<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Ron,<DIV><BR class="khtml-block-placeholder"></DIV><DIV>I just want to reiterate that by not preserving the original bytes when decoding, we are forced to re-encode to check signatures. With that comment out of the way...</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>First, I turned off CertificateExtension decoding and republished, so the latest code should now work. I couldn't get it to work...</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Second, this is long in the tooth... </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I am referring to the ASN1 book by Olivier Dubuisson, which you had referred me to at one point so I think you have access to this pdf.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Per Figure 18.2 on page 396, we are using the ASN1ExplicitContextValue to wrap APPLICATION {01cttttt}, Context-specific {10cttttt} and PRIVATE {11cttttt} values - tags 6 and 7. They can be Primitive (Implicit) or Constructed (Explicit) - tag 5. This specific example is using Explicit Context-specific [0] (see page 409, section 18.2.16 Tagged value, where the value of the Explicit triplet is itself one triplet).</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Now, this section just named refers to page 216, which is the chapter on Constructed values. I just scanned it and it seems necessary to define structures as a SEQUENCE, with no "implicit" structures - i.e. they don't seem to define a Context-specific type that can hold more than one Triplet without embedding it in a SEQUENCE.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>So, here is the type definition for an Extension:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Extension ::= SEQUENCE {</DIV><DIV> extnId EXTENSION.&id ({ExtensionSet}),</DIV><DIV> critical BOOLEAN DEFAULT FALSE,</DIV><DIV> extnValue OCTET STRING }</DIV><DIV> -- contains a DER encoding of a value of type</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>and the problem we are having is by trying to DER decode the extnValue field. Here is the full data for that field, both raw and parsed with hex values:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>#(48 50 130 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103 160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>SEQUENCE = T(30) L(32) V( </DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Implicit [2] = T(82) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67) </DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Explicit [0] = T(A0) L(1E) V(</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>OID = T(06) L(08) V(2B 06 01 05 05 07 08 05) </DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Explicit [0] = T(A0) L(12) V(</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>String = T(0C) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67))))</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The outer is a SEQUENCE and is ok. Inside, at the value of the first Explicit [0] Triplet, it is not a SEQUENCE, but it has 2 Triplets inside of it. Looking at its Length (1E), it thinks it should be holding both Triplets.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The code is only grabbing the first Triplet when decoding an Explicit [0], and then the outer Sequence is decoding the second inner Triplet, so I actually get:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Sequence (</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Implicit [2]</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Explicit [0] (OID)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Explicit [0] (String))</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">instead of:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Sequence (</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Implicit [2]</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Explicit [0] (</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>OID</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>Explicit [0]))</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the corresponding length is messed up when I re-encode it.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>That's funny, as we agree. I'll post to the ASN1 list...</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>later,</DIV><DIV>Rob</DIV><DIV><BR><DIV><DIV>On Mar 20, 2007, at 4:30 PM, Ron Teitelbaum wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Times New Roman; font-size: 18px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV class="Section1"><P class="MsoNormal"><FONT size="2" color="navy" face="Arial"><SPAN style="font-size: 10.0pt;font-family:Arial;color:navy; color: rgb(0, 0, 128); font-size: 13.3333px; "><SPAN class="Apple-style-span" style="color: rgb(0, 0, 128); font-family: Arial; font-size: 13.3333px; ">So it’s an explicit cv holding onto an explicit cv and another value. Notice the problem goes back even further and happens twice for this extension. So assuming that this problem matches with the asn rules then can we say that we encode, for size only, the content of an explicit contenxt value as a collection when the element size doesn’t match the first size. </SPAN></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" color="navy" face="Arial"><SPAN style="font-size: 10.0pt;font-family:Arial;color:navy; color: rgb(0, 0, 128); font-size: 13.3333px; "><SPAN class="Apple-style-span" style="color: rgb(0, 0, 128); font-family: Arial; font-size: 13.3333px; ">So encode is</SPAN></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" color="navy" face="Arial"><SPAN style="font-size: 10.0pt;font-family:Arial;color:navy; color: rgb(0, 0, 128); font-size: 13.3333px; "><SPAN class="Apple-style-span" style="color: rgb(0, 0, 128); font-family: Arial; font-size: 13.3333px; "> checkValueSize against next item and set value to collection if necessary, then decode until size is reached.</SPAN></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" color="navy" face="Arial"><SPAN style="font-size: 10.0pt;font-family:Arial;color:navy; color: rgb(0, 0, 128); font-size: 13.3333px; "><SPAN class="Apple-style-span" style="color: rgb(0, 0, 128); font-family: Arial; font-size: 13.3333px; ">And decode is</SPAN></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" color="navy" face="Arial"><SPAN style="font-size: 10.0pt;font-family:Arial;color:navy; color: rgb(0, 0, 128); font-size: 13.3333px; "><SPAN class="Apple-style-span" style="color: rgb(0, 0, 128); font-family: Arial; font-size: 13.3333px; "> If value is collection then encode items in collection and then set size from encoded values.</SPAN></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" color="navy" face="Arial"><SPAN style="font-size: 10.0pt;font-family:Arial;color:navy; color: rgb(0, 0, 128); font-size: 13.3333px; "><SPAN class="Apple-style-span" style="color: rgb(0, 0, 128); font-family: Arial; font-size: 13.3333px; ">I still want to check the docs but I’m guessing that I just missed this possibility. </SPAN></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" color="navy" face="Arial"><SPAN style="font-size: 10.0pt;font-family:Arial;color:navy; color: rgb(0, 0, 128); font-size: 13.3333px; "><SPAN class="Apple-style-span" style="color: rgb(0, 0, 128); font-family: Arial; font-size: 13.3333px; ">Since the ECV is just a wrapper for the tag number, (and your isPrimitive flag), would this cause any other problems?</SPAN></SPAN></FONT></P></DIV></SPAN></BLOCKQUOTE></DIV></DIV></BODY></HTML>