TicketFlags encoding

Nico Williams nico at cryptonector.com
Thu Aug 1 02:30:20 EDT 2013


On Wed, Jul 31, 2013 at 9:08 PM, Frank Cusack <frank at linetwo.net> wrote:
> What would be the correct DER encoding of the Forwardable flag, by itself?

Forwardable is 0x40000000 in typical C implementations, but it's bit 1
in RFC1510, bit #1 being the second bit of a bit string where we count
bits from the left (zero-based count).  We pretend it's not a named
bit, and we pretend the string is 32 bits long (instead of having to
be 2 bits long otherwise).

So the encoding is:

0x03 (tag) 0x05 (length) 0x00 (bits of padding) 0x40 0x00 0x00 0x00

The length counts the padding bit count byte.

> Without the 32 bit minimum, I'm confused as to which of these would be
> correct:
>
> 03 02 06 40
> 03 03 03 40 00

The first: 0x03 0x02 0x06 0x40.  This means that the bit string is
"start with 0x40 and remove the trailing six bits, leaving you with a
2 bit long bit string 01 (binary)".  The encoding is 2 bytes (one for
padding count, one for the 2 bits + padding); the whole thing is
UNIVERSAL tag #3 (BIT STRING).

> With the 32 bit minimum, I'm confused as to which of these is correct:
>
> 03 05 1E 40 00 00 00
> 03 05 13 40 00 00 00
> 03 05 00 40 00 00 00

The padding bit count must be between 0 and 7; the first two choices
are right out :)  It counts the number of bits of padding needed on
the right end of the bit string to get it to a multiple of 8 bits.

The bit string is 32 bits, 32 mod 8 == 0 so the count of padding bits
is zero.  So the third choice.

> Or, something different?  Do I have the bit ordering correct?  (bit 0 =
> leading/most significant)

You do.

Nico
--
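A worked encoder and decoder for the BIT STRING rules discussed in the reply above, added here as an example (it is not code from the original thread). It assumes the RFC 1510/4120 bit numbering (bit 0 is the leading, most significant bit), a 32-bit minimum length for KerberosFlags, and short-form DER lengths; the decoder rejects the out-of-range padding counts the reply dismisses.

```python
# Constructed example: DER BIT STRING (UNIVERSAL tag 3) for Kerberos flags.
# Bit numbering: bit 0 is the leftmost bit of the string, so Forwardable
# (bit #1) is 0x40 in the first content byte, i.e. 0x40000000 as a C word.

FORWARDABLE = 1  # assumed name for RFC 1510 bit #1


def encode_flags(bits, min_bits=32):
    """DER-encode a set of bit positions as a BIT STRING.

    min_bits=32 applies the Kerberos 32-bit minimum; min_bits=0 gives the
    plain encoding, which is only as long as the highest set bit needs.
    """
    nbits = max(min_bits, (max(bits) + 1) if bits else 0)
    nbytes = (nbits + 7) // 8
    pad = nbytes * 8 - nbits  # unused trailing bits, always 0..7
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)  # bit 0 = MSB of first byte
    content = bytes([pad]) + bytes(value)  # length covers the pad byte too
    if len(content) >= 128:
        raise ValueError("short-form length only in this example")
    return bytes([0x03, len(content)]) + content


def decode_flags(der):
    """Decode a DER BIT STRING into the set of bit positions that are set.

    Rejects padding counts above 7 (e.g. 0x1E or 0x13 from the thread) and,
    as DER requires, non-zero padding bits.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 128 or len(der) != 2 + length:
        raise ValueError("bad length")
    pad = der[2]
    if pad > 7:
        raise ValueError("padding bit count must be between 0 and 7")
    value = der[3:]
    if pad and not value:
        raise ValueError("padding on an empty bit string")
    if pad and value[-1] & ((1 << pad) - 1):
        raise ValueError("non-zero padding bits are not DER")
    nbits = len(value) * 8 - pad
    return {i for i in range(nbits) if value[i // 8] & (0x80 >> (i % 8))}
```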