> From: owner-openssl-...@openssl.org On Behalf Of Igor Levicki via RT
> Sent: Monday, August 18, 2014 15:10

> [serial number sometimes has extra 00 byte]
> depending on whether the sign bit is set or not.

Yes. Decades ago X.509 defined serialNumber in ASN.1 as INTEGER, which is two's-complement, and historically some implementations have worked incorrectly for negative-appearing serial "numbers". Thus 5280 now requires serial number be non-negative, which for values with the 0x80 bit in the high byte requires a prefix of 0x00. OpenSSL is correct.
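The encoding rule described in this message, as an added example (not part of the original post and not OpenSSL's code): a small DER INTEGER encoder and decoder showing that a serial whose high byte has the 0x80 bit gets a 0x00 prefix, and that the same bytes without the prefix decode as a negative number. The function names and the sample serial bytes are constructed for illustration, and only short-form lengths are handled.

```python
def der_encode_integer(value: int) -> bytes:
    """DER-encode an ASN.1 INTEGER: tag 0x02, length, minimal two's-complement content."""
    magnitude_bits = value.bit_length() if value >= 0 else (~value).bit_length()
    n = magnitude_bits // 8 + 1  # one extra bit for the sign, rounded up to whole bytes
    if n >= 0x80:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([0x02, n]) + value.to_bytes(n, "big", signed=True)


def encode_serial(raw: bytes) -> bytes:
    """Treat raw serial bytes as an unsigned number and encode it as a non-negative INTEGER."""
    return der_encode_integer(int.from_bytes(raw, "big"))


def der_decode_integer(der: bytes) -> int:
    """Decode a short-form DER INTEGER, rejecting non-minimal content octets."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not an INTEGER")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("bad or unsupported length")
    content = der[2:]
    if len(content) > 1:
        # A leading 0x00 is only allowed when the next byte has its high bit set,
        # and a leading 0xff only when the next byte does not.
        redundant_zero = content[0] == 0x00 and content[1] < 0x80
        redundant_ones = content[0] == 0xFF and content[1] >= 0x80
        if redundant_zero or redundant_ones:
            raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


# Constructed sample serials: same low bytes, high bit of the first byte set vs. clear.
HIGH_BIT_SERIAL = bytes.fromhex("8f3a11c2")
LOW_BIT_SERIAL = bytes.fromhex("4f3a11c2")

if __name__ == "__main__":
    for raw in (HIGH_BIT_SERIAL, LOW_BIT_SERIAL):
        print(raw.hex(), "->", encode_serial(raw).hex())
    # Writing the high-bit bytes directly as INTEGER content, without the prefix:
    unprefixed = bytes([0x02, len(HIGH_BIT_SERIAL)]) + HIGH_BIT_SERIAL
    print(unprefixed.hex(), "decodes as", der_decode_integer(unprefixed))
```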