Description
Problem
According to the Distinguished Encoding Rules (DER, ITU-T X.690 section 11.6), the elements of a SET OF value must be encoded individually and then emitted in ascending order of their encodings, compared as octet strings (for the comparison, shorter encodings are padded at the trailing end with 0x00). This makes the encoding canonical: independent implementations produce identical bytes for the same value, which is what hashing and signing of DER depend on.
Currently, the Python implementation of asn1tools does not perform this sorting step for SET OF types. The SetOf class in asn1tools/codecs/der.py inherits from ArrayType, and its encode_content method emits the element encodings in the order the elements were supplied, without sorting them. The resulting output therefore depends on input order and is not valid DER.
Evidence
- DER spec (X.690): https://www.itu.int/rec/T-REC-X.690-202102-I/en
- Implementation reference: in asn1tools/codecs/der.py, see SetOf and ArrayType.encode_content(). No sorting of the encoded element values is present.
Expected behavior
- For every SET OF, elements should be encoded individually.
- The resulting byte sequences should be sorted in ascending order, compared as unsigned octet strings (X.690 section 11.6).
- The sorted encodings should be concatenated and emitted as the SET OF content.
Steps to Reproduce
- Define an ASN.1 SET OF type and provide values in different orders.
- Encode with asn1tools using DER.
- Observe that the output bytes change with input order; DER requires a single encoding for a given value.
Suggested Solution
Update the DER encoder for SET OF so that it encodes each element, sorts the encoded elements, and then emits them in sorted order (per X.690 section 11.6). Reference implementations (such as asn1c) do this with a sort step on the encoded buffers.
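To make the expected behaviour and the suggested fix concrete, here is an added, self-contained Python example. It is not asn1tools code and does not use the asn1tools API: it is a minimal DER encoder for SET OF with INTEGER and OCTET STRING elements that applies the X.690 11.6 ordering, plus a checker that reports whether an existing SET OF encoding is in canonical order (useful for inspecting the bytes produced in the steps above). The function names, the supported element types and the sample values are illustrative assumptions.

```python
"""Added example (not asn1tools code): a minimal DER SET OF encoder that
applies the X.690 11.6 ordering rule, and a checker for existing encodings.
Only INTEGER and OCTET STRING elements are supported; names are illustrative.
"""
from typing import List, Sequence, Tuple, Union

Element = Union[int, bytes]


def der_length(n: int) -> bytes:
    """Definite-length octets in the shortest form (X.690 10.1)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) with minimal two's-complement content (X.690 8.3)."""
    content = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    # Drop redundant leading 0x00 / 0xFF octets while keeping the sign bit.
    while len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        content = content[1:]
    return b"\x02" + der_length(len(content)) + content


def der_octet_string(value: bytes) -> bytes:
    """OCTET STRING (tag 0x04)."""
    return b"\x04" + der_length(len(value)) + value


def encode_element(value: Element) -> bytes:
    if isinstance(value, (bytes, bytearray)):
        return der_octet_string(bytes(value))
    if isinstance(value, int):
        return der_integer(value)
    raise TypeError(f"unsupported element type: {type(value).__name__}")


def sort_encodings(encoded: Sequence[bytes]) -> List[bytes]:
    """Order element encodings per X.690 11.6: compare as octet strings,
    shorter ones padded at the trailing end with 0x00. For complete TLVs no
    encoding is a proper prefix of another, so this equals plain byte-wise
    sorting; the padding is kept to follow the text of the rule exactly."""
    width = max((len(e) for e in encoded), default=0)
    return sorted(encoded, key=lambda e: e.ljust(width, b"\x00"))


def der_set_of(elements: Sequence[Element], sort: bool = True) -> bytes:
    """SET OF (tag 0x31). sort=False reproduces order-dependent output."""
    encoded = [encode_element(e) for e in elements]
    if sort:
        encoded = sort_encodings(encoded)
    content = b"".join(encoded)
    return b"\x31" + der_length(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[bytes, bytes, int]:
    """Parse one DER TLV at pos; return (tag octets, content, end offset)."""
    start = pos
    if buf[pos] & 0x1F == 0x1F:              # high-tag-number form
        pos += 1
        while buf[pos] & 0x80:
            pos += 1
    pos += 1
    tag = buf[start:pos]
    first = buf[pos]
    pos += 1
    if first & 0x80:                          # long definite form
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def set_of_is_canonical(der: bytes) -> bool:
    """True if a DER SET OF has its elements in X.690 11.6 order."""
    tag, content, end = read_tlv(der)
    if tag != b"\x31" or end != len(der):
        raise ValueError("expected exactly one SET OF TLV")
    elements, pos = [], 0
    while pos < len(content):
        _, _, nxt = read_tlv(content, pos)
        elements.append(content[pos:nxt])
        pos = nxt
    return elements == sort_encodings(elements)


if __name__ == "__main__":
    forward = der_set_of([300, 5, -1, 128])       # constructed sample values
    shuffled = der_set_of([128, -1, 300, 5])
    print(forward.hex(), forward == shuffled, set_of_is_canonical(forward))
    print(set_of_is_canonical(der_set_of([300, 5], sort=False)))
```

Two points worth noticing when running it: the order is that of the encoded octets, not of the values, so -1 (content 0xFF) sorts after 5 but before 128 (content 0x00 0x80); and the comparison starts at the tag octet, so in a SET OF with mixed element types every INTEGER (0x02) precedes every OCTET STRING (0x04) regardless of value. set_of_is_canonical can be run over bytes produced by any encoder to check the property described in this issue.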
Impact
- DER encoded SET OF values are not interoperable with other DER tools when element order varies.
- This may cause signature validation and canonicalization failures in downstream applications.
Happy to provide an initial patch or further test cases if helpful!