Re: Key Usage Extension Encoding
>I am canvassing opinion on how the key usage field should be encoded. I
>have heard some divergence of opinion which seems to be rooted in
>differing interpretations of the ASN encoding rules as well as the
>actual pkix usage. ASN rules state any unused bits are set to zero.
>There are now 9 bits defined in the key usage extension in pkix part 1
>v5. If I wanted to set digital signatures and key agreement (bit 0 and
>bit 4), what would the encoded bit string look like and how many bits
>are encoded to be in use 2 or 9?
>Thanks
>Dr Trevor Freeman
>Senior Consultant
>Microsoft Consulting Services
>Microsoft Ltd ECU
>Tel: UK(+44) 1734 270412
>Fax: UK(+44) 1734 270435
>
>
>
> I believe that DER requires that the BIT STRING contain (starting with the
>tag):
>
> 0x03020388
>
>where the '88' is bits 0 and 4 and the '03' arises because there are 3 bits at
>the end which are named but not set, i.e. not used.
>
>
>
I think this coding 03020388 is correct:
DER-Encoding of a "NamedBitString"
According to X.680, Chapter 19.7, the trailing bits which are
0 can be removed from the coding (and are not relevant anymore).
In X.690, Chapter 11.2.2 (DER-encoding):
the bitstring shall have all trailing 0 bits
removed before it is encoded.
It means the bitstring '10001' represents:
digitalSignature ON
nonRepudiation OFF
keyEncipherment OFF
dataEncipherment OFF
keyAgreement ON
keyCertSign OFF
cRLSign OFF
encipherOnly OFF
decipherOnly OFF
and it is the only correct DER-encoding for this.
Olivier.
+-----------------------------------------------------------+
| Olivier Onimus |
| Danet GmbH, Business Unit Telecommunications Technology |
| Gutenbergstrasse 10, D-64331 Weiterstadt, Germany |
| Tel: +49-6151-868-127 |
| Fax: +49-6151-868-264 |
| e-mail: onimus@danet.de |
+-----------------------------------------------------------+
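As an added illustration of the encoding discussed in this thread (example code, not from any of the posters), the following encoder and decoder apply the X.690 trailing-zero rule to the KeyUsage named BIT STRING and show that digitalSignature plus keyAgreement yields exactly 03 02 03 88 with five bits encoded. The bit names and numbers are the nine from PKIX part 1; the short-form length is assumed sufficient because the value never exceeds three octets.

```python
# Added example, not from the thread: DER encode/decode of the PKIX KeyUsage
# named BIT STRING, applying the X.690 11.2.2 rule that trailing zero bits are
# removed before encoding. Bit names and numbers are those of PKIX part 1.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def encode_key_usage(names):
    """Return the DER TLV (tag 0x03) of a KeyUsage BIT STRING for the named bits."""
    bits = {KEY_USAGE_BITS[n] for n in names}
    # Only bits up to the highest set one are encoded; trailing zeros are dropped.
    nbits = max(bits) + 1 if bits else 0
    nbytes = (nbits + 7) // 8
    content = bytearray(nbytes)
    for b in bits:
        content[b // 8] |= 0x80 >> (b % 8)   # ASN.1 bit 0 is the MSB of octet 0
    unused = nbytes * 8 - nbits               # first content octet: unused-bit count
    value = bytes([unused]) + bytes(content)
    return bytes([0x03, len(value)]) + value  # short-form length is enough here

def decode_key_usage(der):
    """Parse a DER KeyUsage TLV; return (set of names, number of encoded bits).

    Rejects encodings that keep trailing zero bits: valid BER, but not DER.
    """
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-length BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused != 0):
        raise ValueError("bad unused-bits octet")
    nbits = len(content) * 8 - unused
    # The last encoded bit must be 1, otherwise a trailing zero was kept.
    if content and ((content[-1] >> unused) & 1) == 0:
        raise ValueError("trailing zero bits present: not DER")
    names = {n for n, b in KEY_USAGE_BITS.items()
             if b < nbits and content[b // 8] & (0x80 >> (b % 8))}
    return names, nbits

if __name__ == "__main__":
    tlv = encode_key_usage(["digitalSignature", "keyAgreement"])
    print(tlv.hex(), decode_key_usage(tlv))   # 03020388 ({...}, 5)
```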