Re: DER coding CRLDistributions points

[Andy Newton]

As a follow up (I could not include this in the same email due mailing list 
limitations), when I compare the output of my program with the output of 
another certificate which does render properly in OpenSSL, I see a missing 
sequence.

Here is my extension as seen by dumpasn1:

534   53:         SEQUENCE {
   <06 03>
536    3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
        :             (X.509 extension)
   <04 2E>
541   46:           OCTET STRING, encapsulates {
   <30 2C>
543   44:             SEQUENCE {
   <30 2A>
545   42:               SEQUENCE {
   <A0 28>
547   40:                 [0] {
   <86 26>
549   38:                   [6] 'rsync://rpki.arin.net/we-put-crls-here'
        :                   }
        :                 }
        :               }
        :             }
        :           }
        :         }

And here is the extension of the working cert as seen by dumpasn1:

923  128:         SEQUENCE {
   <06 03>
926    3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
        :             (X.509 extension)
   <04 79>
931  121:           OCTET STRING, encapsulates {
   <30 77>
933  119:             SEQUENCE {
   <30 75>
935  117:               SEQUENCE {
   <A0 73>
937  115:                 [0] {
   <A0 71>
939  113:                   [0] {
   <86 6F>
941  111:                     [6]
        :                   'rsync://llamaxp.arin.net:10873/certrepo/69/f58f3'
        :                   '2-62a7-418e-9d4d-10a5cde21cf3/1/z7IkhiTQCJViMu58'
        :                   'ltnGiAqTm98.crl'
        :                     }
        :                   }
        :                 }
        :               }
        :             }
        :           }

It seems I'm missing an extra sequence, but I cannot determine where. Also, if 
I am I don't know why libtasn1 is allowing me to code the DER without complaint.

Any help is appreciated.

-andy