Should a CA certify a key with a negative (or incorrectly encoded) modulus
in the first place? Sounds like a bad idea to me....
Alex
> -----Original Message-----
> From: Secret Squirrel [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 16, 2000 2:21 AM
> To: [EMAIL PROTECTED]
> Subject: Re: outlook certs
>
>
> > -----BEGIN CERTIFICATE-----
> > MIIBSzCB/AIEN5gYKTAHBgUrDgMCAzAeMQswCQYDVQQGEwJQTDEPMA0GA1UEChMG
> > b2ktd2JkMCYXETAwMDYxMzA5NTQwMy0wMTAwFxEwMTEyMTQwOTU0MDMtMDEwMDBI
> > MQ8wDQYDVQQDEwZrdXJzMTAxEzARBgNVBAMTCnJlY2lwaWVudHMxDzANBgNVBAsT
> > Bm9pLXdiZDEPMA0GA1UEChMGb2ktd2JkMFkwCwYJKoZIhvcNAQEBA0oAMEcCQN+q
> > oPQMo4U+aULJjaw/EldK21DLJj+Z4KkiEWbNHpWcNO+8ZoTf4/c8YvawfSD+iTtS
> > hG/dIeCZwYeh4/4bFMMCAwEAATAHBgUrDgMCAwNBAIUwzaEwGZVC98cd+Bu/DsYv
> > 9YAF7QQHPDSWyARgOqMzkGXJUCfBT3MWY8ir5pFxSnoJiOCtOiqE+UMPv+8tRhw=
> > -----END CERTIFICATE-----
>
> The actual value of the modulus in that cert is:
>
> DF AA A0 F4 0C A3 85 3E 69 42 C9 8D AC 3F 12 57
> 4A DB 50 CB 26 3F 99 E0 A9 22 11 66 CD 1E 95 9C
> 34 EF BC 66 84 DF E3 F7 3C 62 F6 B0 7D 20 FE 89
> 3B 52 84 6F DD 21 E0 99 C1 87 A1 E3 FE 1B 14 C3
>
> The value is not encoded properly in the cert; because the
> high bit is set
> it is supposed to have a leading zero byte. Technically it
> is specifying
> a negative number, which is the value you were seeing from openssl.
>
> Most cert parsing programs are aware of this bug and know that moduli
> and such will always be positive numbers. Maybe there is some way to
> configure your openssl to know that.
>
>
