asn1 encoding for empty KDC_Options

Tom Yu tlyu at MIT.EDU
Wed May 14 09:12:42 EDT 2003


>>>>> "Eric" == Naud, Eric <eric.naud at Terayon.com> writes:

Eric> The KDC server and the ASN1 parser that I use both report an
Eric> error with the following bitstring encoding for the kdc options:

Eric> A0 07 03 05 00 00 00 00 00 

Eric> It reports the following:
Eric> <A0 07>
Eric> . . . . [0] {
Eric> <03 05>
Eric> . . . . . BIT STRING 0 unused bits
Eric> . . . . . . '00000000000000000000000000000000'B
Eric> . . . . . . Error: Spurious zero bits in bitstring.
Eric> . . . . . }

Note that X.690 prohibits trailing zero bits in bitstrings, but only
for DER or CER, and even then only if NamedBits notation is used to
define the bitstring.  Unfortunately, this is the case in RFC1510, so
pretty much all implementations of RFC1510 are not in compliance.
This is being fixed by changing the Kerberos specification within the
IETF to use bitstrings with unnamed bits.  What implementations are
actually doing is emitting bitstrings of length 32 always.

Eric> Apparently ASN1 doesn't like null bit string, what should be
Eric> done in the case where the KDC-Options MUST NOT be set. Can I
Eric> just remove it from the AS request?

No.  It is not an optional component of the AS-REQ.  How are you
generating the AS-REQ?  And which KDC implementation is giving you an
error on that bitstring?  Which ASN.1 parser did you use to produce
the above trace?

---Tom
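
The following Python example is added here to illustrate the encoding issue discussed above; it is not part of the original message and is not code from any Kerberos implementation. It parses the quoted bytes, applies the strict DER named-bits check that produces the "spurious zero bits" error, and contrasts the fixed 32-bit encoding with the minimal one. The function names are hypothetical, and flags are assumed to be held as a 32-bit integer with Kerberos bit 0 as the most significant bit.

```python
# Added example: KDC-Options as [0] EXPLICIT BIT STRING, strict vs. fixed-width.
SAMPLE = bytes.fromhex("A0 07 03 05 00 00 00 00 00")   # bytes quoted in the message

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_kdc_options(field):
    """Unwrap the [0] tag and BIT STRING; return (unused_bits, bit_octets)."""
    tag, inner, end = read_tlv(field)
    if tag != 0xA0 or end != len(field):
        raise ValueError("expected exactly one [0] element")
    tag, body, end = read_tlv(inner)
    if tag != 0x03 or end != len(inner) or not body:
        raise ValueError("expected exactly one BIT STRING")
    unused, bits = body[0], body[1:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bits octet")
    return unused, bits

def has_trailing_zero_bits(unused, bits):
    """Strict DER named-bits rule: the last encoded bit must be 1."""
    return bool(bits) and (bits[-1] >> unused) & 1 == 0

def encode_fixed32(flags):
    """Always 32 bits, 0 unused: what implementations actually emit."""
    return bytes([0xA0, 0x07, 0x03, 0x05, 0x00]) + flags.to_bytes(4, "big")

def encode_minimal(flags):
    """Strict DER for named bits: strip trailing zero bits first."""
    bits = format(flags, "032b").rstrip("0")     # Kerberos bit 0 = MSB
    padded = bits + "0" * (-len(bits) % 8)
    octets = int(padded, 2).to_bytes(len(padded) // 8, "big") if bits else b""
    body = bytes([len(padded) - len(bits)]) + octets
    return bytes([0xA0, len(body) + 2, 0x03, len(body)]) + body

if __name__ == "__main__":
    unused, bits = parse_kdc_options(SAMPLE)
    print("strict parser would reject:", has_trailing_zero_bits(unused, bits))
    print("minimal form of empty flags:", encode_minimal(0).hex())
```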

