Creating a Network of Trust Using X.509 Certifi cates - Implementing SSL/TLS Using Cryptography and PKI

Cryptography Reference

In-Depth Information

issuer = ( struct asn1struct * ) signatureAlgorithmIdentifier->next;

validity = ( struct asn1struct * ) issuer->next;

subject = ( struct asn1struct * ) validity->next;

publicKeyInfo = ( struct asn1struct * ) subject->next;

extensions = ( struct asn1struct * ) publicKeyInfo->next;

if ( parse_huge( &target->serialNumber, serialNumber ) ) { return 2; }

if ( parse_algorithm_identifier( &target->signature,

signatureAlgorithmIdentifier ) )

{ return 3; }

if ( parse_name( &target->issuer, issuer ) ) { return 4; }

if ( parse_validity( &target->validity, validity ) ) { return 5; }

if ( parse_name( &target->subject, subject ) ) { return 6; }

if ( parse_public_key_info( &target->subjectPublicKeyInfo, publicKeyInfo ) )

{ return 7; }

if ( extensions )

{

if ( parse_extensions( target, extensions ) ) { return 8; }

}

return 0;

}

The only thing that makes the tbsCertificate structure tricky to parse is

the version number. The original designers of the X.509 structure didn't see fi t

to include a version number in it, so the version was added later on, necessitat-

ing an explicit tag as discussed previously. So, if the tag class of the fi rst node

is context-specifi c and the tag is explicit tag 0, it must be the version number

and the serial number follows as the next element. Otherwise, the version of the

certifi cate is 1 and the serial number is the fi rst element. To mix things up just

a bit more, the version number, if present, is contained within the explicit tag,

so you need to look for the fi rst child of the explicit tag. Almost all certifi cates

you fi nd on the public Internet these days include a version tag, but you must

be prepared to deal with a very, very old one.

Also, version 1 is identifi ed by the number 0, version 2 by the number 1, and

version 3 by the number 2. I think they're just messing with your head.

Whether a version number was supplied or not, the next element is the serial

number. Go ahead and parse this into a huge structure as shown in Listing 5-15,

although it is just treated as a byte array; you won't be performing any huge

math on it.

Listing 5-15: “x509.c” parse_huge

static int parse_huge( huge *target, struct asn1struct *source )

{

target->sign = 0;

target->size = source->length;

target->rep = ( char * ) malloc( target->size );

(Continued)

Implementing SSL/TLS Using Cryptography and PKI

Search WWH ::

Custom Search

Home