Re: openssl can't handle 20 octet long serial numbers (RFC 3280)



thomas.beckmann
Kyle,

It's not required by the RFC, but it is required by X.209 (BER encoding of
integer values).

Regards

Thomas

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On behalf of Kyle Hamilton
> Sent: Wednesday, 11 January 2006 15:22
> To: [hidden email]
> Subject: Re: openssl can't handle 20 octet long serial numbers (RFC 3280)
>
> My belief is that the presentation should be as an octet
> string, as opposed to a string representation of an integer.  
> Furthermore, serial numbers are unsigned, not signed, and
> generally increment.
>
> The problem is that the CA did not embed "00" before the
> serial number of the certificate it signed -- and, by RFC, it
> is not required to.
> The serial number should be presented to the user as an
> opaque string of hex bytes, not (as current) a translation
> into an integer.
>
> -Kyle H
>
> On 1/11/06, [hidden email]
> <[hidden email]> wrote:
> >
> > Michael,
> >
> > OpenSSL is working correctly because "9a 38 74 00 00 00 00 25 be" is a
> > negative integer. If you precede your serial number with "00",
> > everything will work fine... even the presentation of your
> > number with OpenSSL.
> >
> > Best regards
> >
> > Thomas
> >
> >
> >  ________________________________
> >  From: [hidden email]
> > [mailto:[hidden email]] On behalf of Bohn, Michael
> > Sent: Wednesday, 11 January 2006 07:20
> > To: [hidden email]
> > Subject: openssl can't handle 20 octet long serial numbers (RFC 3280)
> >
> >
> >
> >
> > Hi all,
> > sorry that I'm sending the same e-mail again, but I didn't find
> > any answer to my last one.
> >
> > We have the case that openssl cannot handle long serial numbers.
> > In our case we have this serial number: 9a 38 74 00 00 00 00 25 be, but
> > OpenSSL 0.9.7e 25 Oct 2004 prints this:
> >
> > openssl x509 -in file  -noout -text
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number:
> >              (Negative)65:c7:8b:ff:ff:ff:ff:da:42
> >
> >
> > Windows, Cisco and Mozilla can handle this SN without any problems.
> >
> >
> > ################ RFC 3280        ############################
> >
> > RFC 3280        Internet X.509 Public Key Infrastructure        April 2002
> >
> >
> >    Given the uniqueness requirements above, serial numbers can be
> >    expected to contain long integers.  Certificate users MUST be able to
> >    handle serialNumber values up to 20 octets.  Conformant CAs MUST NOT
> >    use serialNumber values longer than 20 octets.
> >
> > ###############################################################
> >
> >
> > best regards
> >
> >
> > Michael
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
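The encoding rule Thomas and Kyle are describing, as an added example that is not code from the thread or from OpenSSL: ASN.1 INTEGER content octets are two's complement, so the serial from Michael's post decodes as negative unless a 0x00 octet is prepended, and the 20-octet limit from RFC 3280 applies to the encoded content including that 0x00. The function names are my own; the byte string is reconstructed from the hex dump in the post.

```python
# Added example (not from the thread or OpenSSL): DER/BER INTEGER rules
# applied to the serial number discussed above. ASN.1 INTEGER content
# octets are big-endian two's complement, so a first octet >= 0x80 is
# a negative value, which is why OpenSSL printed "(Negative)".

def decode_asn1_integer(content: bytes) -> int:
    """Decode ASN.1 INTEGER content octets (big-endian two's complement)."""
    if not content:
        raise ValueError("INTEGER content must not be empty")
    return int.from_bytes(content, "big", signed=True)

def encode_serial(serial: int) -> bytes:
    """Encode a non-negative serial as minimal DER INTEGER content octets.

    A 0x00 octet is prepended when the top bit of the first octet is set,
    so that the encoded value stays positive (the "00" Thomas mentions).
    """
    if serial < 0:
        raise ValueError("X.509 serialNumber must be positive")
    length = max(1, (serial.bit_length() + 7) // 8)
    content = serial.to_bytes(length, "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return content

def openssl_style(content: bytes) -> str:
    """Render like 'openssl x509 -text' did in the post: the magnitude as
    colon-separated hex pairs, prefixed with '(Negative)' when value < 0."""
    value = decode_asn1_integer(content)
    mag = abs(value)
    mag_bytes = mag.to_bytes(max(1, (mag.bit_length() + 7) // 8), "big")
    hexpairs = ":".join(f"{b:02x}" for b in mag_bytes)
    return ("(Negative)" if value < 0 else "") + hexpairs

def rfc3280_length_ok(content: bytes) -> bool:
    """RFC 3280 4.1.2.2: serialNumber values up to 20 octets. The limit is
    checked on the encoded content, so a 20-octet serial whose top bit is
    set does not fit: its DER form needs a 21st (leading 0x00) octet."""
    return 1 <= len(content) <= 20

# The CA's serial exactly as posted in the thread (constructed from the dump).
POSTED = bytes.fromhex("9a 38 74 00 00 00 00 25 be")

if __name__ == "__main__":
    print(openssl_style(POSTED))        # (Negative)65:c7:8b:ff:ff:ff:ff:da:42
    fixed = encode_serial(int.from_bytes(POSTED, "big"))
    print(fixed.hex(":"))               # 00:9a:38:74:00:00:00:00:25:be
    print(openssl_style(fixed))         # 9a:38:74:00:00:00:00:25:be
```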