[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: going back to stone axes

> From: frantz@netcom.com (Bill Frantz)
>  /* BTSOOM what CONSTRUCTED means */

nice acronym - I'll have to remember that one :-)

/* IDENTIFIER OCTET = Tag Class | Form of Encoding | Tag Number */

#define CLASS_MASK      0xc0    /* bits 8 and 7 */
#define UNIVERSAL       0x00    /* 0 = Universal (defined by ITU X.680) */
#define APPLICATION     0x40    /* 1 = Application */
#define CONTEXT         0x80    /* 2 = Context-specific */
#define PRIVATE         0xc0    /* 3 = Private */

#define FORM_MASK       0x20    /* bit 6 */
#define PRIMITIVE       0x00    /* 0 = primitive */
#define CONSTRUCTED     0x20    /* 1 = constructed */

> This code assumes that either: (1) All the data will be in memory, so the
> system which uses it should have a packet buffer whose length is greater
> than 0x7fffffff, or (2) The calling code will be willing to continue to
> fill a shorter buffer from the network while it is parsing *data.

... and Carl notes that the code exit()'s if length is greater than

That is exactly the point.  We are discussing using ASN.1 for certificate
handling, not MPEG video streams.  Just because ASN.1 allows a designer
to specify indefinite length structures, and BER allows them to be
transmitted, does not mean that ASN.1 software *for certificate purposes*
must be fully general, large, or baroque.

I submit that it is perfectly reasonable for an implementation to
barf (call an error routine, not exit!) if it receives something that
should be a certificate but has a length > 2^16 or 2^32.  The implementation
I'm familiar with uses 2048 byte slots to store certificates, more than
half of which is generally unused.  This is plenty small enough to allow
in-memory processing on any reasonable machine.

A previous poster questioned whether a "tiny subset" of ASN.1 would be
useful for anything.  Certainly it is - using only UNIVERSAL tags
and limiting lengths to something reasonable gets rid of 99.7% of the
code complexity without compromising the ability to do anything
desirable (short of MPEG logos :-) with ASN.1 format certificates.