> I searched the archives, but didn't find any hits for what I want. If this
> has already been discussed, please let me know how to improve my search
> string.
>
> On to my question: I know DER is a subset of BER, so therefore OpenSSL does
> "write to BER", but can we write to any other BER encodings besides DER?

No, but why would you want to? Every object that can be legally coded in BER
has a representation in DER.

> My issue stems from a server expecting a PKCS1 X509 ASN.1 BER encoded
> public key. I'm currently calling i2d_RSA_PUBKEY() after generating a new
> RSA object, but the result is in DER encoding and the server does not like
> it.

Sounds like a bug. A DER-encoded public key is a BER-encoded public key
since DER is a subset of DER.

An analogy might help. Consider two number specifications, one called
"decimal" and the other called "distinguished decimal". The difference is
that distinguished decimal disallows some things decimal allows. For example,
decimal allows "10", "10.0" and "010". "Distinguished decimal" requires that
all leading or trailing zeroes that are not required are not allowed, so
only "10" is permitted. Since "10" is legal decimal, any legal distinguished
decimal output is also perfectly valid decimal, and there is nothing you can
express in decimal that you cannot express in distinguished decimal.

The difference is that decimal can be signed and distinguished decimal
cannot be. How can you test if someone has signed 10 if you don't know if
they signed "10.0" or "010" or "000010"?

DER is similarly BER with every optional decision made for you already.
OpenSSL can *read* BER. Since it can output DER, it can output BER.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
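
The point made in the reply above, as an added example that is not part of the original message and is not OpenSSL code: several BER encodings of one value all normalize to a single DER byte string, which is what makes DER suitable for signing. The function names and sample bytes are constructed for illustration, and the sketch covers only three BER freedoms (length form, indefinite length, BOOLEAN TRUE), not constructed strings or SET ordering.

```python
def read_tlv(buf, pos=0):
    """Decode one BER TLV; return (tag, value, next_pos).
    value is bytes for primitive types, a list of (tag, value) for constructed."""
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are outside this sketch")
    pos += 2
    if first == 0x80:                          # indefinite length: BER only
        if not tag & 0x20:
            raise ValueError("indefinite length requires a constructed type")
        items = []
        while buf[pos:pos + 2] != b"\x00\x00":  # end-of-contents octets
            t, v, pos = read_tlv(buf, pos)
            items.append((t, v))
        return tag, items, pos + 2
    length = first
    if first & 0x80:                           # long form; BER permits padding
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated encoding")
    if not tag & 0x20:
        return tag, bytes(buf[pos:end]), end
    items = []
    while pos < end:
        t, v, pos = read_tlv(buf, pos)
        items.append((t, v))
    return tag, items, end

def der_encode(tag, value):
    """Re-encode with DER's fixed choices: definite, minimal length; TRUE = 0xFF."""
    if isinstance(value, list):
        body = b"".join(der_encode(t, v) for t, v in value)
    elif tag == 0x01:                          # universal BOOLEAN
        body = b"\xff" if any(value) else b"\x00"
    else:
        body = value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def to_der(ber):
    tag, value, end = read_tlv(ber)
    if end != len(ber):
        raise ValueError("trailing data after the outer TLV")
    return der_encode(tag, value)

# Constructed sample: SEQUENCE { INTEGER 10, BOOLEAN TRUE }
DER = bytes.fromhex("3006 02010a 0101ff")
BER_VARIANTS = ["308107 0281010a 010101",      # long-form lengths, TRUE as 0x01
                "3080 02010a 0101ff 0000",     # indefinite-length SEQUENCE
                "30820006 02010a 0101ff"]      # zero-padded long-form length
```

A strict DER check for these rules is `to_der(buf) == buf`: it holds for `DER` and fails for every entry in `BER_VARIANTS`.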