Can there be multiples of the same CHOICE field in a rfc5280 certificate?


I'm currently validating my implementation of a certificate conforming to the RFC5280.

The General Name is defined as:

GeneralName ::= CHOICE {
    otherName     [0] OtherName,
    rfc822Name    [1] IA5String,
    dNSName       [2] IA5String,
    x400Address   [3] ORAddress,
    directoryName [4] Name,
    ediPartyName  [5] EDIPartyName,
    uniformResourceIdentifier [6] IA5String,
    iPAddress     [7] OCTET STRING,
    registeredID  [8] OBJECT IDENTIFIER }

Now I can't find the definition of the CHOICE keyword. Is it possible for my certificate to contain multiple directoryName-, or URI-fields? Or does choice mean any of the below but not more than once?


Solution

  • Is it possible for my certificate to contain multiple directoryName-, or URI-fields?

    Yes.

    Or does choice mean any of the below but not more than once?

    Also yes.


    A choice is a single choice. It probably says it succinctly in the document somewhere, but ITU-T X.680 always refers to choices as single values, such as:

    29.8 The choice type contains values which do not all have the same tag. (The tag depends on the alternative which contributed the value to the choice type.)

    (emphasis mine)

    The certificate can contain multiple directoryName/etc values because things like the subject alternative name extension don't have GeneralName values, they have GeneralNames values. And, of course, GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
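An added example, not part of the original question or answer: a minimal DER walker over a GeneralNames value that treats each element as exactly one CHOICE alternative (selected by its context-specific tag number) while letting the enclosing SEQUENCE OF repeat alternatives freely. The sample SubjectAltName bytes are constructed inline, not taken from a real certificate, and the `tlv`/`read_tlv` helpers are this example's own, not part of any library.

```python
# Map of GeneralName CHOICE tag numbers to alternative names (RFC 5280 4.2.1.6).
CHOICE_ALTERNATIVES = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short-form length only; enough for this sample)."""
    assert len(content) < 128, "short-form length only"
    return bytes([tag, len(content)]) + content

# Constructed sample: a SubjectAltName GeneralNames holding two dNSName
# entries, one rfc822Name and one iPAddress (not from a real certificate).
SAMPLE_GENERAL_NAMES = tlv(0x30, b"".join([
    tlv(0x82, b"example.com"),        # [2] dNSName
    tlv(0x82, b"www.example.com"),    # [2] dNSName, same alternative again
    tlv(0x81, b"a@example.com"),      # [1] rfc822Name
    tlv(0x87, bytes([192, 0, 2, 1])), # [7] iPAddress
]))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:end], end

def parse_general_names(der: bytes):
    """Decode GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName.

    Each element is one CHOICE alternative, picked by its [n] context tag;
    the SEQUENCE OF may contain the same alternative any number of times."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag & 0xC0 != 0x80:  # class bits must be context-specific
            raise ValueError("GeneralName must carry a context-specific tag")
        alt = CHOICE_ALTERNATIVES.get(tag & 0x1F)  # tag number selects the alternative
        if alt is None:
            raise ValueError(f"no GeneralName alternative with tag [{tag & 0x1F}]")
        names.append((alt, content))
    if not names:
        raise ValueError("GeneralNames is SIZE (1..MAX); empty value is invalid")
    return names
```

A real implementation would also decode each alternative's content by type (IA5String, Name, OCTET STRING) and, for a certificate, check that the extension's OCTET STRING wraps exactly one such SEQUENCE.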