CDP extension ASN.1 tag

Submitted by 我与影子孤独终老i on 2021-02-17 06:41:05

Question


I'm trying to understand the ASN.1 format used in the CDP extension in an X.509 certificate.

When reading the cert from Google, I see this related code:

30 26 30 24 a0 22 a0 20 86 1e (url start)

According to http://rcardon.free.fr/websign/download/api-x509-ext/be/cardon/asn1/x509/extensions/CRLDistributionPoints.html and http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/asn1/structures/GeneralNames.html, GeneralNames should be a SEQUENCE OF GeneralName. Why is there an 86 directly, without another 30?

Thanks a lot.

Update: And, I know it may not be correct grammar, but if there is only one DistributionPoint with one DistributionPointName-Url (*1), one DistributionPointName-nameRelativeToCRLIssuer (*2), a reason with all 0 (*3), and 2 cRLIssuer-DNSName entries (*4 and *5), the packet should be:

  30 len --DistributionPoint
    a0 len --DistributionPointName for distributionPoint
      a0 len --GeneralNames for fullName
        86 len --IA5String for uniformResourceIdentifier
        (*1) data here
      a1 len --RelativeDistinguishedName for nameRelativeToCRLIssuer  (edited)
        (*2) data here
    81 03 --Reason
      07 00 00 --BITSTRING of Reason (*3)
    a2 len --GeneralNames for cRLIssuer
      82 len --IA5String for dNSName
        (*4) data here
      82 len --IA5String for dNSName
        (*5) data here

Am I right?


Answer 1:


Have you tried to analyze the provided octets? You ask about the missing SEQUENCE, but do not ask about the extra a0 tag around the 86 tag. If you did, you could figure out what is going on.

The binary encoding of your CDP extension value looks ok. 0x86 is the GeneralName CHOICE for the uniformResourceLocator field. If you split your binary string into pieces, you will get the following mapping (assuming implicit tagging mode, as per RFC 5280):

  • 30 26 -- maps to CRLDistributionPoints
  • 30 24 -- maps to DistributionPoint
  • a0 22 -- maps to DistributionPointName (it is an OPTIONAL field, thus uses implicit tagging)
  • a0 20 -- maps to GeneralNames (it is a CHOICE value, thus uses implicit tagging)
  • 86 1e -- maps to the uniformResourceIdentifier field of IA5String type. It is a CHOICE value, thus uses implicit tagging.

It seems you are confused by tags. The GeneralName type is indeed a SEQUENCE, but in the given context it is used within a CHOICE, so it is implicitly tagged: the SEQUENCE tag is replaced with the corresponding CONTEXT_SPECIFIC tag [0].

Update:

When an ASN.1 module contains the CHOICE, OPTIONAL or DEFAULT keywords, they use the CONTEXT_SPECIFIC class, which has base tag number 0x80. Selectors are specified in square brackets. In these cases you do (when the module defaults to implicit tags, as in our case): CONTEXT_SPECIFIC class (0x80) + CONSTRUCTED bit (0x32) from the original type + selector number in square brackets.

For example, an optional SEQUENCE with selector 0 will result in 0x80 + 0x20 + 0 = 0xa0. CHOICE [6] IA5String will result in 0x80 + 0x0 (CONSTRUCTED bit is 0) + 0x6 = 0x86.

When the module defaults to explicit tags or there is an EXPLICIT keyword, the original type is not changed (SEQUENCE remains SEQUENCE); instead it is encoded as a nested type inside a CONSTRUCTED CONTEXT_SPECIFIC tag.
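The following is an added example, not code from the original question or the answer. It puts the answer's tag arithmetic (class 0x80 + constructed bit + selector) into a function, reads the ten octets the question quotes with a minimal DER TLV reader so that the nesting matches the answer's bullet list, and encodes a DistributionPoint shaped like the question's sketch (fullName URI, reasons, cRLIssuer with two dNSNames) with the same computed tags. The 30-byte URL completing the quoted octets, the DNS names and the ReasonFlags value are constructed sample data, not taken from Google's certificate. Since DistributionPointName is a CHOICE in RFC 5280, the encoder emits only the fullName alternative.

```python
# Added example, not code from the original question or answer: the answer's
# implicit-tag arithmetic, a minimal DER TLV reader run over the ten octets the
# question quotes, and an encoder for a DistributionPoint shaped like the
# question's sketch. URL, DNS names and reason bits are constructed sample data.
CONSTRUCTED = 0x20       # bit 6 of the identifier octet
CONTEXT_SPECIFIC = 0x80  # class bits of a [n] tag

def implicit_tag(selector, constructed):
    """IMPLICIT [selector] identifier octet (RFC 5280 defaults to IMPLICIT TAGS):
    class 0x80 + constructed bit of the replaced type + selector number."""
    return CONTEXT_SPECIFIC | (CONSTRUCTED if constructed else 0) | selector

def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    pos += 2
    if first & 0x80:          # long form: low 7 bits count the length octets
        n = first & 0x7F
        if n == 0 or n > 4:   # 0x80 is indefinite length, which DER forbids
            raise ValueError("invalid DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value's contents octets into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def walk(buf, depth=0, out=None):
    """List (depth, tag, length) for every TLV, descending into constructed ones."""
    out = [] if out is None else out
    for tag, v in children(buf):
        out.append((depth, tag, len(v)))
        if tag & CONSTRUCTED:
            walk(v, depth + 1, out)
    return out

def parse_crl_distribution_points(der):
    """Return fullName URIs, reasons and cRLIssuer dNSNames of each
    DistributionPoint, matching each tag against its expected implicit tag."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one outer SEQUENCE (CRLDistributionPoints)")
    points = []
    for dp_tag, dp in children(seq):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        point = {"uris": [], "reasons": None, "issuer_dns": []}
        for tag, v in children(dp):
            if tag == implicit_tag(0, True):                      # [0] distributionPoint
                for name_tag, name in children(v):
                    if name_tag == implicit_tag(0, True):         # [0] fullName
                        for gn_tag, gn in children(name):
                            if gn_tag == implicit_tag(6, False):  # [6] uniformResourceIdentifier
                                point["uris"].append(gn.decode("ascii"))
                    # [1] nameRelativeToCRLIssuer is left undecoded here
            elif tag == implicit_tag(1, False):                   # [1] reasons, BIT STRING
                point["reasons"] = v
            elif tag == implicit_tag(2, True):                    # [2] cRLIssuer
                for gn_tag, gn in children(v):
                    if gn_tag == implicit_tag(2, False):          # [2] dNSName
                        point["issuer_dns"].append(gn.decode("ascii"))
        points.append(point)
    return points

def tlv(tag, value):
    """DER-encode one TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_distribution_point(uri, reason_bits, issuer_dns):
    """One DistributionPoint shaped like the question's sketch: [0] fullName URI,
    [1] reasons, [2] cRLIssuer with dNSNames (tags computed, not hard-coded)."""
    full_name = tlv(implicit_tag(0, True), tlv(implicit_tag(6, False), uri.encode("ascii")))
    dp_name = tlv(implicit_tag(0, True), full_name)
    reasons = tlv(implicit_tag(1, False), reason_bits)
    issuer = b"".join(tlv(implicit_tag(2, False), d.encode("ascii")) for d in issuer_dns)
    return tlv(0x30, dp_name + reasons + tlv(implicit_tag(2, True), issuer))

# The ten octets quoted in the question plus a constructed 30-byte URL (0x1e),
# so the nested lengths 0x26/0x24/0x22/0x20 close exactly.
SAMPLE_CDP = bytes.fromhex("30263024a022a020861e") + b"http://crl.example.com/ex1.crl"
# Constructed ReasonFlags for the encoder: keyCompromise(1) and cACompromise(2)
# set, so 5 unused bits followed by 0x60.
SAMPLE_REASONS = b"\x05\x60"
```

`walk(SAMPLE_CDP)` yields the five (depth, tag, length) rows of the answer's bullet list, 30/38, 30/36, a0/34, a0/32, 86/30, and `parse_crl_distribution_points(SAMPLE_CDP)` returns the one URI. Running `walk` over `build_distribution_point(...)` shows the sketch's tag sequence 30, a0, a0, 86, 81, a2, 82, 82, and feeding the result back through the parser round-trips the URI, reasons and both dNSNames. The reader rejects truncated input and the indefinite-length form, which is the check a production parser of untrusted certificates must make before trusting any length it reads.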



Source: https://stackoverflow.com/questions/61817332/cdp-extension-asn-1-tag
