Hi Steve: Please see reply inline.
On 2010-11-23, at 2:41 PM, Dr. Stephen Henson wrote:
> On Mon, Nov 22, 2010, Patrick Patterson wrote:
>>
>> I believe that an indirect issuerLogo SHOULD be encoded in openssl.cnf as:
>>
>> [extra_extensions]
>> 1.3.6.1.5.5.7.1.12 = ASN1:SEQUENCE:logotype_ext
>>
>> [logotype_ext]
>> issuerLogo=EXPLICIT:1,SEQUENCE:logotype_indirect
>>
>> [logotype_indirect]
>> refStructHash=SEQUENCE:HashAlgAndValue
>> refStructURI=SEQWRAP,IA5STRING:http://some.valid.url.here
>>
>> [HashAlgAndValue]
>> hashAlg=SEQUENCE:logo_algid
>> hashValue=FORMAT:HEX,OCTETSTRING:ebd6c473fe37a0f90f2c4c654bf4d4087ab45fc
>>
>> [logo_algid]
>> capabilityID = OID:sha1
>> parameter = NULL
>>
>> (and please ignore the fact that I've mangled the value of the sha1 sum)
>>
>> Should the above actually encode the extension correctly, or is there
>> something additional that I need to do for the CHOICE? The other thing to
>> know is if anyone knows whether, for implementation of 3709,
>> AlgorithmIdentifier parameters really should be NULL, or omitted.
>>
>
> For something that complex I'd normally code up a test module to check it was
> parsed correctly and ideally have a few examples as well.
>
> I can see at least two problems with the encoding above.
>
> You have the outer explicitly tagged issuerLogo field but you haven't tagged
> the choice option logotype_indirect which needs an implicit tag (taken from
> RFC3709 definition).
>

Ok - what would the syntax of that be? I don't think that I can do:

[logotype_ext]
issuerLogo=EXPLICIT:1,EXPLICIT:1, SEQUENCE:logotype_indirect

Can I?

> Also refstructHash is a SEQUENCE OF HashAlgAndValue and HashAlgAndValue is
> itself a SEQUENCE so you're missing a SEQUENCE tag there, since you've only
> one element a SEQWRAP should do fine.
>

Ok - so I guess that has to be done as:

[logotype_indirect]
refStructHash=SEQUENCE:HashAlgAndValueSeq
refStructURI=SEQWRAP,IA5STRING:http://some.valid.url.here

[HashAlgAndValueSeq]
seq=SEQWRAP:HashAlgAndValue

Correct?

> For SHA1 it is normal to omit the NULL in more modern specs but any decoder
> should tolerate a NULL or absent parameters.
>

Ok - thanks for the clarity here.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
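Steve's advice in the thread is to check an encoding this nested with a test rather than by eye. The following is an added example, not code from the thread or from OpenSSL: it builds the RFC 3709 issuerLogo/indirect structure with a few hand-written DER helpers and walks the tags back out, so the two points raised, the implicit [1] on the CHOICE alternative and the SEQUENCE OF wrapper around HashAlgAndValue, show up as concrete tag bytes; the digest and URI are constructed placeholders, and the `tag_choice=False` switch reproduces the untagged CHOICE from the first config for comparison.

```python
from hashlib import sha1

def der_len(n):                       # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):                   # one tag-length-value element
    return bytes([tag]) + der_len(len(body)) + body
def seq(*items):                      # universal SEQUENCE / SEQUENCE OF (tag 0x30)
    return tlv(0x30, b"".join(items))

SHA1_OID = bytes.fromhex("06052b0e03021a")  # OID 1.3.14.3.2.26 (sha1), already DER encoded
NULL = b"\x05\x00"                          # AlgorithmIdentifier parameters; may also be absent
def hash_alg_and_value(digest):
    # HashAlgAndValue ::= SEQUENCE { hashAlg AlgorithmIdentifier, hashValue OCTET STRING }
    return seq(seq(SHA1_OID, NULL), tlv(0x04, digest))
def logotype_reference(digest, uri):
    # LogotypeReference ::= SEQUENCE { refStructHash SEQUENCE OF HashAlgAndValue,
    #                                  refStructURI  SEQUENCE OF IA5String }
    return seq(seq(hash_alg_and_value(digest)), seq(tlv(0x16, uri.encode("ascii"))))

def logotype_extn_issuer_indirect(digest, uri, tag_choice=True):
    # LogotypeExtn ::= SEQUENCE { ..., issuerLogo [1] EXPLICIT LogotypeInfo OPTIONAL, ... }
    # LogotypeInfo ::= CHOICE { direct [0] LogotypeData, indirect [1] LogotypeReference }
    # The RFC 3709 module uses IMPLICIT TAGS, so [1] replaces the SEQUENCE tag of the reference.
    ref = logotype_reference(digest, uri)
    if tag_choice:
        ref = b"\xa1" + ref[1:]       # implicit [1]: 0x30 -> 0xA1, length and content unchanged
    return seq(tlv(0xA1, ref))        # explicit [1] wrapper, then the extension SEQUENCE

def split_tlv(data):                  # decode one element into (tag, body, remainder)
    first = data[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return data[0], data[hdr:hdr + length], data[hdr + length:]

def tag_chain(ext):
    """Tags met walking LogotypeExtn -> issuerLogo -> indirect -> refStructHash -> HashAlgAndValue."""
    chain, body = [], ext
    for _step in range(5):
        tag, body, _rest = split_tlv(body)
        chain.append(tag)
    return chain

if __name__ == "__main__":
    digest = sha1(b"constructed placeholder logo bytes").digest()  # stands in for the real logo hash
    uri = "http://logo.example.invalid/issuer.png"                 # constructed placeholder URI
    print("tagged CHOICE:  ", [hex(t) for t in tag_chain(logotype_extn_issuer_indirect(digest, uri))])
    print("untagged CHOICE:", [hex(t) for t in tag_chain(logotype_extn_issuer_indirect(digest, uri, False))])
```

A correct encoding walks 0x30, 0xA1, 0xA1, 0x30, 0x30; with the CHOICE left untagged the third element comes out as a bare 0x30, which is what an `openssl asn1parse` of the generated DER would also reveal.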