On 2009-08-20 07:27 PDT, Brendan wrote:
> I am having trouble decoding a custom extension that I created using
> Openssl. I have created the templates for nss but I am receiving a
> "bad der" error number from the decoder. As far as I can tell the der
> is correct and can be parsed by openssl commands that show the
> structure is as expected.
>
> I have been looking at this for a while and think I have the template
> but feel like I am missing something obvious along the way. When I
> retrieve the extension from the cert, the raw asn.1 data appears
> correct but the associated length is off. When I pass this through the
> decoder it returns "bad der". If I increase the length "by hand" the
> decoder returns success but returns null values (presumably because it
> is going beyond the border of memory allocated for the raw extension
> data)
>
> I feel there is something fundamental I am missing here as regards
> memory allocation. Any ideas on these problems?

There's too much information missing here to be able to provide a
certain diagnosis. It would be useful to see the content (value) of
otherCertExt.len and the values of that number of bytes (in hex) at
otherCertExt.data, as returned by CERT_FindCertExtension.

But I noticed a few things. The arguments you passed to
SEC_ASN1DecoderStart appear to be wrong. You called it with a NULL
value for the arena pointer, instead of a valid arena pointer, and you
passed it the address of a pointer to the output structure, rather than
the address of the output structure, e.g. you passed

    SEC_ASN1DecoderStart(NULL, &parsedCertStructure, [...]

instead of

    SEC_ASN1DecoderStart(arena, parsedCertStructure, [...]

This will cause the value in the variable parsedCertStructure, which is
the pointer to the output structure, to get altered, which will have a
bad effect on the subsequent call to SEC_QuickDERDecodeItem.

Here are some additional thoughts. The three lines that call

    SEC_ASN1DecoderStart
    SEC_ASN1DecoderUpdate and
    SEC_ASN1DecoderFinish

are equivalent to a single call to the simpler

    SEC_ASN1DecodeItem

The function SEC_ASN1DecodeItem is equivalent to the function
SEC_QuickDERDecodeItem except that the former uses the older BER/DER
decoder and the latter uses the newer DER-only decoder.

If you decide to call SEC_ASN1DecodeItem, you should pass it exactly the
same arguments that you pass to SEC_QuickDERDecodeItem.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
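
The reply asks for the value of otherCertExt.len and the bytes at otherCertExt.data. One way to check such a pair offline, as an added example that is not part of the original message and not NSS code: compare the size declared in the outer DER header with the length the caller holds. The function name, result codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes for der_span_check (names are this example's own). */
enum { DER_OK = 0, DER_MALFORMED = -1, DER_TRUNCATED = 1, DER_TRAILING = 2 };

/* Constructed sample: SEQUENCE { INTEGER 5, UTF8String "hi" }, 9 bytes. */
static const unsigned char sample_ext[] =
    { 0x30, 0x07, 0x02, 0x01, 0x05, 0x0c, 0x02, 0x68, 0x69 };

/* Parse the outer tag/length header and compare the size it declares with
 * the caller's length (for example a SECItem's len field). *need receives
 * header + content size whenever the header itself could be parsed. */
int der_span_check(const unsigned char *data, size_t len, size_t *need)
{
    size_t hdr = 2, content = 0;
    *need = 0;
    if (data == NULL || len < 2)
        return DER_MALFORMED;
    if ((data[0] & 0x1f) == 0x1f)       /* multi-byte tag: not handled here */
        return DER_MALFORMED;
    if (data[1] < 0x80) {               /* short form: one length byte */
        content = data[1];
    } else {
        size_t n = data[1] & 0x7f;      /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || len < 2 + n)
            return DER_MALFORMED;       /* 0x80 is indefinite: BER, not DER */
        if (data[2] == 0)
            return DER_MALFORMED;       /* leading zero byte is not minimal */
        for (size_t i = 0; i < n; i++)
            content = (content << 8) | data[2 + i];
        if (content < 0x80)
            return DER_MALFORMED;       /* short form was required */
        hdr += n;
    }
    if (content > (size_t)-1 - hdr)
        return DER_MALFORMED;           /* declared size would overflow */
    *need = hdr + content;
    if (*need > len) return DER_TRUNCATED;  /* len too small for the data */
    if (*need < len) return DER_TRAILING;   /* bytes after the outer value */
    return DER_OK;
}

int main(void)
{
    size_t need;
    /* A len that is too small for the encoding shows up as DER_TRUNCATED. */
    int full = der_span_check(sample_ext, sizeof sample_ext, &need);
    int shrt = der_span_check(sample_ext, sizeof sample_ext - 2, &need);
    printf("full=%d short=%d need=%zu\n", full, shrt, need);
    return 0;
}
```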