Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

Mon, 30 Jan 2017 04:01:36 -0800 

Why not?

This serial number could also be displayed as 3203232750, or 000BEED73EE, or 
03203232750.

Cordialement,
Erwann Abalea

Le 30 janv. 2017 à 11:03, Matthias Ballreich 
<matthias.ballre...@outlook.de<mailto:matthias.ballre...@outlook.de>> a écrit :

thanks for explanation.

But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as 
serial number instead of BEED73EE (which openssl shows)?

________________________________
Von: openssl-users 
<openssl-users-boun...@openssl.org<mailto:openssl-users-boun...@openssl.org>> 
im Auftrag von Viktor Dukhovni 
<openssl-us...@dukhovni.org<mailto:openssl-us...@dukhovni.org>>
Gesendet: Samstag, 28. Januar 2017 17:00:53
An: openssl-users@openssl.org<mailto:openssl-users@openssl.org>
Betreff: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?


> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich 
> <matthias.ballre...@outlook.de<mailto:matthias.ballre...@outlook.de>> wrote:
>
> is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but i noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but i got only BEED73EE.
> If i view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if i Import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug or?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to