[openssl-dev] Query about CRLDistributionPoints extension data

Dr. Stephen Henson steve at openssl.org
Fri Mar 31 01:38:51 UTC 2017

On Thu, Mar 30, 2017, Winter Mute wrote:

> Hello,
> All certificates I have encountered with this extension seem to have a
> problem with the encoding of the distributionPoint.
> According to the specs:
>    DistributionPointName ::= CHOICE {
>         fullName                [0]     GeneralNames,
>         nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
> x509 implementations seem to confuse the "GeneralNames" with "GeneralName".
> The distinction is that the former is a sequence consisting of one or more
> instances of the latter, i.e:
> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
> Am I wrong about this? How does openssl parse this extension?

OpenSSL has never had a problem parsing this extension and it complies with
the specs. If it did have a problem it wouldn't be able to display the
contents of the extension.

Note that you won't see the SEQUENCE tag for the SEQUENCE OF GeneralName
because it is implicitly tagged.

Can you point to an example of a certificate where you think it is incorrectly

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
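
The implicit tagging described in the reply, as an added example that is not part of the original message and is not OpenSSL code: it builds a CRLDistributionPoints value with two GeneralName URIs and walks the DER to show that the fullName [0] tag (0xA0) stands where the SEQUENCE tag (0x30) of GeneralNames would be. The URLs and all function names are constructed for illustration.

```python
# Added illustration; the URLs are constructed placeholders, not from the thread.
URIS = [b"http://crl.example.test/ca.crl", b"http://crl2.example.test/ca.crl"]

def tlv(tag, content):
    """Encode one DER TLV (short-form length, enough for this sample)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed value into its (tag, content) members."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def build_cdp(uris):
    names = b"".join(tlv(0x86, u) for u in uris)  # GeneralName: [6] IMPLICIT IA5String
    full_name = tlv(0xA0, names)       # fullName [0] IMPLICIT: replaces the 0x30 of GeneralNames
    dp_name = tlv(0xA0, full_name)     # distributionPoint [0]: explicit, because it tags a CHOICE
    return tlv(0x30, tlv(0x30, dp_name))  # SEQUENCE OF DistributionPoint

def full_names(ext_value):
    """Return [(tag, value), ...] for every GeneralName under a fullName."""
    tag, body, _ = read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    found = []
    for _dp_tag, dp in children(body):
        for f_tag, field in children(dp):
            if f_tag != 0xA0:          # reasons [1] / cRLIssuer [2] are skipped
                continue
            choice_tag, choice, _ = read_tlv(field)
            if choice_tag == 0xA0:     # fullName; 0xA1 would be nameRelativeToCRLIssuer
                found.extend(children(choice))
    return found
```

The members directly under the inner 0xA0 are the individual GeneralName elements, so a parser that expects a 0x30 there will misread a correctly encoded extension.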
