[openssl-dev] Query about CRLDistributionPoints extension data

Winter Mute zshrdlu at gmail.com
Fri Mar 31 09:47:15 UTC 2017


I see, you're right. The contents octets do indeed contain the GeneralNames
sequence. Thanks for clearing this up!

On Fri, Mar 31, 2017 at 4:38 AM, Dr. Stephen Henson <steve at openssl.org>
wrote:

> On Thu, Mar 30, 2017, Winter Mute wrote:
>
> > Hello,
> > All certificates I have encountered with this extension seem to have a
> > problem with the encoding of the distributionPoint.
> > According to the specs:
> >
> >    DistributionPointName ::= CHOICE {
> >         fullName                [0]     GeneralNames,
> >         nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
> >
> > x509 implementations seem to confuse the "GeneralNames" with "GeneralName".
> > The distinction is that the former is a sequence consisting of one or more
> > instances of the latter, i.e.:
> >
> > GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
> >
> > Am I wrong about this? How does openssl parse this extension?
>
> OpenSSL has never had a problem parsing this extension and it complies with
> the specs. If it did have a problem it wouldn't be able to display the
> contents of the extension.
>
> Note that you won't see the SEQUENCE tag for the SEQUENCE OF GeneralName
> because it is implicitly tagged.
>
> Can you point to an example of a certificate where you think it is
> incorrectly encoded?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
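The tagging point Steve makes is easy to see by walking the DER bytes. The following is an added example (it is not code from this thread or from OpenSSL) using only the Python standard library: it builds a CRLDistributionPoints value by hand, once with the correct IMPLICIT [0] for fullName and once with the mistaken extra SEQUENCE tag, and then walks the bytes to show that under the correct encoding the [0] tag (0xA0) directly contains the GeneralName elements (here a [6] uniformResourceIdentifier, 0x86) with no 0x30 in between. The URI is a constructed sample value.

```python
"""
Added example, not part of the openssl-dev thread or of OpenSSL itself.

Shows why the SEQUENCE tag of GeneralNames is absent in a correctly
encoded CRLDistributionPoints extension: fullName is [0] IMPLICIT, so the
context tag 0xA0 *replaces* the universal SEQUENCE tag 0x30.

ASN.1 from RFC 5280:
  CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
  DistributionPoint     ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
  DistributionPointName ::= CHOICE { fullName [0] GeneralNames,
                                     nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
  GeneralNames          ::= SEQUENCE SIZE (1..MAX) OF GeneralName
"""
from typing import List, Tuple

SEQUENCE = 0x30          # UNIVERSAL 16, constructed
CTX0_CONSTRUCTED = 0xA0  # context-specific [0], constructed
CTX6_PRIMITIVE = 0x86    # context-specific [6], primitive: GeneralName.uniformResourceIdentifier

def der_length(n: int) -> bytes:
    """Definite-form DER length encoding (short and long forms)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a single-byte tag plus DER length."""
    return bytes([tag]) + der_length(len(body)) + body

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after this TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed value into its (tag, contents) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, contents, pos = read_tlv(body, pos)
        out.append((tag, contents))
    return out

def encode_crl_dp(uris: List[str], implicit: bool = True) -> bytes:
    """Encode one DistributionPoint with a fullName holding the given URIs.

    implicit=True  : [0] IMPLICIT replaces the SEQUENCE tag (correct, what OpenSSL emits).
    implicit=False : the mistaken reading from the thread, an extra 0x30 under [0].
    """
    general_names = b"".join(tlv(CTX6_PRIMITIVE, u.encode("ascii")) for u in uris)
    full_name = tlv(CTX0_CONSTRUCTED, general_names if implicit
                    else tlv(SEQUENCE, general_names))
    # distributionPoint [0] wraps a CHOICE, so that tag is EXPLICIT: a second 0xA0 layer.
    distribution_point = tlv(SEQUENCE, tlv(CTX0_CONSTRUCTED, full_name))
    return tlv(SEQUENCE, distribution_point)

def tag_path(der: bytes) -> List[int]:
    """Tags met descending the first branch, e.g. [0x30, 0x30, 0xA0, 0xA0, 0x86]."""
    path, node = [], der
    while node:
        tag, contents, _ = read_tlv(node, 0)
        path.append(tag)
        if not tag & 0x20:   # primitive value: nothing further to descend into
            break
        node = contents
    return path

def crl_dp_uris(der: bytes) -> List[str]:
    """Extract fullName URIs; reject a stray SEQUENCE tag directly under fullName [0]."""
    tag, body, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris: List[str] = []
    for dp_tag, dp_body in children(body):
        if dp_tag != SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field_tag, field_body in children(dp_body):
            if field_tag != CTX0_CONSTRUCTED:
                continue  # reasons [1] / cRLIssuer [2] are not handled here
            name_tag, name_body, _ = read_tlv(field_body, 0)
            if name_tag != CTX0_CONSTRUCTED:
                continue  # nameRelativeToCRLIssuer [1]
            for gn_tag, gn_body in children(name_body):
                if gn_tag == SEQUENCE:
                    raise ValueError("explicit SEQUENCE under fullName [0]: "
                                     "GeneralNames must be implicitly tagged")
                if gn_tag == CTX6_PRIMITIVE:
                    uris.append(gn_body.decode("ascii"))
    return uris

def is_well_encoded(der: bytes) -> bool:
    """True when the fullName uses the implicit tag the spec requires."""
    try:
        crl_dp_uris(der)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    sample = ["http://crl.example.invalid/ca.crl"]   # constructed sample URI
    good, bad = encode_crl_dp(sample), encode_crl_dp(sample, implicit=False)
    print("correct :", [hex(t) for t in tag_path(good)], crl_dp_uris(good))
    print("mistaken:", [hex(t) for t in tag_path(bad)], is_well_encoded(bad))
```

On a real certificate the same nesting can be inspected with `openssl asn1parse -in cert.pem -i`, which prints the two nested `cont [ 0 ]` levels and then the `cont [ 6 ]` URI with no `SEQUENCE` between them; `openssl x509 -in cert.pem -noout -text` shows the decoded "CRL Distribution Points" block that Steve refers to.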

