David Schwartz wrote:
Alright, there's a SEVERE disconnect here versus the description of an
integer as described in the thread "openssl can don' t handle 20 Octes
long Serial Numbers RFC 3280".

        If you think there's a disconnect, you are confused.

This needs to be rectified soonest.

        There is no disconnect.

        For a negative number, prefixing it with a zero-byte changes the meaning,
because the most significant bit is the sign bit. For a positive number,
adding a zero-byte to the beginning does not change the value. However, the
DER specification requires you to encode an integer in as few bytes as
possible.

        Of course, it is impossible to remove the leading zero byte from a negative
number if the high bit of the next byte is not zero, as that would change
the value.

Addition:

You could remove the leading 0xff byte from such a number, if the next
octet has bit 7 (0x80) set.

However, it is possible to remove the leading zero byte from a
positive number, so such leading zero bytes are prohibited by the DER
specification.

Clarification:

In DER, the following is prohibited:
1. leading zero bytes if the next non-zero octet does not start with bit 7 set (0x80 mask).
2. leading 0xff (-1, 255) bytes, if the next non-0xff octet starts with bit 7 set (0x80 mask).

        The BER specification defines what the encodings mean. The DER
specification specifies a unique way to encode any given value. Analogously,
we all know what number "03" is, but if we were picking a unique way to
encode the number three, it would be "3" not "03".

        What exactly do you think is the disconnect?

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
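
The minimal-encoding rule discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's code: a C check on INTEGER content octets following X.690 section 8.3.2 (the first nine bits must not be all zeros or all ones), plus an encoder for a non-negative big-endian magnitude. The function names and the 20-octet sample value are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if INTEGER content octets are minimal per X.690 8.3.2, else 0. */
int der_int_is_minimal(const unsigned char *p, size_t len)
{
    if (len == 0)
        return 0;   /* an INTEGER has at least one content octet */
    if (len == 1)
        return 1;
    if (p[0] == 0x00 && (p[1] & 0x80) == 0)
        return 0;   /* redundant leading zero on a positive value */
    if (p[0] == 0xff && (p[1] & 0x80) != 0)
        return 0;   /* redundant leading 0xff on a negative value */
    return 1;
}

/* Encode a non-negative big-endian magnitude as DER INTEGER content octets.
 * out needs room for len + 1 bytes; returns the number of bytes written. */
size_t der_int_from_unsigned(const unsigned char *mag, size_t len,
                             unsigned char *out)
{
    size_t pad = 0;
    if (len == 0) {
        out[0] = 0x00;              /* empty magnitude encodes as zero */
        return 1;
    }
    while (len > 1 && mag[0] == 0x00) {   /* strip redundant zeros */
        mag++;
        len--;
    }
    if (mag[0] & 0x80)
        out[pad++] = 0x00;          /* keep the sign bit clear */
    memcpy(out + pad, mag, len);
    return pad + len;
}

/* Constructed sample: a 20-octet serial magnitude with its top bit set. */
static const unsigned char serial20[20] = { 0x80, 0x01 };
static unsigned char encoded[21];

int main(void)
{
    static const unsigned char padded[] = { 0x00, 0x7f };   /* constructed */
    printf("00 7f minimal: %d\n", der_int_is_minimal(padded, sizeof padded));
    printf("20-octet serial -> %zu content octets\n",
           der_int_from_unsigned(serial20, sizeof serial20, encoded));
    return 0;
}
```

A 20-octet magnitude whose top bit is set needs 21 content octets, because the leading zero is what keeps the value positive.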
