Let's put this to rest, shall we?

    : ; cat > checkasn1int.sh
    #! /bin/sh

    CMD="$@"

    for x in "3003 02011F" \
             "3003 020180" \
             "3004 0202001F" \
             "3004 02020080"; do
        echo Trying sequence $x
        echo $x | xxd -r -ps | $CMD
    done
    : ; sh checkasn1int.sh openssl asn1parse -inform d -i
    Trying sequence 3003 02011F
    0:d=0 hl=2 l= 3 cons: SEQUENCE
    2:d=1 hl=2 l= 1 prim: INTEGER :1F
    Trying sequence 3003 020180
    0:d=0 hl=2 l= 3 cons: SEQUENCE
    2:d=1 hl=2 l= 1 prim: INTEGER :-80
    Trying sequence 3004 0202001F
    0:d=0 hl=2 l= 4 cons: SEQUENCE
    2:d=1 hl=2 l= 2 prim: INTEGER :1F
    Trying sequence 3004 02020080
    0:d=0 hl=2 l= 4 cons: SEQUENCE
    2:d=1 hl=2 l= 2 prim: INTEGER :80
    : ; openssl version
    OpenSSL 1.0.2f 28 Jan 2016
    : ; sh checkasn1int.sh util/shlib_wrap.sh apps/openssl asn1parse -inform d -i
    Trying sequence 3003 02011F
    0:d=0 hl=2 l= 3 cons: SEQUENCE
    2:d=1 hl=2 l= 1 prim: INTEGER :1F
    Trying sequence 3003 020180
    0:d=0 hl=2 l= 3 cons: SEQUENCE
    2:d=1 hl=2 l= 1 prim: INTEGER :-80
    Trying sequence 3004 0202001F
    0:d=0 hl=2 l= 4 cons: SEQUENCE
    2:d=1 hl=2 l= 2 prim: INTEGER :BAD INTEGER:[001F]
    Trying sequence 3004 02020080
    0:d=0 hl=2 l= 4 cons: SEQUENCE
    2:d=1 hl=2 l= 2 prim: INTEGER :80
    : ; util/shlib_wrap.sh apps/openssl version
    OpenSSL 1.1.0-pre3-dev xx XXX xxxx
    : ;

Cheers,
Richard

In message <d2e24b89.26f4d%...@ll.mit.edu> on Thu, 11 Feb 2016 19:37:18 +0000, "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu> said:

uri> On 2/11/16, 14:29 , "openssl-dev on behalf of Salz, Rich"
uri> <openssl-dev-boun...@openssl.org on behalf of rs...@akamai.com> wrote:
uri>
uri> >If arbitrary leading zeros were allowed in DER, then the encoding
uri> >wouldn't be *distinguished*, i.e., unique.
uri>
uri> I am NOT talking about “arbitrary” leading zeros. I explicitly state (and
uri> cite the sources, might add the ASN.1 standard itself, and “ASN.1
uri> Complete” by John Larmouth) that a leading zero *is* necessary and
uri> required for a positive integer when its MSB is one (e.g., 0x80). In other
uri> cases it indeed does not belong.
uri>
uri> >In BER, almost anything goes :)
uri>
uri> We are *explicitly* and *exclusively* discussing DER. Anything goes for
uri> Bear. :-)
uri>
uri> P.S. In the integer value provided by Cristian, indeed the MSB was 0 (the
uri> first “valuable” byte was 0x59), so the leading zero byte did not belong.
uri> But I hope OpenSSL-1.1 would properly process 0x02020080.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
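
The rule under discussion (X.690 8.3.2: the first contents octet and the top bit of the second must not be all zeros or all ones) applied to the four test sequences from checkasn1int.sh. This is an added example, not part of the original message and not OpenSSL's code; the function names are hypothetical and only short-form lengths are handled.

```python
# Added example: strict DER INTEGER check (X.690 8.3.2). Names are illustrative,
# not OpenSSL's; only short-form (single-byte) lengths are handled.

def decode_der_integer(contents):
    """Decode INTEGER contents octets, rejecting non-minimal encodings."""
    if not contents:
        raise ValueError("empty INTEGER contents")
    if len(contents) > 1:
        second_msb = contents[1] & 0x80
        # 0x00 may lead only when it keeps a set MSB from reading as negative.
        if contents[0] == 0x00 and not second_msb:
            raise ValueError("redundant leading 0x00")
        # Likewise 0xFF may lead only when the next MSB is clear.
        if contents[0] == 0xFF and second_msb:
            raise ValueError("redundant leading 0xFF")
    return int.from_bytes(contents, "big", signed=True)

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for one TLV with a short-form length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported here")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated contents")
    return tag, buf[pos + 2:end], end

def parse_integer_sequence(der):
    """Parse SEQUENCE { INTEGER ... } and return the integer values."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE with no trailing bytes")
    values, pos = [], 0
    while pos < len(body):
        tag, contents, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        values.append(decode_der_integer(contents))
    return values

# The four test sequences from checkasn1int.sh in the message above.
VECTORS = ["3003 02011F", "3003 020180", "3004 0202001F", "3004 02020080"]

if __name__ == "__main__":
    for vec in VECTORS:
        try:
            print(vec, "->", parse_integer_sequence(bytes.fromhex(vec)))
        except ValueError as exc:
            print(vec, "-> rejected:", exc)
```

Only `3004 0202001F` is rejected, which matches the `BAD INTEGER` line in the 1.1.0-pre3-dev output above, while `02020080` is accepted as 128.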