
Re: encoding an X.509 certificate



Tom Scavo wrote:
> I've asked the following question in a number of forums with no luck.
> I'm hoping someone with intimate knowledge of ASN.1 encodings can help
> me out here.  Many thanks in advance.
> 
> Currently there are three profiles before the OASIS Security Services
> Technical Committee (SSTC) that rely on XML elements of the form:
> 
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>  <ds:X509Data>
>    <ds:X509Certificate>
> MII...
>    </ds:X509Certificate>
>  </ds:X509Data>
> </ds:KeyInfo>
> 
> Interestingly, the above element has sparked a vigorous debate within
> the SSTC, which has since spread to the W3C XML Signature WG.  The
> issue involves the ASN.1 encoding of the underlying certificate (which
> is base64 encoded in the XML).  Specifically, should the certificate
> be DER-encoded or should the encoding be left unspecified?
> 
> So my question is:  If you were given an X.509 certificate of unknown
> encoding, could you determine the encoding by simply inspecting the
> bytes?  Does your favorite ASN.1 library support such a function?

Surely an X.509 certificate is, by definition, in DER?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
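
An added example, not part of the thread or of any library mentioned in it: a sketch of how the bytes of a base64-decoded certificate can be inspected for BER-only constructs. It checks only indefinite lengths, non-minimal lengths, constructed string types and BOOLEAN values, so an empty result does not prove the input is DER (SET OF ordering, DEFAULT values and minimal INTEGERs are not checked); all names and sample bytes are constructed for illustration.

```python
# Universal string-like types that DER requires to be primitive (BIT STRING, OCTET STRING, ...).
STRING_TAGS = {3, 4, 12, 18, 19, 20, 22, 23, 24, 25, 26, 27, 28, 30}

def _walk(data, pos, end, out, until_eoc=False):
    while pos < end:
        start, ident, pos = pos, data[pos], pos + 1
        if until_eoc and ident == 0 and data[pos:pos + 1] == b"\x00":
            return pos + 1                      # end-of-contents octets 00 00
        constructed, universal, tag = bool(ident & 0x20), ident < 0x40, ident & 0x1F
        if tag == 0x1F:                         # high-tag-number form: skip it
            while data[pos] & 0x80:
                pos += 1
            pos += 1
        first, pos = data[pos], pos + 1
        if first == 0x80:                       # BER indefinite-length form
            out.append((start, "indefinite length"))
            if not constructed:
                raise ValueError("indefinite length on primitive type")
            pos = _walk(data, pos, end, out, until_eoc=True)
            continue
        length = first
        if first > 0x80:                        # long form: next n octets hold the length
            n = first & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            if length < 0x80 or data[pos] == 0:
                out.append((start, "non-minimal length"))
            pos += n
        if pos + length > end:
            raise ValueError(f"truncated element at offset {start}")
        if universal and constructed and tag in STRING_TAGS:
            out.append((start, "constructed string type"))
        if universal and tag == 1 and length == 1 and data[pos] not in (0x00, 0xFF):
            out.append((start, "BOOLEAN TRUE not encoded as 0xFF"))
        if constructed:
            _walk(data, pos, pos + length, out)
        pos += length
    if until_eoc:
        raise ValueError("missing end-of-contents octets")
    return pos

def der_violations(data):
    """Return [(offset, reason)]; [] means none of the checked constructs was found."""
    out = []
    _walk(data, 0, len(data), out)
    return out

# Constructed samples: SEQUENCE { INTEGER 5, BOOLEAN TRUE } in DER and in two BER forms.
DER_SAMPLE = bytes.fromhex("30060201050101ff")
BER_INDEFINITE = bytes.fromhex("30800201050101010000")
BER_LONG_LEN = bytes.fromhex("3081060201050101ff")
```

A non-empty result shows the bytes are BER rather than DER; re-encoding such a certificate changes the bytes a signature was computed over, so the check should run on the decoded bytes as received.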