From https://www.rfc-editor.org/rfc/rfc5280:

    SubjectAltName ::= GeneralNames

    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

    GeneralName ::= CHOICE {
         otherName                       [0]     AnotherName,
         rfc822Name                      [1]     IA5String,
         dNSName                         [2]     IA5String,
         x400Address                     [3]     ORAddress,
         directoryName                   [4]     Name,
         ediPartyName                    [5]     EDIPartyName,
         uniformResourceIdentifier       [6]     IA5String,
         iPAddress                       [7]     OCTET STRING,
         registeredID                    [8]     OBJECT IDENTIFIER }

In the wild I've encountered X.509 certificates where this extension is used. rfc822Name and dNSName entries are tagged with 0x81 and 0x82 (context-specific bit set plus type), but directoryName is tagged with 0xA4 (context-specific bit set plus constructed bit plus type = EXPLICIT), where Name is defined as...

    Name ::= CHOICE { -- only one possibility for now --
         rdnSequence  RDNSequence }

    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

    DistinguishedName ::= RDNSequence

    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

So my question is: if I'm implementing this ASN.1 structure, how do I know which of these elements are EXPLICIT and which are IMPLICIT?
My understanding is that EXPLICIT is the default and the spec in the RFC doesn't specify anything.
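
An added example, not part of the original post: a small DER walker that reports each GeneralName entry's identifier octet and, for directoryName, verifies that [4] wraps one complete inner TLV. It relies on two facts from the specifications: RFC 5280 defines GeneralName in its Appendix A.2 module, which is declared with IMPLICIT TAGS, and X.680 makes a tag applied to a CHOICE type (such as Name) explicit regardless of the module default. The function names and the sample bytes are constructed for illustration.

```python
# Added example: walk a DER GeneralNames value (definite lengths, tag numbers < 31).
GENERAL_NAME = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
                4: "directoryName", 5: "ediPartyName",
                6: "uniformResourceIdentifier", 7: "iPAddress", 8: "registeredID"}
EXPLICIT = {4}  # Name is a CHOICE, so [4] wraps a complete inner TLV

def read_tlv(buf, off):
    """Return (identifier octet, content bytes, offset just past this TLV)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    ident, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return ident, buf[off:off + length], off + length

def classify_general_names(der):
    """Return (name, identifier, tagging, inner identifier or None) per entry."""
    ident, body, end = read_tlv(der, 0)
    if ident != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out, off = [], 0
    while off < len(body):
        ident, content, off = read_tlv(body, off)
        number = ident & 0x1F
        if ident & 0xC0 != 0x80 or number not in GENERAL_NAME:
            raise ValueError(f"unexpected identifier {ident:#04x}")
        inner = None
        if number in EXPLICIT:
            if not ident & 0x20:
                raise ValueError("explicit tag must be constructed")
            inner, _, inner_end = read_tlv(content, 0)
            if inner_end != len(content):
                raise ValueError("trailing bytes inside explicit wrapper")
        out.append((GENERAL_NAME[number], ident,
                    "explicit" if number in EXPLICIT else "implicit", inner))
    return out

def tlv(ident, content):  # sample builder, short-form lengths only
    return bytes([ident, len(content)]) + content

# Constructed sample: rfc822Name, dNSName, directoryName (CN=test).
SAMPLE = tlv(0x30, tlv(0x81, b"a@example.com") + tlv(0x82, b"example.com")
             + tlv(0xA4, tlv(0x30, tlv(0x31, tlv(0x30,
                   tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"test"))))))
```

For the sample, the directoryName entry reports an inner identifier of 0x30, the universal SEQUENCE tag of RDNSequence preserved under the 0xA4 wrapper, while the 0x81 and 0x82 entries have no inner TLV because the context tag replaced the IA5String tag.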