Werner Koch <wk(_at_)gnupg(_dot_)org> writes:
> On Fri, 20 Jun 2008 12:48, rabbi(_at_)abditum(_dot_)com said:
>> Actually, my concern has to do with the fact that OIDs are of arbitrary
>> length. X.509 got it wrong; we might too.
>
> How can you get this wrong? You compare the length byte and the data.
> That is trivial. Some folks might be tempted to use a BER parser but that is
> overkill and a bad practice.

You don't even check the length byte, you just have a table of encoded OIDs
and walk down them doing a memcmp() of the full encoded form. Also, while
they *can* be of arbitrary length, unless you design a pathologically stupid
one it's going to be in the region 5-15 bytes.
(You can also optimise the check by comparing an integer checksum of the OID
with a stored integer checksum as a quick-reject check, so an OID match
search is just a walk down a list of ints followed by a single memcmp()).
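
The table walk with a checksum quick-reject described in the reply above, as an added C example that is not part of the original posts. It assumes the encoded form is one length byte followed by the OID body; the table contents, the names and the choice of FNV-1a as the checksum are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed table: each entry is the full encoded form (length byte, body). */
struct oid_entry { const char *name; uint8_t len; uint8_t enc[16]; uint32_t sum; };

static struct oid_entry oid_table[] = {
    { "sha1",           6, {0x05,0x2B,0x0E,0x03,0x02,0x1A}, 0 },
    { "sha256",        10, {0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01}, 0 },
    { "rsaEncryption", 10, {0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01}, 0 },
};
#define OID_COUNT (sizeof oid_table / sizeof oid_table[0])

/* FNV-1a, used only as a quick-reject checksum, not as a security control. */
static uint32_t oid_checksum(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Returns the table name of the encoded OID at the start of buf, or NULL. */
const char *oid_lookup(const uint8_t *buf, size_t buflen)
{
    static int ready;   /* stored checksums are filled in on first use */
    size_t enc_len, i;
    uint32_t sum;

    if (!ready) {
        for (i = 0; i < OID_COUNT; i++)
            oid_table[i].sum = oid_checksum(oid_table[i].enc, oid_table[i].len);
        ready = 1;
    }
    /* The length byte comes from untrusted input: never read past buflen. */
    if (buf == NULL || buflen < 1)
        return NULL;
    enc_len = 1u + buf[0];
    if (enc_len > buflen)
        return NULL;

    sum = oid_checksum(buf, enc_len);
    for (i = 0; i < OID_COUNT; i++) {
        if (oid_table[i].sum != sum)
            continue;   /* quick reject: integer compare only */
        /* Length check keeps memcmp() inside the 16-byte table entry. */
        if (oid_table[i].len == enc_len && memcmp(oid_table[i].enc, buf, enc_len) == 0)
            return oid_table[i].name;
    }
    return NULL;
}
```

The checksum only narrows the candidates; the memcmp() of the full encoded form is what decides a match, so a checksum collision cannot produce a false accept.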