RE: DER encoding of KeyUsage BIT STRING
Hi Steve,
What I was referring to, was the fact that SSLeay/OpenSSL
does break up a structure into its component pieces and then
re-encode them to, for example verify signatures, etc.
I know I had encountered this behavior when somebody was
BER encoding their data for transmission (even though they
had signed the original DER encoding of the data).
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave. http://www.valicert.com
Mountain View, CA 94043
> -----Original Message-----
> From: Dr S N Henson [mailto:drh@xxxxxxxxxxx]
> Sent: Tuesday, March 06, 2001 3:11 PM
> To: ietf-pkix@xxxxxxx
> Subject: Re: DER encoding of KeyUsage BIT STRING
>
>
> Ambarish Malpani wrote:
> >
> > SSLeay/OpenSSL does that. Seems to work pretty well with most
> > things.
> >
>
> The way OpenSSL handles BIT STRINGs goes something like this...
>
> If the BIT STRING comes from decoding a BIT STRING then the encoded
> structure will precisely match the decoded one. This is primarily to
> avoid breaking signatures.
>
> If the BIT STRING is created internally then the number of unused bits
> is set appropriately according to the number of trailing zeroes.
>
> If the BIT STRING has certain flags set (which effectively mark it as
> unnamed) then the number of bits is set to zero.
>
> None of this however applies to certificate extensions because the
> actual encoding is wrapped in an OCTET STRING. The actual extension
> could contain completely unstructured garbage and it would still
> reencode properly.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: shenson@xxxxxxxxxxxxxxxxxxxxxxxxxxx
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: drh@xxxxxxxxxxx PGP key: via homepage.
>
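The rules Steve describes (unused-bit count derived from the trailing zero bits, and the decoded bytes re-encoding byte-for-byte) and the failure Ambarish mentions (BER-padded data that no longer matches its signed DER form once re-encoded) can be checked with a small encoder/decoder. The code below is an added example written for this archive page; it is not OpenSSL code and not part of the thread. It implements the X.690 named-bit-list rule for a KeyUsage BIT STRING with short-form lengths only; the padded BER sample input is constructed for the demonstration.

```python
# Added example: DER vs BER encoding of a KeyUsage BIT STRING (named bit list).
# Not OpenSSL code; written to illustrate the rules discussed in the thread.

# Bit positions from RFC 5280 KeyUsage.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def key_usage_bits(names):
    """Bit list (bit 0 first) for the given KeyUsage names, up to the highest set bit."""
    positions = [KEY_USAGE_BITS[n] for n in names]
    if not positions:
        return []
    bits = [0] * (max(positions) + 1)
    for p in positions:
        bits[p] = 1
    return bits


def encode_bit_string(bits, der=True, pad_to_bits=None):
    """Encode a BIT STRING TLV.

    der=True applies the DER rule for named bit lists (X.690 11.2.2): trailing
    zero bits are removed, so the unused-bits octet follows from the data.
    der=False mimics a BER producer that pads the value to pad_to_bits; BER
    permits this, DER does not.
    """
    bits = list(bits)
    if der:
        while bits and bits[-1] == 0:
            bits.pop()
    elif pad_to_bits is not None:
        bits += [0] * (pad_to_bits - len(bits))
    nbytes = (len(bits) + 7) // 8
    unused = nbytes * 8 - len(bits)          # 0..7, zero when there is no value octet
    value = bytearray(nbytes)
    for i, b in enumerate(bits):
        if b:
            value[i // 8] |= 0x80 >> (i % 8)  # bit 0 is the MSB of the first octet
    content = bytes([unused]) + bytes(value)
    if len(content) >= 128:
        raise ValueError("example supports short-form lengths only")
    return bytes([0x03, len(content)]) + content  # tag 0x03 = BIT STRING


def decode_bit_string(encoded):
    """Decode a BIT STRING TLV (short-form length) as loosely as BER allows.

    Returns the bit list; padding bits hidden by the unused-bits octet are dropped.
    """
    if len(encoded) < 3 or encoded[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = encoded[1]
    if length >= 128 or len(encoded) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused, value = encoded[2], encoded[3:]
    if unused > 7 or (not value and unused != 0):
        raise ValueError("invalid unused-bits count")
    nbits = len(value) * 8 - unused
    return [(value[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]


def is_canonical_der(encoded):
    """True only if decoding and DER re-encoding reproduce the input bytes exactly.

    This is the property a decode-then-re-encode signature verifier relies on:
    when it is False, re-encoding changes the bytes and a signature over the
    original encoding will not verify.
    """
    return encode_bit_string(decode_bit_string(encoded), der=True) == encoded


if __name__ == "__main__":
    ca = key_usage_bits(["keyCertSign", "cRLSign"])
    print("DER:", encode_bit_string(ca).hex())                                  # 03020106
    # Constructed BER sample: same bits padded to 16, which a BER producer may emit.
    padded = encode_bit_string(ca, der=False, pad_to_bits=16)
    print("BER:", padded.hex(), "re-encodes identically:", is_canonical_der(padded))
```

The DER encoder and the canonical check make the point concrete: `03 02 01 06` (keyCertSign + cRLSign) survives a decode/re-encode round trip, while the padded `03 03 00 06 00` carries the same key usage bits but does not, which is exactly the situation in which a signature computed over the sender's BER bytes fails to verify after normalisation.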