CODEC: ASN.1, X.509v3 and PKCS


As cryptography becomes more and more pervasive in out Internet applications, flexible, modular, robust, extensible and well-tested libraries are needed in order to perform cryptographic operations and to encode and decode cryptographic syntax standards. At the same time, these libraries must be designed in a fashion that promotes usability and ease of understanding, since not all software developers can be expected to be experts in applied cryptography.


CODEC is an efficient and easily extendible encoder and decoder for various ASN.1 based cryptographic standards. CODEC is written in pure Java and supports e.g.,

CODEC is a well tested library which is running already for years in several real-world applications. CODEC is the basis for the commercial products of FlexSecure, including FlexiTRUST, a PKI product that has been evaluated and certified according to EAL3+ of the ISO-15408 (Common Criteria), and which is used by the German Regulatory Authority for Telecommunications and Post (Bundesnetzagentur) to run the German National root authority for digital signature certificates.

CODEC is well integrated in the Java Cryptography Architecture (JCA) and Extension (JCE). This means e.g., that AlgorithmIdentifier transparently returns AlgorithmParameters (a JCA object) rather than a generic ASN.1 object, which simplifies software development. The resolution of algorithm names is done transparently based on the properties of the registered cryptographic service providers. This is not straightforward in practice, particularly not in the case of PKCS#7. My article in the Dr. Dobb's Journal (see below) gives some background.

CODEC uses an efficient two-pass encoding process, which avoids copying octet strings. Each octet is written just once. Here, the observation is that the reverse of the postorder traversal of the object graph can determine the lengths (pass 1) required to subsequently encode the data structures in preorder (pass2). The figure below illustrates this:

CODEC uses a two-pass encoder which determines the lengths of ASN.1 structures in the first pass, and performs the encoding in a second pass. Data is written at most once during encoding and decoding.
The only case where this does not apply is if ASN.1 SET OF structures are encoded according to strict X.690, which requires sorting the SET OF elements according to their encodings.

A version of CODEC is available as open source as part of the SeMoA distribution, and is used by several people for developing ASN.1 applications.

Selected Publications

  1. Volker Roth.
    Java Security Architecture and Extensions.
    Dr. Dobbs Journal, 2002(335), April 2002.
    [pdf] Search on Scholar