No, that's a misunderstanding (well, my English is not that great);
here is the complete OCSP request generated by OpenSSL (I'm not sure
about the version; I'm at work and tried it at home):
Offset| Len |LenByte|
======+======+=======+==============================================================
0| 102| 1| SEQUENCE :
2| 100| 1| SEQUENCE :
4| 77| 1| SEQUENCE :
6| 75| 1| SEQUENCE :
8| 73| 1| SEQUENCE :
10| 9| 1| SEQUENCE :
12| 5| 1| OBJECT IDENTIFIER : sha1 [1.3.14.3.2.26]
19| 0| 1| NULL :
21| 20| 1| OCTET STRING :
| | | C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0
43| 20| 1| OCTET STRING :
| | | 0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6
65| 16| 1| INTEGER :
| | | 4302AB26321D1C8AA2B54FEE5F8335A5
83| 19| 1| CONTEXT SPECIFIC (2) :
85| 17| 1| SEQUENCE :
87| 15| 1| SEQUENCE :
89| 9| 1| OBJECT IDENTIFIER : [1.3.6.1.5.5.7.48.1.2]
100| 2| 1| OCTET STRING :
102| 16| 1| OCTET STRING :
| | | 7F6B115E2A42DCE810F762B1E389A610
Here is RFC 2560:
OCSPRequest ::= SEQUENCE {
    tbsRequest          TBSRequest,
    optionalSignature   [0] EXPLICIT Signature OPTIONAL }

TBSRequest ::= SEQUENCE {
    version             [0] EXPLICIT Version DEFAULT v1,
    requestorName       [1] EXPLICIT GeneralName OPTIONAL,
    requestList         SEQUENCE OF Request,
    requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
So, as you can see: the CONTEXT SPECIFIC part is actually the
requestExtensions part.
But why is it context specific and not just the sequences?
Here is a full request I would have expected (well
Offset| Len |LenByte|
======+======+=======+==========================================================================================
0| 103| 1| SEQUENCE :
2| 101| 1| SEQUENCE :
4| 77| 1| SEQUENCE :
6| 75| 1| SEQUENCE :
8| 73| 1| SEQUENCE :
10| 9| 1| SEQUENCE :
12| 5| 1| OBJECT IDENTIFIER : sha1 [1.3.14.3.2.26]
19| 0| 1| NULL :
21| 20| 1| OCTET STRING :
| | | C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0
43| 20| 1| OCTET STRING :
| | | 0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6
65| 16| 1| INTEGER :
| | | 4302AB26321D1C8AA2B54FEE5F8335A5
83| 20| 1| SEQUENCE :
85| 18| 1| SEQUENCE :
87| 9| 1| OBJECT IDENTIFIER : [1.3.6.1.5.5.7.48.1.2]
98| 2| 1| OCTET STRING :
100| 16| 1| OCTET STRING :
| | | 9DB6697F527D504B82AC93070847A13C
Thanks.
Sascha
Dr. Stephen Henson wrote:
On Wed, Sep 07, 2005, Sascha Kiefer wrote:
Hi list,
openssl makes - for example: OCSP request with nonce - the
requestExtensions a "context specific" integer.
Why does it do this? I mean, it works, but is it mandatory?
Which version of OpenSSL are you using? Some of the older versions use raw
random data in the extnValue OCTET STRING which was what the spec seemed to
say and several implementations it interoped with did. So this "context
specific integer" might be the result of an attempt to parse random data.
Newer versions should use an OCTET STRING within the extnValue OCTET STRING
when it generates a nonce and use an exact copy of the received version when
it copies a nonce.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
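
Added example (not part of the original messages and not OpenSSL code): a small Python DER builder and reader showing that "requestExtensions [2] EXPLICIT Extensions" from the RFC 2560 text quoted above encodes as tag byte 0xA2, which a dump tool labels CONTEXT SPECIFIC (2), and that a reader locating the field by that tag finds nothing when a bare SEQUENCE is sent instead. The helper names are hypothetical, only short-form lengths are handled, and the nonce is wrapped as an OCTET STRING inside extnValue, as the quoted reply describes for newer versions.

```python
SEQ, OCTETS, INT, OID, NULL = 0x30, 0x04, 0x02, 0x06, 0x05
CTX2 = 0xA2  # context-specific class (0x80) | constructed (0x20) | tag number 2
SHA1_OID = bytes.fromhex("2b0e03021a")           # 1.3.14.3.2.26
NONCE_OID = bytes.fromhex("2b0601050507300102")  # 1.3.6.1.5.5.7.48.1.2
# Added example; field values copied from the dump in the message above.
NAME_HASH = bytes.fromhex("C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0")
KEY_HASH = bytes.fromhex("0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6")
SERIAL = bytes.fromhex("4302AB26321D1C8AA2B54FEE5F8335A5")
NONCE = bytes.fromhex("7F6B115E2A42DCE810F762B1E389A610")

def tlv(tag, *parts):
    body = b"".join(parts)
    if len(body) > 127:
        raise ValueError("long-form lengths are outside this short-form sketch")
    return bytes([tag, len(body)]) + body

def children(body):  # split DER content into (tag, content) pairs
    items, pos = [], 0
    while pos < len(body):
        head = body[pos:pos + 2]
        if len(head) < 2 or head[1] > 127 or pos + 2 + head[1] > len(body):
            raise ValueError("long-form or truncated element")
        items.append((head[0], body[pos + 2:pos + 2 + head[1]]))
        pos += 2 + head[1]
    return items

def describe(tag):  # label a tag byte the way the dump above does
    classes = ("UNIVERSAL", "APPLICATION", "CONTEXT SPECIFIC", "PRIVATE")
    name = {0x30: "SEQUENCE", 0x04: "OCTET STRING"}.get(tag)
    return name or f"{classes[tag >> 6]} ({tag & 0x1F})"

def build_request(nonce, explicit_tag=True):
    cert_id = tlv(SEQ, tlv(SEQ, tlv(OID, SHA1_OID), tlv(NULL)),
                  tlv(OCTETS, NAME_HASH), tlv(OCTETS, KEY_HASH), tlv(INT, SERIAL))
    exts = tlv(SEQ, tlv(SEQ, tlv(OID, NONCE_OID), tlv(OCTETS, tlv(OCTETS, nonce))))
    exts = tlv(CTX2, exts) if explicit_tag else exts  # [2] EXPLICIT Extensions
    return tlv(SEQ, tlv(SEQ, tlv(SEQ, tlv(SEQ, cert_id)), exts))

def tbs_fields(der):  # (tag, content) pairs directly inside TBSRequest
    return children(children(children(der)[0][1])[0][1])

def find_nonce(der):  # locate requestExtensions by its [2] tag
    for tag, content in tbs_fields(der):
        if tag == CTX2:
            for _, ext in children(children(content)[0][1]):
                fields = children(ext)
                if fields[0][1] == NONCE_OID:
                    return children(fields[-1][1])[0][1]
    return None
```

With the tag, the fields inside TBSRequest read SEQUENCE, CONTEXT SPECIFIC (2) and the nonce is recovered; without it they read SEQUENCE, SEQUENCE and find_nonce returns None.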