<div dir="ltr">I see, you're right. The contents octets do indeed contain the GeneralNames sequence. Thanks for clearing this up!<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 31, 2017 at 4:38 AM, Dr. Stephen Henson <span dir="ltr"><<a href="mailto:steve@openssl.org" target="_blank">steve@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Thu, Mar 30, 2017, Winter Mute wrote:<br>
<br>
> Hello,<br>
> All certificates I have encountered with this extension seem to have a<br>
> problem with the encoding of the distributionPoint.<br>
> According to the specs:<br>
><br>
> DistributionPointName ::= CHOICE {<br>
> fullName [0] GeneralNames,<br>
> nameRelativeToCRLIssuer [1] RelativeDistinguishedName }<br>
><br>
> x509 implementations seem to confuse the "GeneralNames" with "GeneralName".<br>
> The distinction is that the former is a sequence consisting of one or more<br>
> instances of the latter, i.e:<br>
><br>
> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName<br>
><br>
> Am I wrong about this? How does openssl parse this extension?<br>
<br>
</div></div>OpenSSL has never had a problem parsing this extension and it complies with<br>
the specs. If it did have a problem it wouldn't be able to display the<br>
contents of the extension.<br>
<br>
Note that you wont see the SEQUENCE tag for the SEQUENCE OF GeneralName<br>
because it is implicitly tagged.<br>
<br>
Can you point to an example of a certificate where you think it is incorrectly<br>
encoded?<br>
<br>
Steve.<br>
--<br>
Dr Stephen N. Henson. OpenSSL project core developer.<br>
Commercial tech support now available see: <a href="http://www.openssl.org" rel="noreferrer" target="_blank">http://www.openssl.org</a><br>
<span class="HOEnZb"><font color="#888888">--<br>
openssl-dev mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-dev" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-dev</a><br>
</font></span></blockquote></div><br></div>