
RE: DER encoding of SET OF



All,

Getronics agrees with Bancroft Scott's statements in the enclosed
message exchange.  We will correct the Enhanced SNACC (eSNACC) ASN.1 C
and C++ libraries to implement the DER SET OF sorting rules as stated in
X.690 (and clarified by Bancroft's statements).  We will send a message
to this mail list as soon as the corrected eSNACC freeware is available.

Thank you all for your feedback.

===========================================
John Pawling, John.Pawling@xxxxxxxxxxxxxxxx
Getronics Government Solutions, LLC
===========================================
 


-----Original Message-----
From: Bancroft Scott [mailto:baos@xxxxxxx]
Sent: Tuesday, March 19, 2002 12:45 PM
To: imc-sfl@xxxxxxx
Cc: J.Larmouth@xxxxxxxxxxxxxxxxx
Subject: Re: DER encoding of SET OF



On Tue, 19 Mar 2002, Robert Colestock wrote:

> Manfred:
>
> You have been busy!
>
> Thank you for your thorough investigation.  I was not aware of the
> other packages using the older ASN.1 SET OF sorting rules.

There are no older ASN.1 (actually, DER) SET OF sorting rules.  In case my
memory is failing me, I checked X.690:1997, X.690:1994 and X.509 (from
which the X.690 DER is taken) and they all say the same thing.

> Rich (here) indicated that this SET OF sort rule was changed
> relatively recently; our SFL strictly uses the new rules, hence the
> broken verification.

There are no new rules.  I've been the editor for ASN.1 and its encoding
rules for a decade, until last year, and I am certain that we did not
change how SET OF is sorted for DER.

> After investigating our ASN.1 encoding of the signed attributes of this
> message, I believe the SFL encoding is correct.  The encoding difference
> is due to the ASN.1 DER encoding rule that states that the SEQUENCE OF
> must be numerically ordered.  The SFL ordering is correct, but in this
> case it may not be obvious why.  The DER rules indicate the ordering
> must be made on the data, not the outer tag and length.

No, you misunderstand.  X.690 clause 11.6 states:

   "The encodings of the component values of a set-of value shall appear
   in ascending order, the encodings being compared as octet strings ..."

Note that it speaks of the component values of the *set-of*.
The component values of the set-of are themselves all TLV pairs.

> Ignoring the tag and length, the 2nd and 3rd SEQUENCE items of the
> SignedAttrs are as follows (from original message not re-encoded
> results):
>
> ...
> 30 18 06 09 2A 86 48 86 F7 0D 01 09 03 31 0B 06 ...
> 30 1C 06 09 2A 86 48 86 F7 0D 01 09 05 31 0F 17 ...
> 30 23 06 09 2A 86 48 86 F7 0D 01 09 04 31 16 04 ...
> ...
>
> Our DER re-encoded results:
> ...
> 30 18 06 09 2A 86 48 86 F7 0D 01 09 03 31 0B 06 ...
> 30 23 06 09 2A 86 48 86 F7 0D 01 09 04 31 16 04 ...
> 30 1C 06 09 2A 86 48 86 F7 0D 01 09 05 31 0F 17 ...
>                                    ** <<< ORDERED VALUE >>>

The DER re-encoded results are incorrect.

-------------------------------------------------------------------------
Bancroft Scott                               Toll Free: 1-888-OSS-ASN1
OSS Nokalva                                  International: 1-732-302-0750
baos@xxxxxxx                                 Tech Support: 1-732-302-9669 x-1
1-732-302-9669 x-200                         Fax: 1-732-302-0023
http://www.oss.com
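The SET OF rule under discussion, as an added example that is not code from the thread, eSNACC or SFL: the three SignedAttrs attributes are rebuilt from the hex prefixes quoted above (the OIDs and outer lengths match the message; the inner attribute values are assumed), then ordered both ways. Comparing the complete TLV encodings as X.690 clause 11.6 requires reproduces the original message's order, while stripping tag and length first reproduces the re-encoded order that Bancroft calls incorrect.

```python
"""DER SET OF ordering (X.690 11.6) applied to the SignedAttrs from the thread.

Added example, not code from eSNACC, SFL or the thread.  The attribute TLVs
are constructed completions of the truncated hex in the message: the OIDs
and outer lengths (30 18, 30 1C, 30 23) match it, the inner values are assumed.
"""

def tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder for content lengths below 128 (enough here)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

# PKCS#9 attribute type OIDs 1.2.840.113549.1.9.{3,4,5}, as quoted in the thread
OID_CONTENT_TYPE   = tlv(0x06, bytes.fromhex("2A864886F70D010903"))
OID_MESSAGE_DIGEST = tlv(0x06, bytes.fromhex("2A864886F70D010904"))
OID_SIGNING_TIME   = tlv(0x06, bytes.fromhex("2A864886F70D010905"))

# Attribute ::= SEQUENCE { type OID, values SET OF ANY }; inner values assumed:
# contentType = id-data, signingTime = a UTCTime, messageDigest = 20 dummy bytes
ATTRS = [
    tlv(0x30, OID_CONTENT_TYPE + tlv(0x31, tlv(0x06, bytes.fromhex("2A864886F70D010701")))),
    tlv(0x30, OID_SIGNING_TIME + tlv(0x31, tlv(0x17, b"020319124500Z"))),
    tlv(0x30, OID_MESSAGE_DIGEST + tlv(0x31, tlv(0x04, bytes(range(20))))),
]

def der_set_of_order(encodings):
    """X.690 11.6: compare the complete encodings (tag, length AND value) as
    octet strings; shorter encodings are padded at the trailing end with 0-octets."""
    width = max(len(e) for e in encodings)
    return sorted(encodings, key=lambda e: e.ljust(width, b"\x00"))

def content_only_order(encodings):
    """The misreading from the thread: drop tag and length and compare only the
    contents octets.  Handles short- and long-form lengths so it runs on real data."""
    def contents(e):
        if e[1] < 0x80:                 # short form: one length octet
            return e[2:]
        return e[2 + (e[1] & 0x7F):]    # long form: skip the length octets
    width = max(len(e) for e in encodings)
    return sorted(encodings, key=lambda e: contents(e).ljust(width, b"\x00"))

def headers(encodings):
    """Tag and length of each TLV, e.g. '30 18', for display and checking."""
    return [e[:2].hex(" ").upper() for e in encodings]

if __name__ == "__main__":
    print("X.690 SET OF order:", headers(der_set_of_order(ATTRS)))
    print("content-only order:", headers(content_only_order(ATTRS)))
```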