Alexei Chetroi wrote:
> What serial number should a CA certificate have? man req states that serial number 0 will be used when generating a self-signed request with "openssl req -x509", unless the -set_serial option is used. But on my Sarge machine, generating self-signed certs produces certificates with serial numbers different from 0, and different each time. Here's an example on careq.pem:
This depends on the policy of the PKI.
> fa:5c:95:05:89:7d:cb:28
> be:31:23:0b:b5:be:e6:3e
> cb:8a:8b:f8:2e:d0:97:d5
>
> The problem is that these serial numbers cause the command "rebuildOpenSSLindexDB", called from Node->Administration->Backup and recovery->"Rebuild OpenSSL's database and next serialnumber", to fail with this error:
>
> Loading the Objects ... VALID_CA_CERTIFICATE: 7FFFFFFF
Looks like an overflow problem in OpenCA.
I think this is the relevant code (OpenSSL.xs):
    int
    serial(cert)
            OpenCA_OpenSSL_X509 cert
        PREINIT:
            char * stringval;
        CODE:
            stringval = i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert));
            RETVAL = atoi(stringval);
            free(stringval);
        OUTPUT:
            RETVAL

int is usually not an 8-byte unsigned integer. Perhaps it is enough to change the return datatype to "unsigned long long int" and replace atoi with "strtoull (stringval, (char **)NULL, 10);"
Additionally, crypto-utils.lib includes a sprintf with "%lX". I think we have to use "%llX" instead.
... but these are only ideas. I have not tested them.
Michael
P.S. I'm really busy these days, so I only read devel.
-- 
_______________________________________________________________
Michael Bell                    Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]               D-10099 Berlin
_______________________________________________________________
