PKI Certificate Tutorials - Herong's Tutorial Examples - v1.10, by Herong Yang
ASN.1 Type Modifier - Type Tagging
This section provides a quick introduction to ASN.1 type modifiers. Specifying a type modifier is also called type tagging; it lets you define your own type tags to resolve ambiguity issues in BER encoding.
BER (Basic Encoding Rules) encoding with UNIVERSAL type tags works well for simple SEQUENCE structures, as shown in the previous tutorial. But it leads to ambiguity issues for complex SEQUENCE structures or SET structures.
For example, the following SEQUENCE structure has some optional members:
Contact ::= SEQUENCE {
   name UTF8String,
   phone UTF8String OPTIONAL,
   email UTF8String OPTIONAL,
   address UTF8String OPTIONAL
}
Here is a Contact value and its BER encoding:
bestFriend Contact ::= { name "Joe", address "123 4567 W" }

- BER encoding of bestFriend in Hex digits:
  30 11 0c 03 4a 6f 65 0c 0a 31 32 33 20 34 35 36 37 20 57
When the DER output is decoded back, we get a SEQUENCE of two UTF8String member values, and an ambiguity issue arises. Based on the data structure definition, we know the first value, "Joe", is the "name" member. But we are not sure what the second value is for: it could be any of the three optional members.
SEQUENCE {
   UTF8String "Joe"
   UTF8String "123 4567 W"
}
To avoid this ambiguity issue, ASN.1 allows you to define your own type tags using the IMPLICIT or EXPLICIT tagging modifier notations shown below:
type
   - No modifier. Keeps the default tag in the UNIVERSAL class

[class tag] IMPLICIT type
   - Replaces the default tag with the given tag in the given class

[class tag] EXPLICIT type
   - Creates a new constructed type with the given tag and class
   - Places the original type inside the new type as the only member
Here is our Contact structure defined with different implicit tags for different optional members to solve the ambiguity issue.
ContactImp ::= SEQUENCE {
   name UTF8String,
   phone [PRIVATE 20] IMPLICIT UTF8String OPTIONAL,
   email [PRIVATE 9] IMPLICIT UTF8String OPTIONAL,
   address [PRIVATE 5] IMPLICIT UTF8String OPTIONAL
}

bestFriend ContactImp ::= { name "Joe", address "123 4567 W" }

- BER encoding of bestFriend in Hex digits:
  30 11 0c 03 4a 6f 65 c5 0a 31 32 33 20 34 35 36 37 20 57

- Decoded back:
  SEQUENCE {
     UTF8String 'Joe'
     [PRIVATE 5] 31323320343536372057
  }
- The "PRIVATE 5" is the address member.
- Its value is a sequence of bytes to be interpreted by the receiver.
Here is our Contact structure defined with different explicit tags for different optional members to solve the ambiguity issue.
ContactExp ::= SEQUENCE {
   name UTF8String,
   phone [PRIVATE 20] EXPLICIT UTF8String OPTIONAL,
   email [PRIVATE 9] EXPLICIT UTF8String OPTIONAL,
   address [PRIVATE 5] EXPLICIT UTF8String OPTIONAL
}

bestFriend ContactExp ::= { name "Joe", address "123 4567 W" }

- BER encoding of bestFriend in Hex digits:
  30 13 0c 03 4a 6f 65 e5 0c 0c 0a 31 32 33 20 34 35 36 37 20 57
  (the outer SEQUENCE length is 0x13 = 19 bytes: the explicit wrapper adds
  2 bytes, e5 0c, in front of the 12-byte inner UTF8String TLV)

- Decoded back:
  SEQUENCE {
     UTF8String 'Joe'
     [PRIVATE 5] {
        UTF8String "123 4567 W"
     }
  }
- The "PRIVATE 5" is the address member.
- Its constructed value is a UTF8String value.
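As an added example (not code from the tutorial), here is a small Python BER encoder and TLV splitter that produces the three bestFriend encodings above; the helper names (ber_tlv, implicit_tag, explicit_tag, encode_contact, split_tlvs, describe_tag) are my own. It shows why the IMPLICIT form hands the receiver only the raw contents under the new tag, while the EXPLICIT form keeps the inner UTF8String TLV intact.

```python
# Added example, not the tutorial's code: a minimal BER encoder and TLV splitter
# for the Contact value above, with address untagged, IMPLICIT or EXPLICIT tagged.
UNIVERSAL, APPLICATION, CONTEXT, PRIVATE = 0x00, 0x40, 0x80, 0xC0  # class bits 8-7
CONSTRUCTED = 0x20                   # bit 6 of the identifier octet
UTF8STRING, SEQUENCE = 0x0C, 0x30    # UNIVERSAL 12 primitive, UNIVERSAL 16 constructed
CLASS_NAMES = {UNIVERSAL: "UNIVERSAL", APPLICATION: "APPLICATION",
               CONTEXT: "CONTEXT-SPECIFIC", PRIVATE: "PRIVATE"}

def ber_tlv(tag: int, content: bytes) -> bytes:
    """One identifier octet, one short-form length octet, then the contents."""
    assert (tag & 0x1F) < 0x1F and len(content) < 128, "single-octet tag/length only"
    return bytes([tag, len(content)]) + content

def utf8(s: str) -> bytes:
    return ber_tlv(UNIVERSAL | UTF8STRING, s.encode("utf-8"))

def implicit_tag(cls: int, num: int, inner: bytes) -> bytes:
    """IMPLICIT: replace the identifier octet; keep the constructed bit and contents."""
    return ber_tlv(cls | (inner[0] & CONSTRUCTED) | num, inner[2:])

def explicit_tag(cls: int, num: int, inner: bytes) -> bytes:
    """EXPLICIT: a new constructed TLV whose only content is the original TLV."""
    return ber_tlv(cls | CONSTRUCTED | num, inner)

def encode_contact(name: str, address: str, tagging: str = "") -> bytes:
    """bestFriend with only name and address present, as in the tutorial."""
    addr = utf8(address)
    if tagging == "IMPLICIT":
        addr = implicit_tag(PRIVATE, 5, addr)
    elif tagging == "EXPLICIT":
        addr = explicit_tag(PRIVATE, 5, addr)
    return ber_tlv(SEQUENCE, utf8(name) + addr)

def split_tlvs(data: bytes) -> list:
    """Walk consecutive TLVs and return (identifier octet, contents) pairs;
    applied to a SEQUENCE's contents, these tag bytes are all a receiver sees."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        assert length < 128, "short-form length only"
        out.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def describe_tag(tag: int) -> str:
    """Render an identifier octet like the tutorial's decoder output, e.g. '[PRIVATE 5]'."""
    cls, num = tag & 0xC0, tag & 0x1F
    return "UTF8String" if tag == UTF8STRING else f"[{CLASS_NAMES[cls]} {num}]"
```

With the implicit tag, the second member decodes to raw bytes under [PRIVATE 5] and only the schema says they are a UTF8String; with the explicit tag, splitting the [PRIVATE 5] contents again yields the original 0c-tagged UTF8String.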
Note that the "class" parameter and the IMPLICIT/EXPLICIT keyword are optional in tagging modifier notations as shown below:
[class tag] type
   - Tagging style is inherited from the containing type module
   - A type module supports the "EXPLICIT|IMPLICIT TAGS" option
   - The default is "EXPLICIT TAGS"

[tag] IMPLICIT type
   - Implicit tagging with the CONTEXT-SPECIFIC class

[tag] EXPLICIT type
   - Explicit tagging with the CONTEXT-SPECIFIC class

[tag] type
   - Inherited tagging style with the CONTEXT-SPECIFIC class
Also note that tagged types can be nested in multiple levels. For example:
MyType ::= [PRIVATE 2] IMPLICIT [ APPLICATION 23 ] [ 3 ] UTF8String