
Leading Zeros in ASN1_INTEGER?


Leading Zeros in ASN1_INTEGER?

Matthias Ballreich

Hi there,

 

Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?

I tried to read the Certificate Serial and the Certificate Serial in the AuthorityKeyID-Extension with C++, which works very well, but I noticed that OpenSSL removes the leading Zeros on it.

The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.

If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the leading Zeros are listed there. Same on Firefox, if I import and view the Certificate there.

So is this the correct way of handling inside OpenSSL or is it a bug or?

 

Is there a way to prevent that?

 

I’m using OpenSSL 1.0.2j.

 

Hope someone could explain it a little bit.

Thanks!


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Leading Zeros in ASN1_INTEGER?

Viktor Dukhovni

> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich <[hidden email]> wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug or?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

--
        Viktor.


Re: Leading Zeros in ASN1_INTEGER?

Matthias Ballreich

Thanks for the explanation.


But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as serial number instead of BEED73EE (which openssl shows)?



From: openssl-users <[hidden email]> on behalf of Viktor Dukhovni <[hidden email]>
Sent: Saturday, 28 January 2017 17:00:53
To: [hidden email]
Subject: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?
 

> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich <[hidden email]> wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug or?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

--
        Viktor.


Re: Leading Zeros in ASN1_INTEGER?

Jeffrey Walton-3
On Mon, Jan 30, 2017 at 5:03 AM, Matthias Ballreich
<[hidden email]> wrote:
> thanks for explanation.
>
> But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as
> serial number instead of BEED73EE (which openssl shows)?

It's just a presentation detail. It appears Microsoft and Mozilla take
the content octets of the ASN.1 integer and hex encode it.
OpenSSL appears to convert it into a binary number/big endian
array and hex encodes it before presenting it to you.

Another tool could have turned it into a binary number and Base64
encoded it before presenting it to you.

The important detail is the underlying data. You can use tools like
OpenSSL's asn1parse or Gutmann's dumpasn1 to see the raw data, if
needed.

Jeff
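
The two views discussed in the replies above, as an added example that is not part of the original thread and is not OpenSSL code: a short-form DER INTEGER parser that returns both the hex of the content octets as stored (00BEED73EE) and the hex of the number with the sign-padding octet dropped (BEED73EE). The names `der_int_parse` and `serial_views` and the sample bytes are assumptions made for illustration; only lengths up to 127 octets are handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: DER INTEGER for the thread's serial 0xBEED73EE:
 * tag 02, length 05, content octets 00 BE ED 73 EE. */
static const unsigned char SAMPLE_DER[] = {0x02, 0x05, 0x00, 0xBE, 0xED, 0x73, 0xEE};

/* Parse a short-form DER INTEGER (hypothetical helper, not an OpenSSL API).
 * Returns 0 and sets content/clen/negative, or -1 on a wrong tag, a bad
 * length, or redundant sign padding that DER forbids. */
int der_int_parse(const unsigned char *der, size_t len,
                  const unsigned char **content, size_t *clen, int *negative)
{
    if (len < 3 || der[0] != 0x02 || (der[1] & 0x80) || der[1] != len - 2)
        return -1;
    const unsigned char *c = der + 2;
    size_t n = der[1];
    /* Non-minimal: 00 before a byte < 0x80, or FF before a byte >= 0x80. */
    if (n > 1 && ((c[0] == 0x00 && !(c[1] & 0x80)) ||
                  (c[0] == 0xFF && (c[1] & 0x80))))
        return -1;
    *content = c;
    *clen = n;
    *negative = (c[0] & 0x80) != 0; /* two's complement sign bit */
    return 0;
}

static void to_hex(const unsigned char *p, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02X", p[i]);
    out[2 * n] = '\0';
}

/* raw: hex of the content octets as stored; value: hex of the number with the
 * sign-padding 00 dropped. Buffers need 2*127+1 bytes. Rejects negatives. */
int serial_views(const unsigned char *der, size_t len, char *raw, char *value)
{
    const unsigned char *c; size_t n; int neg;
    if (der_int_parse(der, len, &c, &n, &neg) != 0 || neg)
        return -1;
    to_hex(c, n, raw);
    if (n > 1 && c[0] == 0x00) { c++; n--; }
    to_hex(c, n, value);
    return 0;
}

int main(void)
{
    char raw[255], value[255];
    if (serial_views(SAMPLE_DER, sizeof SAMPLE_DER, raw, value) == 0)
        printf("content octets: %s\nnumber: %s\n", raw, value);
    return 0;
}
```

Without the 00 octet the same four bytes parse as a negative INTEGER, which is why a comparison of serial numbers should be done on the decoded value rather than on a tool's hex rendering.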

Re: Leading Zeros in ASN1_INTEGER?

Erwann Abalea-4
In reply to this post by Matthias Ballreich
Why not?

This serial number could also be displayed as 3203232750, or 000BEED73EE, or 03203232750.

Regards,
Erwann Abalea

On 30 Jan 2017, at 11:03, Matthias Ballreich <[hidden email]> wrote:

Thanks for the explanation.

But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as serial number instead of BEED73EE (which openssl shows)?


From: openssl-users <[hidden email]> on behalf of Viktor Dukhovni <[hidden email]>
Sent: Saturday, 28 January 2017 17:00:53
To: [hidden email]
Subject: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?
 

> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich <[hidden email]> wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug or?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

-- 
        Viktor.
