> From: owner-openssl-us...@openssl.org On Behalf Of Peter Sylvester
> Sent: Sunday, 29 August, 2010 05:44
>
> The encoding is invalid BER.
> The openssl is tolerant but also destructive in copy.
>
> whenever you use openssl x509 -in -out ... you remove one
> leading 0 octet.
>
> IMHO openssl should reject the cert because of invalid encoding.
>
> On 08/29/2010 04:17 AM, Mounir IDRASSI wrote:
> > Hi,
> >
> > The problem you are encountering is partly caused by the way OpenSSL
> > handles integers whose DER encoded value starts with one or more zeros:
> > in this case, OpenSSL removes the leading zero when creating the
> > corresponding ASN1_INTEGER structure thus leading to the fact that
> > computed DER of this structure and the original one will be different!!

Nit: redundant leading 00 (or FF) in an INTEGER is VALID *B*ER but INVALID *D*ER. And signed things like certs are *D*ER for exactly this reason, so a reconstructed encoding is bit for bit identical and hashes and signatures etc. work.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
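As an added illustration of the BER-versus-DER distinction the reply draws (example code, not from this thread or from OpenSSL), the following checks an INTEGER TLV against the DER minimal-encoding rule of X.690 8.3.2 and re-encodes it canonically, which is the transformation that makes a re-emitted certificate stop matching its original bytes and signature. The serial-number byte strings in the test are constructed.

```python
INTEGER_TAG = 0x02


def parse_tlv(data: bytes) -> tuple[int, bytes, bytes]:
    """Split one BER TLV (short- or long-form length) into (tag, value, rest)."""
    if len(data) < 2:
        raise ValueError("truncated TLV header")
    tag, first = data[0], data[1]
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("indefinite or truncated length")
        length, start = int.from_bytes(data[2:2 + n], "big"), 2 + n
    else:
        length, start = first, 2
    if len(data) < start + length:
        raise ValueError("truncated TLV value")
    return tag, data[start:start + length], data[start + length:]


def encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def redundant_leading_octets(value: bytes) -> int:
    """Count leading 0x00/0xFF octets that DER forbids (X.690 8.3.2)."""
    if not value:
        raise ValueError("INTEGER with empty contents is invalid BER")
    n = 0
    while n < len(value) - 1:
        high = value[n + 1] & 0x80           # 00 is needed before a high-bit octet,
        if (value[n] == 0x00 and not high) or (value[n] == 0xFF and high):
            n += 1                           # FF before a clear one; else redundant
        else:
            break
    return n


def to_der_integer(tlv: bytes) -> tuple[bytes, bool]:
    """Re-encode an INTEGER TLV canonically; return (der, was_already_der)."""
    tag, value, rest = parse_tlv(tlv)
    if tag != INTEGER_TAG or rest:
        raise ValueError("expected exactly one INTEGER TLV")
    value = value[redundant_leading_octets(value):]
    der = bytes([INTEGER_TAG]) + encode_length(len(value)) + value
    return der, der == tlv
```

A tolerant parser that accepts the first case below and then re-serialises it produces the second, shorter encoding, so any hash or signature computed over the original bytes no longer verifies.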