[Cryptography] Is ASN.1 still the thing?

Tero Kivinen kivinen at kivinen.iki.fi
Wed Nov 15 22:22:09 EST 2017


Carl Wallace writes:
> You do not have to decode and re-encode. You can parse enough to verify
> the signature then continue parsing the TBSCertificate structure. I tend
> to doubt many implementations re-encode because that will fail too often
> if you try that approach. I am curious, has anyone ever seen a certificate
> that was presented with a BER encoded TBSCertificate structure that
> required DER re-encoding to verify? I have not, but I have seen structures
> that will not verify if you re-encode.

I have seen them in the anx Santa Barbara IPsec interop in 1999. There
was CA vendor who was using LDAP server that decided to convert all
ASN.1 DER encoded objects to BER using indefinate form of lengths when
serving them out from the LDAP directory, thus if vendor used LDAP to
fetch his certificate they were not DER encoded. This included
sequences for public key and extensions in addition to first two
sequences. 

Haven't seen them since, and our certificate library did not cope with
them then (and I think the library might not cope with them even now,
but I am not sure). 
-- 
kivinen at iki.fi


More information about the cryptography mailing list