Vitaly Chikunov <vt@xxxxxxxxxxxx> wrote: > > Regarding your comment (2), I am not sure I understand. Why do you say that > > the DER format cannot be parsed by the kernel's ASN.1 parser? For example, > > It can, but DER is stricter than BER. For example, in DER 'OCTET STRING' > length field should be encoded in just one byte if it's smaller than > 128, in BER it could be encoded in multiple encodings. This does not > seem like a big deal, though. With BER decoder an improperly DER-encoded > certificate could be successfully parsed. Whilst that is true, I don't think it's that big a deal. DER is a subset of BER, so a BER decoder ought to be able to parse it. Note that X.509 is supposed to be DER, but we use a BER decoder for that too. David
