[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on client auth

I agree that writing a DER dumper is not very hard. A DER encoder is
a complete pain in the butt.

This is because DER uses fixed length recursive encodings, before writing the 
first byte of the message it is necessary to analyse the entire message. 
Consider the structure :-

struct {
    integer	a
    struct {
	integer	b
	integer c

This is translated into tag - length value as follows

TAG-STRUCT length (struct length (a) + 
	length (struct + length (b) + length (c)))
    TAG-INTEGER length (a) a
    TAG-STRUCT length (struct + length (b) + length (c))
	TAG-INTEGER length (b) b
	TAG-INTEGER length (c) c

Ie to calculate the length of the outer wrapper one must first encode the inner 
content. This is a pain, it is impossible to do it with a linear traversal of 
the structure. 

Plus the length of length items is itself variable so its all a lot of hard 

I know that there are ASN.1 supporters but having written code myself and found 
the spec to be baddly thought out, the documentation baddly organised and the 
architecture needlessly complex I'm not amongst them.