[openssl-dev] Query about CRLDistributionPoints extension data
Dr. Stephen Henson
steve at openssl.org
Fri Mar 31 01:38:51 UTC 2017
On Thu, Mar 30, 2017, Winter Mute wrote:
> Hello,
> All certificates I have encountered with this extension seem to have a
> problem with the encoding of the distributionPoint.
> According to the specs:
>
> DistributionPointName ::= CHOICE {
> fullName [0] GeneralNames,
> nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
>
> x509 implementations seem to confuse the "GeneralNames" with "GeneralName".
> The distinction is that the former is a sequence consisting of one or more
> instances of the latter, i.e:
>
> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>
> Am I wrong about this? How does openssl parse this extension?
OpenSSL has never had a problem parsing this extension and it complies with
the specs. If it did have a problem it wouldn't be able to display the
contents of the extension.
Note that you wont see the SEQUENCE tag for the SEQUENCE OF GeneralName
because it is implicitly tagged.
Can you point to an example of a certificate where you think it is incorrectly
encoded?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-dev
mailing list