Question
I'm trying to understand the ASN.1 format used in the CDP extension of an X.509 certificate.
When reading the cert from Google, I see this code related to it:
30 26 30 24 a0 22 a0 20 86 1e (url start)
According to http://rcardon.free.fr/websign/download/api-x509-ext/be/cardon/asn1/x509/extensions/CRLDistributionPoints.html and http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/asn1/structures/GeneralNames.html, the GeneralNames should be a SEQUENCE of GeneralName. Why is there an 86 directly, without another 30?
Thanks a lot.
Update: And, I know it may not be grammatically correct, but if there is only one DistributionPoint with one DistributionPointName-Url (*1), DistributionPointName-nameRelativeToCRLIssuer (*2), a reason with all 0 (*3), and 2 cRLIssuer-DNSName (*4 and *5), the packet should be:
30 len --DistributionPoint
a0 len --DistributionPointName for distributionPoint
a0 len --GeneralNames for fullName
86 len --IA5String for uniformResourceIdentifier
(*1) data here
a1 len --RelativeDistinguishedName for nameRelativeToCRLIssuer (edited)
(*2) data here
81 03 --Reason
07 00 00 --BITSTRING of Reason (*3)
a2 len --GeneralNames for cRLIssuer
82 len --IA5String for dNSName
(*4) data here
82 len --IA5String for dNSName
(*5) data here
Am I right?
Answer 1:
Have you tried to analyze the provided octets? You ask for a missing SEQUENCE, but do not ask for the extra a0 tag around the 86 tag. If you did, you could figure out what is going on.
The binary encoding of your CDP extension value looks ok. 0x86 is the general name CHOICE of the uniformResourceLocator field. If you split your binary string into pieces you will get the following mapping (assuming implicit tagging mode, as per RFC 5280):
- 30 26 -- maps to CRLDistributionPoints
- 30 24 -- maps to DistributionPoint
- a0 22 -- maps to DistributionPointName (it is an OPTIONAL field, thus uses implicit tagging)
- a0 20 -- maps to GeneralNames (it is a CHOICE value, thus uses implicit tagging)
- 86 1e -- maps to the uniformResourceIdentifier field of IA5String type. It is a CHOICE value, thus uses implicit tagging.
It seems you are confused with tags. The GeneralName type indeed is a SEQUENCE, but in the given context it is used within a CHOICE, so it is implicitly tagged: the SEQUENCE tag is replaced with the corresponding CONTEXT_SPECIFIC tag [0].
Update:
When an ASN module contains CHOICE, OPTIONAL, DEFAULT keywords, they use the CONTEXT_SPECIFIC class, which has base tag number 0x80. Selectors are specified in square brackets. In these cases, you do (when the module defaults to implicit tags, like in our case): CONTEXT_SPECIFIC class (0x80) + CONSTRUCTED BIT (0x32) from original type + Selector number in square brackets.
For example, optional SEQUENCE with selector 0 will result in 0x80 + 0x20 + 0 = 0xa0. CHOICE [6] IA5String will result in 0x80 + 0x0 (CONSTRUCTED bit is 0) + 0x6 = 0x86.
When the module defaults to explicit tags or there is an EXPLICIT keyword, then the original type is not changed (SEQUENCE remains SEQUENCE); instead it is encoded as a nested type inside a CONSTRUCTED CONTEXT_SPECIFIC tag.
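An added example (not code from the question or the answer) that builds the implicit-tagged CRLDistributionPoints value discussed above and walks it back, labelling each tag the way the answer's mapping does. The URL and the tag_byte/tlv/walk helpers are constructed for illustration.

```python
# Added example: encode a minimal CRLDistributionPoints value with implicit tagging
# (RFC 5280 style), then walk the DER back and label each tag. URL is constructed.

CONTEXT_SPECIFIC = 0x80   # tag class bits
CONSTRUCTED = 0x20        # set when the value contains nested TLVs

def tag_byte(number, constructed, cls=CONTEXT_SPECIFIC):
    """Identifier octet for a low-numbered tag (< 31): class | constructed | number."""
    assert 0 <= number < 31
    return cls | (CONSTRUCTED if constructed else 0) | number

def tlv(tag, content):
    """DER TLV using the short length form (content < 128 bytes, enough here)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def encode_cdp(url):
    """CRLDistributionPoints holding one DistributionPoint with one fullName URI."""
    uri = tlv(tag_byte(6, False), url.encode("ascii"))  # [6] IA5String, implicit -> 0x86
    full_name = tlv(tag_byte(0, True), uri)             # GeneralNames [0], implicit -> 0xa0
    dp_name = tlv(tag_byte(0, True), full_name)         # DistributionPointName [0] -> 0xa0
    dist_point = tlv(0x30, dp_name)                     # DistributionPoint is a plain SEQUENCE
    return tlv(0x30, dist_point)                        # CRLDistributionPoints SEQUENCE OF

LABELS = [  # tag expected at each nesting level, outermost first
    (0x30, "CRLDistributionPoints"),
    (0x30, "DistributionPoint"),
    (0xa0, "DistributionPointName [0] (OPTIONAL, implicit)"),
    (0xa0, "GeneralNames fullName [0] (CHOICE, implicit)"),
    (0x86, "uniformResourceIdentifier [6] IA5String (CHOICE, implicit)"),
]

def walk(der):
    """Descend the nested TLVs; return (tag, length, label) per level."""
    out, pos = [], 0
    for expected, label in LABELS:
        tag, length = der[pos], der[pos + 1]
        assert length < 128, "long-form length not handled in this example"
        if tag != expected:
            raise ValueError(f"offset {pos}: got {tag:#04x}, expected {expected:#04x} ({label})")
        out.append((tag, length, label))
        pos += 2  # step into this value's content
    return out

if __name__ == "__main__":
    der = encode_cdp("http://crl.example.test/ca.crl")  # constructed 30-byte URL
    print(der[:10].hex(" "))  # 30 26 30 24 a0 22 a0 20 86 1e
    for tag, length, label in walk(der):
        print(f"{tag:02x} {length:02x} -- {label}")
```

With the EXPLICIT tagging the answer's last paragraph describes, the inner 0x30 would stay and be wrapped in an a0 tag; this block shows only the implicit form that the certificate uses.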
Source: https://stackoverflow.com/questions/61817332/cdp-extension-asn-1-tag