X.509: Add missing IMPLICIT annotations to AKID ASN.1 module
The ASN.1 module in RFC 5280 appendix A.1 uses EXPLICIT TAGS whereas the one in appendix A.2 uses IMPLICIT TAGS. The kernel's simplified asn1_compiler.c always uses EXPLICIT TAGS, hence definitions from appendix A.2 need to be annotated as IMPLICIT for the compiler to generate RFC-compliant code. In particular, GeneralName is defined in appendix A.2: GeneralName ::= CHOICE { otherName [0] OtherName, ... dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ... } Because appendix A.2 uses IMPLICIT TAGS, the IA5String tag (0x16) of a dNSName is not rendered. Instead, the string directly succeeds the [2] tag (0x82). Likewise, the SEQUENCE tag (0x30) of an OtherName is not rendered. Instead, only the constituents of the SEQUENCE are rendered: An OID tag (0x06), a [0] tag (0xa0) and an ANY tag. That's three consecutive tags instead of a single encompassing tag. The situation is different for x400Address and directoryName choices: They reference ORAddress and Name, which are defined in appendix A.1, therefore use EXPLICIT TAGS. The AKID ASN.1 module is missing several IMPLICIT annotations, hence isn't RFC-compliant. In the unlikely event that an AKID contains other elements beside a directoryName, users may see parse errors. Add the missing annotations but do not tag this commit for stable as I am not aware of any issue reports. Fixes are only eligible for stable if they're "obviously correct" and with ASN.1 there's no such thing. Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
parent
200a98797b
commit
a1e452026e
@ -14,15 +14,15 @@ CertificateSerialNumber ::= INTEGER ({ x509_akid_note_serial })
|
|||||||
GeneralNames ::= SEQUENCE OF GeneralName
|
GeneralNames ::= SEQUENCE OF GeneralName
|
||||||
|
|
||||||
GeneralName ::= CHOICE {
|
GeneralName ::= CHOICE {
|
||||||
otherName [0] ANY,
|
otherName [0] IMPLICIT OtherName,
|
||||||
rfc822Name [1] IA5String,
|
rfc822Name [1] IMPLICIT IA5String,
|
||||||
dNSName [2] IA5String,
|
dNSName [2] IMPLICIT IA5String,
|
||||||
x400Address [3] ANY,
|
x400Address [3] ANY,
|
||||||
directoryName [4] Name ({ x509_akid_note_name }),
|
directoryName [4] Name ({ x509_akid_note_name }),
|
||||||
ediPartyName [5] ANY,
|
ediPartyName [5] IMPLICIT EDIPartyName,
|
||||||
uniformResourceIdentifier [6] IA5String,
|
uniformResourceIdentifier [6] IMPLICIT IA5String,
|
||||||
iPAddress [7] OCTET STRING,
|
iPAddress [7] IMPLICIT OCTET STRING,
|
||||||
registeredID [8] OBJECT IDENTIFIER
|
registeredID [8] IMPLICIT OBJECT IDENTIFIER
|
||||||
}
|
}
|
||||||
|
|
||||||
Name ::= SEQUENCE OF RelativeDistinguishedName
|
Name ::= SEQUENCE OF RelativeDistinguishedName
|
||||||
@ -33,3 +33,13 @@ AttributeValueAssertion ::= SEQUENCE {
|
|||||||
attributeType OBJECT IDENTIFIER ({ x509_note_OID }),
|
attributeType OBJECT IDENTIFIER ({ x509_note_OID }),
|
||||||
attributeValue ANY ({ x509_extract_name_segment })
|
attributeValue ANY ({ x509_extract_name_segment })
|
||||||
}
|
}
|
||||||
|
|
||||||
|
OtherName ::= SEQUENCE {
|
||||||
|
type-id OBJECT IDENTIFIER,
|
||||||
|
value [0] ANY
|
||||||
|
}
|
||||||
|
|
||||||
|
EDIPartyName ::= SEQUENCE {
|
||||||
|
nameAssigner [0] ANY OPTIONAL,
|
||||||
|
partyName [1] ANY
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user