Certificate for RSA 2048 key says 2058


Certificate for RSA 2048 key says 2058

Ken Goldman-2
I generate a key and self signed certificate like this:

 > openssl genrsa -out cakey.pem -aes256 -passout pass:rrrr 2048
 > openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650

When I dump the certificate, I see
        ....
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2058 bit)
                 Modulus:
                     02:b1:4c:dd:59:4d:72:8d:93:4b:e5:07:89:53:f7:
        ....

Why 2058 - 10 extra bits?  I know that, at times, ASN.1 DER needs an
extra byte to make a number positive, but 10 bits?

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Certificate for RSA 2048 key says 2058

Viktor Dukhovni


> On Dec 14, 2017, at 1:11 PM, Ken Goldman <[hidden email]> wrote:
>
> I generate a key and self signed certificate like this:
>
> > openssl genrsa -out cakey.pem -aes256 -passout pass:rrrr 2048
> > openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
>
> When I dump the certificate, I see
> ....
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>                Public-Key: (2058 bit)
>                Modulus:
>                    02:b1:4c:dd:59:4d:72:8d:93:4b:e5:07:89:53:f7:
> ....
>
> Why 2058 - 10 extra bits?  I know that, at times, ASN.1 DER needs an extra byte to make a number positive, but 10 bits?

What version of OpenSSL is this?  When I try this with OpenSSL 1.1.0 I get:

$ openssl version
OpenSSL 1.1.0h-dev  xx XXX xxxx

$ for i in $(seq 20); do openssl req -nodes -new -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 3650 -subj "/CN=Root CA" 2>/dev/null; openssl x509 -text -in cacert.pem | grep 'Public-Key:'; done
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)
                Public-Key: (2048 bit)

Same results with master from git.

--
        Viktor.


Re: Certificate for RSA 2048 key says 2058

Ken Goldman-2
On 12/14/2017 1:34 PM, Viktor Dukhovni wrote:

>
>
>> On Dec 14, 2017, at 1:11 PM, Ken Goldman <[hidden email]> wrote:
>>
>> I generate a key and self signed certificate like this:
>>
>>> openssl genrsa -out cakey.pem -aes256 -passout pass:rrrr 2048
>>> openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
>>
>> When I dump the certificate, I see
>> ....
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (2058 bit)
>>                 Modulus:
>>                     02:b1:4c:dd:59:4d:72:8d:93:4b:e5:07:89:53:f7:
>> ....
>>
>> Why 2058 - 10 extra bits?  I know that, at times, ASN.1 DER needs an extra byte to make a number positive, but 10 bits?
>
> What version of OpenSSL is this?  When I try this with OpenSSL 1.1.0 I get:
>
> $ openssl version
> OpenSSL 1.1.0h-dev  xx XXX xxxx
>
> $ for i in $(seq 20); do openssl req -nodes -new -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 3650 -subj "/CN=Root CA" 2>/dev/null; openssl x509 -text -in cacert.pem | grep 'Public-Key:'; done
>                  Public-Key: (2048 bit)
>                  Public-Key: (2048 bit)
>                  Public-Key: (2048 bit)
> Same results with master from git.
>

OpenSSL 1.0.1e-fips 11 Feb 2013 - and I get the same results as you for
1000's of passes. So, apparently, something strange happened to the one
key that I generated for my CA.

It feels like some random leading zero case, but I can't reproduce it
with another key.
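
Added example, not part of the thread and not OpenSSL code: a small DER INTEGER encoder and reader showing how the displayed bit count relates to the encoded modulus. The 0x00 sign octet mentioned in the question adds no significant bits, while a 258-octet value whose first octet is 0x02 (the first octet shown in the dump) counts as 2058 bits. The moduli are constructed values, and the real length of the posted modulus is not shown on the page, so the 258-octet case is an assumption.

```python
def encode_der_integer(value: int) -> bytes:
    """DER-encode a non-negative integer (tag 0x02, minimal length)."""
    # bit_length() // 8 + 1 octets always leaves the top bit clear, so a value
    # whose bit length is a multiple of 8 gains one 0x00 sign octet.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    if len(body) < 0x80:
        header = bytes([0x02, len(body)])
    else:
        size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        header = bytes([0x02, 0x80 | len(size)]) + size
    return header + body


def read_der_integer(der: bytes) -> bytes:
    """Return the content octets of a DER INTEGER, sign octet included."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(der[2:2 + count], "big")
        offset = 2 + count
    content = der[offset:offset + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated or empty INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative INTEGER cannot be an RSA modulus")
    return content


def describe(value: int) -> tuple:
    """(content octets, first octet, significant bits) for one modulus value."""
    content = read_der_integer(encode_der_integer(value))
    return len(content), content[0], int.from_bytes(content, "big").bit_length()


# Constructed values, not real RSA moduli: only the top bit position matters.
N_2048 = (1 << 2047) | 1   # top octet 0x80, so DER adds a 0x00 sign octet
N_2058 = (1 << 2057) | 1   # top octet 0x02, no sign octet needed

if __name__ == "__main__":
    for name, n in (("2048-bit", N_2048), ("2058-bit", N_2058)):
        octets, first, bits = describe(n)
        print(f"{name}: {octets} content octets, first 0x{first:02x}, {bits} bits")
```

Counting the octets of a dumped modulus and looking at its first octet is enough to tell a sign-padded 2048-bit value (257 octets, starting 00) from a genuinely longer one.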



