DER is a proper subset of BER. Thus, any BER decoder can also decode DER; DER simply removes the 'indefinite length' string forms and a couple of other forms from the acceptable vocabulary.
The reason for this is that all of the information necessary to make an X.509 certificate should already be processed, and thus there should be no need to create an indefinite-length string. This helps reduce the number of ways that a certificate creation process can go wrong -- and the number of valid bit combinations that a given signature could properly sign (thus reducing the number of ways that, for example, an MD5 preimage could compromise the system's security).

-Kyle H

On Sun, Apr 5, 2009 at 5:14 AM, Randy Turner <rtur...@amalfisystems.com> wrote:
>
> On Apr 2, 2009, at 2:22 PM, Dr. Stephen Henson wrote:
>
>> On Thu, Apr 02, 2009, Randy Turner wrote:
>>
>>>
>>> Hello list,
>>>
>>> Are the ASN.1 functions in OpenSSL "generic" enough to be used for other
>>> purposes besides reading/writing certificates?
>>>
>>
>> Yes.
>>
>>> I was curious if the ASN.1 code could encode/decode both BER and DER,
>>> generically, even if the source of the data is NOT associated with
>>> certificates. For instance, can these routines be used to encode/decode a
>>> CMS container. Since CMS is pretty close to PKCS#7, my assumption would be
>>> "yes". But taken to another extreme, could I use the ASN.1 library in
>>> OpenSSL to encode/decode Kerberos traffic, or SNMP traffic (BER), or other
>>> protocols encoded in BER/DER?
>>>
>>> Just curious how "reusable" the OpenSSL ASN.1 was, and if it's not "quite"
>>> as reusable as I am thinking about, is there a generic library available?
>>> I've tried using "asn1c", but this code seems to break when I feed it valid
>>> BER...
>>>
>>
>> OpenSSL supports CMS already. It should always decode BER correctly. DER is
>> output in most cases. The one exception is streaming encode currently used for
>> CMS and PKCS#7 in 1.0.0-beta and later only.
>
> The way that I interpret the above paragraph, I can use the OpenSSL ASN.1 code to
> decode BER and output DER. Can I "encode" BER and "decode" DER?
>
> Thanks!
> Randy
>
>
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> OpenSSL project core developer and freelance consultant.
>> Homepage: http://www.drh-consultancy.demon.co.uk
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-us...@openssl.org
>> Automated List Manager majord...@openssl.org
>>
>
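The subset relationship described in the reply above, as an added example (not code from the thread or from OpenSSL): a stand-alone C checker that classifies an encoding as DER, BER-only or malformed from its length octets, run on three constructed encodings of the same value. It checks only the definite, minimal-length rule, not DER's other restrictions, and handles single-byte tags only; all names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

enum { ENC_INVALID, ENC_BER_ONLY, ENC_DER };

/* Classify the TLV at p[0..n) by its length octets; single-byte tags only (example limit). */
static int classify(const unsigned char *p, size_t n, size_t *used) {
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return ENC_INVALID;
    int constructed = p[0] & 0x20, result = ENC_DER;
    size_t pos = 2, len = p[1], u = 0;
    if (p[1] == 0x80) {                          /* indefinite length: BER only */
        if (!constructed) return ENC_INVALID;
        for (; n - pos >= 2 && (p[pos] || p[pos + 1]); pos += u)   /* children until 00 00 */
            if (classify(p + pos, n - pos, &u) == ENC_INVALID) return ENC_INVALID;
        if (n - pos < 2) return ENC_INVALID;     /* end-of-contents octets missing */
        *used = pos + 2;
        return ENC_BER_ONLY;
    }
    if (p[1] & 0x80) {                           /* long form: k length octets follow */
        size_t k = p[1] & 0x7f;
        if (k > sizeof(size_t) || n - pos < k) return ENC_INVALID;
        if (p[pos] == 0) result = ENC_BER_ONLY;  /* leading zero octet */
        for (len = 0; k > 0; k--) len = (len << 8) | p[pos++];
        if (len < 0x80) result = ENC_BER_ONLY;   /* short form would have fit */
    }
    if (n - pos < len) return ENC_INVALID;       /* contents truncated */
    for (size_t off = 0; constructed && off < len; off += u) {
        int r = classify(p + pos + off, len - off, &u);
        if (r == ENC_INVALID) return ENC_INVALID;
        if (r < result) result = r;              /* a BER-only child makes the parent BER-only */
    }
    *used = pos + len;
    return result;
}

int enc_class(const unsigned char *buf, size_t n) {   /* buffer must be exactly one TLV */
    size_t used;
    int r = classify(buf, n, &used);
    return (r != ENC_INVALID && used == n) ? r : ENC_INVALID;
}

/* Constructed samples: SEQUENCE { OCTET STRING "hi" } encoded three ways. */
const unsigned char s_der[]   = {0x30, 0x04, 0x04, 0x02, 'h', 'i'};
const unsigned char s_long[]  = {0x30, 0x81, 0x04, 0x04, 0x02, 'h', 'i'};
const unsigned char s_indef[] = {0x30, 0x80, 0x04, 0x02, 'h', 'i', 0x00, 0x00};

int main(void) {
    printf("der=%d long=%d indef=%d\n", enc_class(s_der, sizeof s_der),
           enc_class(s_long, sizeof s_long), enc_class(s_indef, sizeof s_indef));
    return 0;
}
```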