Mark,
Mark C Smith wrote:
Someone asked me this week what the correct BER encoding is for a
PasswordPolicyResponseValue (from
http://www.ietf.org/internet-drafts/draft-behera-ldap-password-policy-06.txt
).
The ASN.1 from section 5.2 of the I-D is:
PasswordPolicyResponseValue ::= SEQUENCE {
warning [0] CHOICE OPTIONAL {
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
graceLoginsRemaining [1] INTEGER (0 .. maxInt) }
error [1] ENUMERATED OPTIONAL {
passwordExpired (0),
accountLocked (1),
changeAfterReset (2),
passwordModNotAllowed (3),
mustSupplyOldPassword (4),
invalidPasswordSyntax (5),
passwordTooShort (6),
passwordTooYoung (7),
passwordInHistory (8) } }
First up, there are syntax errors in this type definition.
It should read:
PasswordPolicyResponseValue ::= SEQUENCE {
warning [0] CHOICE {
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
error [1] ENUMERATED {
passwordExpired (0),
accountLocked (1),
changeAfterReset (2),
passwordModNotAllowed (3),
mustSupplyOldPassword (4),
invalidPasswordSyntax (5),
passwordTooShort (6),
passwordTooYoung (7),
passwordInHistory (8) } OPTIONAL }
Notice that the warning element is both OPTIONAL (with a context
specific tag of 0) and a CHOICE with embedded context specific tags (0
timeBeforeExpiration and 1 for graceLoginsRemaining).
Normally, a CHOICE
is encoded simply as whatever element as chosen, e.g., if
timeBeforeExpiration is chosen one would just encode an INTEGER with a
context specific primitive tag of 0. But the tag associated with the
outer element (warning) also needs to be included so the decoder can
tell that a warning element was included (remember, it is optional).
What is the right way to encode this?
If the tag default is IMPLICIT TAGS then the encoding is as
you've stated above. The implicit tagging suppresses the universal tag
of the INTEGER, but there is no universal tag (or length) for CHOICE
and implicit tagging never applies to a CHOICE.
With IMPLICIT tags the warning element, when present, is encoded as
[constructed 0] length [primitive 0] length integer-value-octets
With EXPLICIT tags the warning element, when present, is encoded as
[constructed 0] length [constructed 0] length
[primitive UNIVERSAL 2] length integer-value-octets
One ASN.1 compiler I used encoded the warning element as a constructed
element that contains one integer (which allows two tags to
be encoded,
one associated with the constructed/container element and one with the
integer itself). Is that the right thing to do?
Yes, if the tag default is IMPLICIT TAGS, though the draft doesn't say
whether EXPLICIT or IMPLICIT tagging should apply.
Regards,
Steven