Re: [ldapext] BER encoding of PasswordPolicyResponseValue?

[mcs@netscape.com (Mark C Smith)]

Thank you for your helpful response.

One follow up question: in the absence of any indication, the default in 
ASN.1 is EXPLICIT tagging, right? I suspect many LDAP extension 
documents intend to use IMPLICIT (which for example is specified in 
Appendix A of RFC 2251) but that fact may not be mentioned. One example:

http://www.ietf.org/internet-drafts/draft-ietf-ldapext-ldapv3-vlv-09.txt

-Mark


Steven Legg wrote:

> Mark,
>
> Mark C Smith wrote:
>  
>
> > Someone asked me this week what the correct BER encoding is for a
> > PasswordPolicyResponseValue (from
> >
> >    
> http://www.ietf.org/internet-drafts/draft-behera-ldap-password-policy-06.txt
> ).
>  
>
> > The ASN.1 from section 5.2 of the I-D is:
> >
> >    PasswordPolicyResponseValue ::= SEQUENCE {
> >       warning   [0] CHOICE OPTIONAL {
> >           timeBeforeExpiration  [0] INTEGER (0 .. maxInt),
> >           graceLoginsRemaining  [1] INTEGER (0 .. maxInt) }
> >       error     [1] ENUMERATED OPTIONAL {
> >           passwordExpired       (0),
> >           accountLocked         (1),
> >           changeAfterReset      (2),
> >           passwordModNotAllowed (3),
> >           mustSupplyOldPassword (4),
> >           invalidPasswordSyntax (5),
> >           passwordTooShort      (6),
> >           passwordTooYoung      (7),
> >           passwordInHistory     (8) } }
> >    
>
> First up, there are syntax errors in this type definition.
> It should read:
>
>    PasswordPolicyResponseValue ::= SEQUENCE {
>       warning   [0] CHOICE {
>           timeBeforeExpiration  [0] INTEGER (0 .. maxInt),
>           graceLoginsRemaining  [1] INTEGER (0 .. maxInt) } OPTIONAL,
>       error     [1] ENUMERATED {
>           passwordExpired       (0),
>           accountLocked         (1),
>           changeAfterReset      (2),
>           passwordModNotAllowed (3),
>           mustSupplyOldPassword (4),
>           invalidPasswordSyntax (5),
>           passwordTooShort      (6),
>           passwordTooYoung      (7),
>           passwordInHistory     (8) } OPTIONAL }
>
>
>  
>
> > Notice that the warning element is both OPTIONAL (with a context
> > specific tag of 0) and a CHOICE with embedded context specific tags (0
> > timeBeforeExpiration and 1 for graceLoginsRemaining).
> > Normally, a CHOICE
> > is encoded simply as whatever element as chosen, e.g., if
> > timeBeforeExpiration is chosen one would just encode an INTEGER with a
> > context specific primitive tag of 0. But the tag associated with the
> > outer element (warning) also needs to be included so the decoder can
> > tell that a warning element was included (remember, it is optional).
> > What is the right way to encode this?
> >    
>
> If the tag default is IMPLICIT TAGS then the encoding is as
> you've stated above. The implicit tagging suppresses the universal tag
> of the INTEGER, but there is no universal tag (or length) for CHOICE
> and implicit tagging never applies to a CHOICE.
>
> With IMPLICIT tags the warning element, when present, is encoded as
>
>    [constructed 0] length [primitive 0] length integer-value-octets
>
> With EXPLICIT tags the warning element, when present, is encoded as
>
>    [constructed 0] length [constructed 0] length
>        [primitive UNIVERSAL 2] length integer-value-octets
>
>  
>
> > One ASN.1 compiler I used encoded the warning element as a constructed
> > element that contains one integer (which allows two tags to
> > be encoded,
> > one associated with the constructed/container element and one with the
> > integer itself). Is that the right thing to do?
> >    
>
> Yes, if the tag default is IMPLICIT TAGS, though the draft doesn't say
> whether EXPLICIT or IMPLICIT tagging should apply.
>
> Regards,
> Steven

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext