[openssl-dev] Query about CRLDistributionPoints extension data

Winter Mute zshrdlu at gmail.com
Thu Mar 30 17:55:24 UTC 2017

All certificates I have encountered with this extension seem to have a
problem with the encoding of the distributionPoint.
According to the specs:

   DistributionPointName ::= CHOICE {
        fullName                [0]     GeneralNames,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

x509 implementations seem to confuse the "GeneralNames" with "GeneralName".
The distinction is that the former is a sequence consisting of one or more
instances of the latter, i.e.:

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

Am I wrong about this? How does openssl parse this extension?
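
The byte layout in question, as an added example that is not part of the original post and is not OpenSSL's code: a standard-library DER walk of a cRLDistributionPoints value, assuming RFC 5280's IMPLICIT TAGS module, where the [0] on fullName replaces the SEQUENCE tag of GeneralNames. The function names, URIs and sample bytes are constructed for illustration.

```python
# Added example: DER walk of a cRLDistributionPoints value. Sample bytes are constructed.
def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def full_name_uris(ext_value):
    """Collect the URI GeneralNames found in every DistributionPoint.fullName."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected SEQUENCE OF DistributionPoint")
    uris = []
    for dp_tag, dp in children(body):
        if dp_tag != 0x30:
            raise ValueError("expected DistributionPoint SEQUENCE")
        for f_tag, field in children(dp):
            if f_tag != 0xA0:                  # distributionPoint [0], EXPLICIT around the CHOICE
                continue
            for c_tag, choice in children(field):
                if c_tag != 0xA0:              # fullName [0] IMPLICIT stands in for the 0x30 tag
                    continue                   # 0xA1 would be nameRelativeToCRLIssuer
                for gn_tag, gn in children(choice):   # one or more GeneralName
                    if gn_tag == 0x86:         # uniformResourceIdentifier [6]
                        uris.append(gn.decode("ascii"))
    return uris

def der(tag, value):                           # short-form lengths only (< 128 bytes)
    return bytes([tag, len(value)]) + value

# Constructed sample: one DistributionPoint whose fullName carries two URIs.
URIS = (b"http://crl.example.test/a.crl", b"ldap://dir.example.test/cn=crl")
SAMPLE = der(0x30, der(0x30, der(0xA0, der(0xA0, b"".join(der(0x86, u) for u in URIS)))))
```

In a hex dump the value begins 30 .. 30 .. A0 .. A0 .. 86, so the GeneralName entries sit directly inside the second A0 with no separate 30 header between them.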