Cryptography Reference
In-Depth Information
parse_huge( target->rsa_public_key.exponent, public_key_value.children->next );
// This is important. Most times, the response includes a trailing 0 byte
// to stop implementations from interpreting it as a twos-complement
// negative number. However, in this implementation, this causes the
// results to be the wrong size, so they need to be contracted.
contract( target->rsa_public_key.modulus );
contract( target->rsa_public_key.exponent );
}
else
{
fprintf( stderr, “Error; unsupported OID in public key info.\n” );
return 7;
}
asn1free( &public_key_value );
return 0;
}
The only potential surprise in this routine is the “skip over the 0 byte” part.
What's the 0 byte? Well, the subject public key is declared as an ASN.1 bit string.
The DER encoding of a bit string starts with a length — just like any other
ASN.1 value — but a bit string can be any length; it doesn't necessarily need
to be a multiple of eight bits. Because DER encoding requires that the result
be normalized to eight-bit octets, the fi rst byte of any bit string following the
length is the amount of padding bits that were added to the bit string to pad it
up to a multiple of eight. In the case of an RSA public key, the result is always
a multiple of eight, so this byte is always 0.
NOTE
Technically, you really ought to verify that this is the case, but, practi-
cally speaking, you never see a public key value that's not a multiple of eight
bits. If you actually fi nd an example “in the wild” that contradicts this code, I'd
like to know about it.
Parsing Certifi cate Extensions
Optionally, and only if the version of the certifi cate is greater than or equal to
three, the public key information can be followed by a sequence of extensions.
Practically speaking, all certifi cates that you come across on today's Internet
include extensions; RFC 2459 dedicates 19 pages to describing a subset of the
available X.509 certifi cate extensions. Although many of them are important,
I'm just showing you how to deal with extensions in general and focus on
one — perhaps the most important one: the
key usage
extension that enables the
receiver to determine if the certifi cate is allowed to sign other certifi cates or not.
First, if extensions are present, loop through them as in Listing 5-20.
Search WWH ::
Custom Search