Commit a1e45202 authored by Lukas Wunner's avatar Lukas Wunner Committed by Herbert Xu

X.509: Add missing IMPLICIT annotations to AKID ASN.1 module

The ASN.1 module in RFC 5280 appendix A.1 uses EXPLICIT TAGS whereas the
one in appendix A.2 uses IMPLICIT TAGS.

The kernel's simplified asn1_compiler.c always uses EXPLICIT TAGS, hence
definitions from appendix A.2 need to be annotated as IMPLICIT for the
compiler to generate RFC-compliant code.

In particular, GeneralName is defined in appendix A.2:

GeneralName ::= CHOICE {
        otherName                       [0] OtherName,
        ...
        dNSName                         [2] IA5String,
        x400Address                     [3] ORAddress,
        directoryName                   [4] Name,
        ...
        }

Because appendix A.2 uses IMPLICIT TAGS, the IA5String tag (0x16) of a
dNSName is not rendered.  Instead, the string directly succeeds the
[2] tag (0x82).

Likewise, the SEQUENCE tag (0x30) of an OtherName is not rendered.
Instead, only the constituents of the SEQUENCE are rendered:  An OID tag
(0x06), a [0] tag (0xa0) and an ANY tag.  That's three consecutive tags
instead of a single encompassing tag.

The situation is different for x400Address and directoryName choices:
They reference ORAddress and Name, which are defined in appendix A.1,
therefore use EXPLICIT TAGS.

The AKID ASN.1 module is missing several IMPLICIT annotations, hence
isn't RFC-compliant.  In the unlikely event that an AKID contains other
elements beside a directoryName, users may see parse errors.

Add the missing annotations but do not tag this commit for stable as I
am not aware of any issue reports.  Fixes are only eligible for stable
if they're "obviously correct" and with ASN.1 there's no such thing.
Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 200a9879
...@@ -14,15 +14,15 @@ CertificateSerialNumber ::= INTEGER ({ x509_akid_note_serial }) ...@@ -14,15 +14,15 @@ CertificateSerialNumber ::= INTEGER ({ x509_akid_note_serial })
GeneralNames ::= SEQUENCE OF GeneralName GeneralNames ::= SEQUENCE OF GeneralName
GeneralName ::= CHOICE { GeneralName ::= CHOICE {
otherName [0] ANY, otherName [0] IMPLICIT OtherName,
rfc822Name [1] IA5String, rfc822Name [1] IMPLICIT IA5String,
dNSName [2] IA5String, dNSName [2] IMPLICIT IA5String,
x400Address [3] ANY, x400Address [3] ANY,
directoryName [4] Name ({ x509_akid_note_name }), directoryName [4] Name ({ x509_akid_note_name }),
ediPartyName [5] ANY, ediPartyName [5] IMPLICIT EDIPartyName,
uniformResourceIdentifier [6] IA5String, uniformResourceIdentifier [6] IMPLICIT IA5String,
iPAddress [7] OCTET STRING, iPAddress [7] IMPLICIT OCTET STRING,
registeredID [8] OBJECT IDENTIFIER registeredID [8] IMPLICIT OBJECT IDENTIFIER
} }
Name ::= SEQUENCE OF RelativeDistinguishedName Name ::= SEQUENCE OF RelativeDistinguishedName
...@@ -33,3 +33,13 @@ AttributeValueAssertion ::= SEQUENCE { ...@@ -33,3 +33,13 @@ AttributeValueAssertion ::= SEQUENCE {
attributeType OBJECT IDENTIFIER ({ x509_note_OID }), attributeType OBJECT IDENTIFIER ({ x509_note_OID }),
attributeValue ANY ({ x509_extract_name_segment }) attributeValue ANY ({ x509_extract_name_segment })
} }
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] ANY
}
EDIPartyName ::= SEQUENCE {
nameAssigner [0] ANY OPTIONAL,
partyName [1] ANY
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment