case a Sequence.

>  The value 160 (1 in bit 6) should be considered a Constructed,  
> Definite-length field.  I’m still researching it but it would seem  
> to me that this is how you define a user object within a value.   
> Instead of having a primitive data type within an explicit context  
> value you have a constructed data type (in our world an object with  
> ivars).
It is constructed because it is not a simple "primitive" type.
>  I’m still reading but I think that we may be able to replace 160  
> with ASN1ExplicitContextValueConstructed that has a definite length  
> and holds the values in a sequence.  Do you have the actual ANS.1  
> definition for this extension?  I’d be interested if it says that  
> it’s explicit constructed.
It's Implicit constructed.  Here is the definition:

-- subject alternative name extension OID and syntax

id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
      otherName                       [0]     AnotherName,
      rfc822Name                      [1]     IA5String,
      dNSName                         [2]     IA5String,
      x400Address                     [3]     ORAddress,
      directoryName                   [4]     Name,
      ediPartyName                    [5]     EDIPartyName,
      uniformResourceIdentifier       [6]     IA5String,
      iPAddress                       [7]     OCTET STRING,
      registeredID                    [8]     OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {
      type-id    OBJECT IDENTIFIER,
      value      [0] EXPLICIT ANY DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {
      nameAssigner            [0]     DirectoryString OPTIONAL,
      partyName               [1]     DirectoryString }

and my bytes specify:

Sequence {
	dNSName [2]  IA5String,
	otherName [0] AnotherName}

where AnotherName is an Implicit sequence.

Rob

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.squeakfoundation.org/pipermail/cryptography/attachments/20070321/4ad9be5d/attachment-0001.htm

More information about the Cryptography mailing list