On Mon, Nov 22, 2010, Patrick Patterson wrote:
> Hi All:
>
> Here is a question for the ASN1 encoding gods :)
>
> Given:
>
> LogotypeExtn ::= SEQUENCE {
>   communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo OPTIONAL,
>   issuerLogo     [1] EXPLICIT LogotypeInfo OPTIONAL,
>   subjectLogo    [2] EXPLICIT LogotypeInfo OPTIONAL,
>   otherLogos     [3] EXPLICIT SEQUENCE OF OtherLogotypeInfo OPTIONAL }
>
> LogotypeInfo ::= CHOICE {
>   direct   [0] LogotypeData,
>   indirect [1] LogotypeReference }
>
> LogotypeReference ::= SEQUENCE {
>   refStructHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
>   refStructURI  SEQUENCE SIZE (1..MAX) OF IA5String }
>   -- Places to get the same "LTD" file
>
> HashAlgAndValue ::= SEQUENCE {
>   hashAlg   AlgorithmIdentifier,
>   hashValue OCTET STRING }
>
>
> I believe that an indirect issuerLogo SHOULD be encoded in openssl.cnf as:
>
> [extra_extensions]
> 1.3.6.1.5.5.7.1.12 = ASN1:SEQUENCE:logotype_ext
>
> [logotype_ext]
> issuerLogo=EXPLICIT:1,SEQUENCE:logotype_indirect
>
> [logotype_indirect]
> refStructHash=SEQUENCE:HashAlgAndValue
> refStructURI=SEQWRAP,IA5STRING:http://some.valid.url.here
>
> [HashAlgAndValue]
> hashAlg=SEQUENCE:logo_algid
> hashValue=FORMAT:HEX,OCTETSTRING:ebd6c473fe37a0f90f2c4c654bf4d4087ab45fc
>
> [logo_algid]
> capabilityID = OID:sha1
> parameter = NULL
>
> (and please ignore the fact that I've mangled the value of the sha1 sum)
>
> Should the above actually encode the extension correctly, or is there
> something additional that I need to do for the CHOICE? The other thing to
> know is whether anyone knows, for implementations of 3709, if
> AlgorithmIdentifier parameters really should be NULL, or omitted.
>
For something that complex I'd normally code up a test module to check it was
parsed correctly and ideally have a few examples as well.
I can see at least two problems with the encoding above.
You have the outer explicitly tagged issuerLogo field but you haven't tagged
the choice option logotype_indirect which needs an implicit tag (taken from
RFC3709 definition).
Also refStructHash is a SEQUENCE OF HashAlgAndValue and HashAlgAndValue is
itself a SEQUENCE, so you're missing a SEQUENCE tag there; since you've only
one element, a SEQWRAP should do fine.
For SHA1 it is normal to omit the NULL in more modern specs but any decoder
should tolerate a NULL or absent parameters.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
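Steve's two corrections applied to the configuration from the question, as an added example that is not part of the original thread. It assumes OpenSSL's ASN1 generate syntax accepts the chained modifiers `EXPLICIT:1,IMPLICIT:1` (explicit wrapper listed first), that the sections live in a file named logotype.cnf, and uses an all-zero placeholder where the real SHA-1 of the LTD file belongs.

```ini
# Added example: corrected openssl.cnf fragment for an indirect issuerLogo.
# The top-level "asn1" key only exists so the structure can be generated and
# dumped for inspection, as Steve suggests:
#   openssl asn1parse -genconf logotype.cnf -i
asn1 = SEQUENCE:logotype_ext

[extra_extensions]
1.3.6.1.5.5.7.1.12 = ASN1:SEQUENCE:logotype_ext

[logotype_ext]
# LogotypeExtn.issuerLogo is [1] EXPLICIT. The CHOICE alternative "indirect"
# carries its own [1] IMPLICIT tag (the RFC 3709 module uses IMPLICIT TAGS),
# so the SEQUENCE tag of LogotypeReference is replaced by [1] and the result
# is then wrapped in the explicit [1]. The explicit modifier must be listed
# before the implicit one.
issuerLogo = EXPLICIT:1,IMPLICIT:1,SEQUENCE:logotype_indirect

[logotype_indirect]
# refStructHash is SEQUENCE OF HashAlgAndValue, and HashAlgAndValue is itself
# a SEQUENCE: SEQWRAP supplies the outer SEQUENCE missing from the question.
refStructHash = SEQWRAP,SEQUENCE:hash_alg_and_value
refStructURI  = SEQWRAP,IA5STRING:http://some.valid.url.here

[hash_alg_and_value]
hashAlg   = SEQUENCE:logo_algid
# 20-byte SHA-1 of the LTD file. Placeholder value; replace with the real digest.
hashValue = FORMAT:HEX,OCTETSTRING:0000000000000000000000000000000000000000

[logo_algid]
algorithm = OID:sha1
# Newer specs omit the NULL parameter for SHA-1; decoders accept either form,
# so this line may be dropped.
parameter = NULL
```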
______________________________________________________________________
OpenSSL Project http://www.openssl.org