Bit Strings
So far, DER is pretty straightforward, and everything except bit strings, sequences and sets has been covered. Bit strings are just like strings, with one minor difference. Their type is 3 to distinguish them from printable strings, but the encoding is exactly the same: tag, length, contents. The only difference between bit strings and character strings is that bit strings don't necessarily have to end on an eight-bit boundary, so they have an extra byte to indicate how much padding was included. In practice, this is always 0 because all useful bit patterns are eight-bit aligned anyway.
However, as you recall from the discussion of public key algorithms and signature values, bit strings contain nested ASN.1 structures. All the examples of DER-encoded values examined so far have been able to get away with representing their length with a single byte, but a nested ASN.1 structure is bound to be larger than this. So how are lengths greater than 255 represented?
Actually, a single length byte can only represent lengths up to 127. The high-order bit is reserved. If it's 1, then the low-order seven bits represent not the length of the value, but the length of the length — that is, how many of the following bytes encode the length of the value that comes after them. So, if a bit string is 512 bytes long, the DER-encoded representation looks like Table 5-5:
Table 5-5: ASN.1 Encoding of Long Values

TAG NUMBER | NUMBER OF LENGTH BYTES | ACTUAL LENGTH VALUE | BITS OF PADDING | VALUE
03         | 83                     | 02 00 00            | 00              | (512 bytes of value)
Technically, a value doesn't have to be a bit string to have a length greater
than 127; integers, strings, and OIDs could, at least in theory. In practice, though,
this never happens.
Sequences and Sets: Grouping and Nesting ASN.1 Values
So, you're almost ready to start encoding an entire X.509 certificate. There are two missing pieces, though. Notice that there are several sequences nested inside other sequences, and sets nested inside sequences (and sequences nested inside sets...). Sets and sequences are what ASN.1 calls a constructed type — that is, a type containing other types. Technically, they're encoded the same way other values are. They start with a tag, are followed by a variable number of length bytes, and are then followed by their contents. However, for constructed types, the contents themselves are further ASN.1-encoded tags. Sequences are identified by tag 0x30, and sets are identified by tag 0x31. Any tag value whose sixth bit is 1 is a constructed tag and the parser must recognize that it contains additional ASN.1-encoded data.
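The length rules from the bit-string discussion and the constructed-tag rule just described, combined in a small DER walker. This is an added example and not code from the book; the function names, the minimal-length checks (DER forbids non-shortest length forms) and the sample bytes are my own constructions.

```python
# Added example: a minimal DER TLV walker covering short- and long-form
# lengths, the BIT STRING padding byte, and recursion into constructed tags.

def decode_length(buf: bytes, pos: int):
    """Return (length, position after the length bytes).
    High bit clear: the byte is the length. High bit set: low seven bits
    give how many following bytes hold the length (big-endian)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:            # 0x80 = indefinite form: BER only, not DER
        raise ValueError("indefinite or oversized length is not DER")
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    # DER requires the shortest encoding: long form only for >= 128,
    # and no leading zero length bytes.
    if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
        raise ValueError("non-minimal length encoding")
    return length, pos + 1 + nbytes

def encode_length(n: int) -> bytes:
    """Shortest DER length encoding for n (inverse of decode_length)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def parse(buf: bytes, pos: int = 0, end=None, depth: int = 0):
    """Return a flat list of (depth, tag, content), descending into any tag
    whose sixth bit (0x20) is set. BIT STRING content is (pad_bits, data)."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        tag = buf[pos]
        length, pos = decode_length(buf, pos + 1)
        if pos + length > end:                # element must fit in its container
            raise ValueError("length runs past enclosing element")
        content = buf[pos:pos + length]
        if tag & 0x20:                        # constructed: SEQUENCE 0x30, SET 0x31, ...
            out.append((depth, tag, None))
            out.extend(parse(buf, pos, pos + length, depth + 1))
        elif tag == 0x03:                     # BIT STRING: first byte counts pad bits
            if not content or content[0] > 7:
                raise ValueError("bad BIT STRING padding byte")
            out.append((depth, tag, (content[0], content[1:])))
        else:
            out.append((depth, tag, content))
        pos += length
    return out

# Constructed sample: SEQUENCE { INTEGER 5, BIT STRING (0 pad bits) A5 }
SAMPLE = bytes.fromhex("3007 020105 030200a5")
```

When a bit string wraps another ASN.1 structure, as public keys and signatures do, the `data` half of its content can be handed straight back to `parse()`.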