Omit empty optional sequences if they are specified with a minimum length
Description of problem:
Over in gnutls#1238 (closed), I noted that certtool was emitting an empty sequence of policyQualifiers even though the ASN.1 specification for policyQualifiers clearly says (1..MAX) OPTIONAL.
If libtasn1 knows that a given SEQUENCE is OPTIONAL and it has a minimum length (e.g. (1..MAX), or, regardless of the upper limit, even (1..2) really), and the data structure to be written is an empty sequence, then libtasn1 should be clever enough to omit the member entirely.
Version of libtasn1 used:
4.16.0-2
Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)
Debian
How reproducible:
Steps to Reproduce:
printf 'policy1=1.2.3.4\ncn="test"' > foo.template
certtool --generate-privkey > foo.key
certtool --generate-self-signed --template foo.template --load-privkey foo.key --outder | dumpasn1
Actual results:
556 18: SEQUENCE {
558 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
563 11: OCTET STRING 30 09 30 07 06 03 2A 03 04 30 00
: }
The payload of the extension converts to:
$ xxd -r -c 256 <<<"0000 30 09 30 07 06 03 2A 03 04 30 00" | dumpasn1 -
0 9: SEQUENCE {
2 7: SEQUENCE {
4 3: OBJECT IDENTIFIER '1 2 3 4'
9 0: SEQUENCE {}
: }
: }
$
Expected results:
The payload of the extension should be 30 07 30 05 06 03 2A 03 04, which is:
0 7: SEQUENCE {
2 5: SEQUENCE {
4 3: OBJECT IDENTIFIER '1 2 3 4'
: }
: }
Edited by Daniel Kahn Gillmor
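
A check for the encoding described in this report, as an added example (not part of the original issue and not libtasn1 or GnuTLS code): a minimal DER walker that reports each PolicyInformation whose policyQualifiers SEQUENCE is present but empty. The function names are hypothetical; the two byte strings are the extension payloads quoted in the report.

```python
def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split constructed contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):  # render DER OID contents in dotted form
    arcs, n = [], 0
    for b in val:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def empty_policy_qualifiers(payload):
    """Return policy OIDs whose policyQualifiers SEQUENCE is present but empty."""
    tag, body, end = read_tlv(payload)
    if tag != 0x30 or end != len(payload):
        raise ValueError("expected exactly one outer SEQUENCE")
    bad = []
    for ptag, pinfo in children(body):     # each PolicyInformation
        fields = children(pinfo)
        if ptag != 0x30 or not fields or fields[0][0] != 0x06:
            raise ValueError("malformed PolicyInformation")
        if any(t == 0x30 and not v for t, v in fields[1:]):
            bad.append(decode_oid(fields[0][1]))
    return bad

# Extension payloads quoted in the report above.
ACTUAL = bytes.fromhex("30 09 30 07 06 03 2A 03 04 30 00")
EXPECTED = bytes.fromhex("30 07 30 05 06 03 2A 03 04")
print(empty_policy_qualifiers(ACTUAL), empty_policy_qualifiers(EXPECTED))
```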