
Re: CERT REQ payload Handling Clarification



"Suresh Singh K." wrote:
> 
> Hi ,
>      Please clarify the following issue for CERT REQ payload handling:
> 
>       As the encoding of a CA's DN into the CERT_REQ payload
> is done using BER, one should be able to encode it using DER only
> (as DER is a subset of BER), and the other end's BER decoding software
> should be able to decode the DER encoding.
>      For decoding, we cannot assume that the other end will always
> encode the CA's DN in DER only. He can encode using the other
> two BER encoding methods, in which case we should be able to
> decode any of the three encoding methods for BER, including DER.
> 
> 
> Thanks in advance,
> 
>        Suresh
> 

Suresh,

I'm not aware of any restriction on DER vs. BER in the CERTREQ payload,
but you're probably right that you can't assume the other end will
always send DER.  But that probably doesn't imply that you need to
re-encode to DER.

The most common case is that the sender has the CA certificate that
contains the DN which is then used to populate the CERTREQ payload.
In fact, I would guess that most implementations pull the DN directly
from the certificate (byte-for-byte).  It is likely that the CA used
DER when it generated that certificate, but it isn't a given.  Thus,
the encoding of the contents of the CERTREQ payload will depend on the
encoding method that the CA used.  This is probably a good thing
in most cases, as the recipient of the CERTREQ payload will (must?)
possess the CA certificate and will use the DN to find that certificate.
It is highly unlikely, if the DN in the certificate is not DER, that a
DER DN can be used as a key to look up that certificate.

-brian
briank@briank.com
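The lookup-key problem discussed above, as an added example that is not part of the original thread and not code from any IKE implementation: a peer that copies the DN bytes out of a certificate sends whatever length encoding the CA used, and a recipient that compares those bytes against its own stored DN misses the match when the two encodings differ. The toy parser below decodes any BER length form a DN might arrive in (short, long, non-minimal long, indefinite), re-encodes to DER, and compares the canonical forms. The tag constants, the `make_dn`/`ber_encode_loose` helpers and the sample DN are constructed for this illustration; the parser only understands the handful of tags a Name needs and is not a general ASN.1 library.

```python
# Added example, not from the thread: canonicalise a CA DN taken from a
# CERTREQ payload to DER before using it as a certificate lookup key.
SEQUENCE, SET, OID, PRINTABLE = 0x30, 0x31, 0x06, 0x13   # tags a Name uses
CONSTRUCTED = 0x20                                       # bit 6 of the tag


def _read_length(buf, pos):
    """Return (length, new_pos); length is None for BER indefinite form."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    n = first & 0x7F
    if n == 0:                             # 0x80: indefinite (BER only)
        return None, pos
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n   # long form


def ber_decode(buf, pos=0):
    """Decode one TLV at pos -> ((tag, value), new_pos).
    value is bytes for primitives, a list of child nodes for constructed."""
    tag = buf[pos]
    length, pos = _read_length(buf, pos + 1)
    if tag & CONSTRUCTED:
        children = []
        if length is None:                 # read until end-of-contents 00 00
            while buf[pos:pos + 2] != b"\x00\x00":
                child, pos = ber_decode(buf, pos)
                children.append(child)
            pos += 2
        else:
            end = pos + length
            while pos < end:
                child, pos = ber_decode(buf, pos)
                children.append(child)
        return (tag, children), pos
    return (tag, bytes(buf[pos:pos + length])), pos + length


def _der_length(n):
    """DER: shortest possible length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode(node):
    tag, value = node
    if tag & CONSTRUCTED:
        parts = [der_encode(c) for c in value]
        if tag == SET:                     # DER orders SET OF members by encoding
            parts.sort()
        value = b"".join(parts)
    return bytes([tag]) + _der_length(len(value)) + value


def canonical_dn(raw):
    """DER form of a Name that arrived in any BER encoding."""
    node, _ = ber_decode(raw)
    return der_encode(node)


def dn_matches(certreq_dn, stored_dn):
    """Compare two DNs after canonicalising both, not byte-for-byte."""
    return canonical_dn(certreq_dn) == canonical_dn(stored_dn)


# --- constructed sample input (hypothetical CA, one attribute per RDN) ---
def make_dn(*rdns):
    return (SEQUENCE, [(SET, [(SEQUENCE, [(OID, oid), (PRINTABLE, s.encode("ascii"))])])
                       for oid, s in rdns])


def ber_encode_loose(node):
    """Same tree as a permissive BER encoder might emit: indefinite length for
    constructed types, non-minimal long-form length for primitives."""
    tag, value = node
    if tag & CONSTRUCTED:
        body = b"".join(ber_encode_loose(c) for c in value)
        return bytes([tag, 0x80]) + body + b"\x00\x00"
    return bytes([tag, 0x81, len(value)]) + value


OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"          # 2.5.4.10, 2.5.4.3
CA_DN = make_dn((OID_O, "Example"), (OID_CN, "Example CA"))
DER_DN = der_encode(CA_DN)          # what a typical CA puts in the certificate
BER_DN = ber_encode_loose(CA_DN)    # what a BER-only peer could send in CERTREQ


def demo():
    return {
        "byte_for_byte_match": BER_DN == DER_DN,                # False
        "canonical_match": dn_matches(BER_DN, DER_DN),          # True
        "der_is_fixed_point": canonical_dn(DER_DN) == DER_DN,   # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice is the one the reply hints at: rather than requiring the sender to re-encode to DER, the recipient normalises whatever it receives and whatever it has stored to the same canonical form before the comparison, so a CA that emitted non-DER lengths does not break the lookup. A production implementation would canonicalise the full Name (string types and SET OF ordering with the complete X.690 rules) with a real ASN.1 library rather than this toy.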