On 01/04/2015 02:38 PM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-01-02 at 12:59 -0500, Daniel Kahn Gillmor wrote:
>> [ sorry, digging up an old thread as i happen to be thinking about the
>> issue today ]
>>
>> On Thu 2014-05-15 07:49:14 -0400, Nikos Mavrogiannopoulos wrote:
>>> On Thu, May 15, 2014 at 12:08 PM, Josef Wolf <[email protected]> wrote:
>>>> Hello,
>>>> I am currently trying to use UUIDs (as Bignum) for the serial number of
>>>> certificates. AFAIK, RFC 5280 allows up to 20 octets. But I have a hard
>>>> time specifying more than 31 bits in the template file.
>>>> With a prefix of 0x (indicating a hex number), I get serial number 0. Ough!
>>>> Given as a decimal number, the number is truncated to 0x7fffffff.
>>>> Is this a limitation in certtool or am I missing something?
>>>
>>> It was a limitation. Support for up to 63-bit serial numbers was added in
>>> 3.3.0.
>>
>> If the value received from the user for the serial number exceeds 63
>> bits, should GnuTLS throw an error rather than truncate? I worry that
>> silently proceeding with a truncation seems likely to cause people using
>> certtool to issue multiple certificates with serial numbers of
>> 0x7fffffffffffffff.
>
> Does it truncate? As far as I see, it already throws an error for
> out-of-range numbers.
sorry, i should have been more clear that i was talking about certtool.
for example:

    # generate a key; --generate-privkey (-p) takes no operand and writes to
    # stdout unless --outfile is given (the original post had "certtool -p key.pem")
    certtool -p --outfile key.pem
    # two templates whose serials differ only in the last digit; both are above 63 bits
    echo 'serial = 10000000000000000000' > template
    echo 'serial = 10000000000000000001' > template2

then these two commands:

    certtool --generate-self-signed --load-privkey key.pem \
        --template template 2>&1 | grep Serial
    certtool --generate-self-signed --load-privkey key.pem \
        --template template2 2>&1 | grep Serial

both produce:

    Serial Number (hex): 7fffffffffffffff
--dkg
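The failure dkg describes is the dangerous kind: two different templates produce the same serial, and nothing in the pipeline objects, so an issuer can end up with several certificates sharing one serial under the same issuer name, which RFC 5280 forbids. The following is an added example (not GnuTLS code and not part of the thread) of the two checks a practitioner would wrap around certtool: a pre-flight check of the template's `serial =` value against RFC 5280's 20-octet limit and against the 63-bit limit observed above, and a post-issuance check that the `Serial Number (hex):` line certtool prints matches what the template asked for. It assumes the template syntax and output line format shown in the thread; the limit constant and the sample inputs are the thread's, and the DER octet count accounts for the leading 0x00 that a positive INTEGER with its top bit set needs, which is why the largest RFC 5280 serial is 2**159 - 1 rather than 2**160 - 1.

```python
import re

# Limits that matter for a certtool template serial (added example, not GnuTLS code):
#  - RFC 5280 4.1.2.2: serialNumber is a positive INTEGER of at most 20 DER
#    content octets. A value whose top bit is set needs a leading 0x00 octet,
#    so the largest encodable positive serial is 2**159 - 1.
#  - certtool, as observed in the thread above: values beyond the 63-bit signed
#    range came out as 0x7fffffffffffffff instead of an error.
RFC5280_MAX_OCTETS = 20
CERTTOOL_MAX_SERIAL = (1 << 63) - 1

TEMPLATE_SERIAL_RE = re.compile(r'^\s*serial\s*=\s*"?([0-9A-Za-z]+)"?\s*$', re.MULTILINE)
OUTPUT_SERIAL_RE = re.compile(r'Serial Number \(hex\):\s*([0-9A-Fa-f]+)')


def parse_template_serial(template_text):
    """Return the 'serial = ...' value of a certtool template as an int.

    Decimal is the documented form; a 0x prefix is read as hex so the check
    covers the syntax the original poster tried as well.
    """
    m = TEMPLATE_SERIAL_RE.search(template_text)
    if m is None:
        raise ValueError("template has no 'serial =' line")
    token = m.group(1)
    if token.lower().startswith("0x"):
        return int(token, 16)
    return int(token, 10)


def der_integer_octets(n):
    """Number of DER content octets needed to encode the positive INTEGER n."""
    if n <= 0:
        raise ValueError("only positive serials are valid")
    # bit_length()//8 full octets plus one more octet for the remaining bits
    # or, when bit_length is a multiple of 8, for the 0x00 sign octet.
    return n.bit_length() // 8 + 1


def serial_problems(n):
    """List the reasons n must not be handed to certtool; an empty list means OK."""
    problems = []
    if n <= 0:
        problems.append("serial must be a positive integer (RFC 5280 4.1.2.2)")
        return problems
    octets = der_integer_octets(n)
    if octets > RFC5280_MAX_OCTETS:
        problems.append("serial needs %d DER octets, RFC 5280 allows at most %d"
                        % (octets, RFC5280_MAX_OCTETS))
    if n > CERTTOOL_MAX_SERIAL:
        problems.append("serial exceeds certtool's 63-bit limit and would be "
                        "silently clamped to 0x%x" % CERTTOOL_MAX_SERIAL)
    return problems


def issued_serial(certtool_output):
    """Extract the serial certtool reports ('Serial Number (hex): ...') as an int."""
    m = OUTPUT_SERIAL_RE.search(certtool_output)
    if m is None:
        raise ValueError("no 'Serial Number (hex):' line in certtool output")
    return int(m.group(1), 16)


def serial_was_honoured(template_text, certtool_output):
    """True only if the serial certtool actually issued equals the template's value."""
    return issued_serial(certtool_output) == parse_template_serial(template_text)


if __name__ == "__main__":
    # Constructed inputs: the two templates from the thread and the single
    # output line certtool printed for both of them.
    template1 = "serial = 10000000000000000000\n"
    template2 = "serial = 10000000000000000001\n"
    certtool_out = "Serial Number (hex): 7fffffffffffffff\n"
    for t in (template1, template2):
        n = parse_template_serial(t)
        print(t.strip(), "->", serial_problems(n) or "ok",
              "| honoured:", serial_was_honoured(t, certtool_out))
```

Run the pre-flight check before invoking certtool and refuse to proceed on any problem; run the post-issuance check on certtool's own output (or better, on the serial parsed back from the emitted certificate) so that a future change in how certtool handles out-of-range values cannot reintroduce duplicate serials unnoticed. A 128-bit UUID passes the RFC 5280 check (16 or 17 octets) but fails the certtool one, which is exactly the original poster's situation.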
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
