Can anyone tell me how ASN.1 CHOICE structures should be parsed: openssl parsing ... 185:d=1 hl=2 l= 45 cons: SEQUENCE 187:d=2 hl=2 l= 43 cons: cont [ 0 ] 189:d=3 hl=2 l= 41 cons: cont [ 0 ] 191:d=4 hl=2 l= 39 prim: cont [ 6 ] -> this is actually IA5STRING
from http://www.faqs.org/rfcs/rfc3280.html DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, reasons [1] ReasonFlags OPTIONAL, cRLIssuer [2] GeneralNames OPTIONAL } DistributionPointName ::= CHOICE { fullName [0] GeneralNames, nameRelativeToCRLIssuer [1] RelativeDistinguishedName } GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER } How should this be parsed according to specifications? ASN.1 specification says that CHOICE is not encoded as separate entity (it is encoded solely as their choosen element). value1 CHOICE {flag BOOLEAN, value INTEGER} ::= flag:TRUE value2 CHOICE {flag BOOLEAN, value INTEGER} ::= value:72 we get the encodings: value1 01 01 FF (it is encoded as BOOLEAN with TAG 1) value2 02 01 48 (it is encoded as BOOLEAN with TAG 2) But what if there are nested CHOICE elements ? CHOICE { a CHOICE { c BOOLEAN, d INTEGER} , b CHOICE { c BOOLEAN, d INTEGER} } ? Now how org.mozilla.jss.asn1.* parses it, it takes 0 and use it for fullName and another 0 for otherName. But I fail to see, how to distinguiss between [0] [0] (fullName) and [0] [1] (nameRelativeToCRLIssuer ). I would always took fullName if it starts with [0]. BUG? There are two options: - each construct and their children should have unique TAG (both second CHOICEs should have different TAGs). - or choice should parse TAG and not forward it to its children ... CHOICE should handle CHOICE.encode (Tag tg, InputStream is) and read next TAG instead of using current one, before calling encode(InputStream is). Partial (hack) solution is to add a sequence before each second CHOICE. Comments??? Matej Spiller-Muys _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto