ASN.1 questions

Lon Willett <>
Thu Oct 26 19:07:28 CEST 2000


At 13:59 25/10/00, Kenneth Lundin wrote:
>"Victor M. Gulias" wrote:

 [snip]

>> Also, the ASN.1 compiler uses per and ber to code the types. What
>> about *der* encoding?
>DER is the same as BER but with some restrictions. The
>Erlang/ASN.1 compiler does not follow the DER rules 100% but
>I don't think it matters in practical use.
>
>DER puts restrictions on:
>
>Length forms (always use definite length) , ok
>String encoding, ok
>Set components, no not always
>Boolean TRUE with all eigth bits set, yes
>Unused bits in BIT STRING, yes
>Real values, no we hardly support them at all
>GeneralString values, no 
>Set and Sequence components with default value, no not always
>GeneralizedTime, no
>UTCTime, no
>
>For all practical uses that I have seen so far the "no's" in the list
>are not important. But if someone can show practical examples where
>it is important please show me and I will implement 100% DER.

Coming from the PKI world, I'll point out that the X.500/X.509 does require a bit more in the way of DER encoding.  I was thinking about maybe hacking it in myself, but I'm a relative new-comer to Erlang, and haven't yet had a chance to really get into the gory details of the language or the ASN.1 support.

To be more specific about what would be useful for X.509 PKI support, and note a few other things about DER:

Length encoding  -- the restrictions are a bit stronger than what you stated.  IIRC, it boils down to having to use the shortest possible encoding of the length (which may be what you are already doing; I haven't checked).

UTCTime and GeneralizedTime -- used frequently, and often done wrong (a common source of bugs).

SET OF -- used in a couple of places, but the main one of concern is that X.500 names are basically a SEQUENCE OF SET OF AttributeValueAssertion.  Usually, the set has only a single element, so there is no problem, but it is not unknown for it to have more.

enumerated BIT STRING -- this is distinct from a definite length BIT STRING in that _all_ trailing zero bits should be stripped, whether they are defined or not.  This is widely used.

defaulted component values -- this is used, but can be worked around by defining them as optional instead, and then removing/filling-in the default outside of the en/de-coder.

If I get the time to play with this, I'll be sure to check with you first, so we don't duplicate each others work.  But I probably won't have the time this month anyway.  )-:

Cheers,

Lon Willett



>/Regards Kenneth
>> 
>> Regards,
>> 
>> --
>> Victor M. Gulias




More information about the erlang-questions mailing list